sectoprat | 8b3dcbc8862553bd18ae5f181f192bb76a5fe20dec5184383574a7e24701d8d8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wEotIbaw.ps1
Size

14.7MB
MD5

995596f28f9a7d8543795fa3783c5417
SHA1

26bdb7edbc54be02342dc1facb281059ac85d04d
SHA256

8b3dcbc8862553bd18ae5f181f192bb76a5fe20dec5184383574a7e24701d8d8
SHA512

daa12601f414d8f1d25d5ec32c9a3f4885a6aba35f60e72e6d414898e29ab6c378b175c3960261474641d6344475439dfc93e590274fc7fb79094ca093931a94
SSDEEP

768:QbcXWHsPosaVp9Im/mwYljpGBQfANhIqnzK3edX7j8ASEz5pOgApo1n0aE1R74XL:QQ9kR

Score

10^/10

sectoprat credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2884-105-0x0000000000910000-0x00000000009E4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Uses browser remote debugging 2 TTPs 12 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5920	msedge.exe
4308	chrome.exe
2736	chrome.exe
3136	chrome.exe
5788	msedge.exe
6104	msedge.exe
5192	chrome.exe
1940	chrome.exe
1056	chrome.exe
1128	msedge.exe
4508	msedge.exe
1076	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
1932	kato.exe
3028	kato.exe
2420	TiVoDiag.exe
4012	TiVoDiag.exe

Loads dropped DLL 7 IoCs

pid	Process
3028	kato.exe
2420	TiVoDiag.exe
2420	TiVoDiag.exe
2420	TiVoDiag.exe
4012	TiVoDiag.exe
4012	TiVoDiag.exe
4012	TiVoDiag.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kato.exe = "C:\\Users\\Admin\\AppData\\Roaming\\KD8Y0n1n\\kato.exe"	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4012 set thread context of 1296	4012	TiVoDiag.exe	95
PID 1296 set thread context of 2884	1296	cmd.exe	103

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4244	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TiVoDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TiVoDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2720	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4244	powershell.exe
4244	powershell.exe
2420	TiVoDiag.exe
4012	TiVoDiag.exe
4012	TiVoDiag.exe
2260	taskmgr.exe
2260	taskmgr.exe
1296	cmd.exe
1296	cmd.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2884	MSBuild.exe
2884	MSBuild.exe
2884	MSBuild.exe
2884	MSBuild.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2260	taskmgr.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4012	TiVoDiag.exe
1296	cmd.exe
1296	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	2260	taskmgr.exe
Token: SeSystemProfilePrivilege	2260	taskmgr.exe
Token: SeCreateGlobalPrivilege	2260	taskmgr.exe
Token: SeSecurityPrivilege	2260	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2260	taskmgr.exe
Token: SeDebugPrivilege	2884	MSBuild.exe
Token: SeBackupPrivilege	732	svchost.exe
Token: SeRestorePrivilege	732	svchost.exe
Token: SeSecurityPrivilege	732	svchost.exe
Token: SeTakeOwnershipPrivilege	732	svchost.exe
Token: 35	732	svchost.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
4308	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe
2260	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2884	MSBuild.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe
3056	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 1932	4244	powershell.exe	91
PID 4244 wrote to memory of 1932	4244	powershell.exe	91
PID 1932 wrote to memory of 3028	1932	kato.exe	92
PID 1932 wrote to memory of 3028	1932	kato.exe	92
PID 3028 wrote to memory of 2420	3028	kato.exe	93
PID 3028 wrote to memory of 2420	3028	kato.exe	93
PID 3028 wrote to memory of 2420	3028	kato.exe	93
PID 2420 wrote to memory of 4012	2420	TiVoDiag.exe	94
PID 2420 wrote to memory of 4012	2420	TiVoDiag.exe	94
PID 2420 wrote to memory of 4012	2420	TiVoDiag.exe	94
PID 4012 wrote to memory of 1296	4012	TiVoDiag.exe	95
PID 4012 wrote to memory of 1296	4012	TiVoDiag.exe	95
PID 4012 wrote to memory of 1296	4012	TiVoDiag.exe	95
PID 4012 wrote to memory of 1296	4012	TiVoDiag.exe	95
PID 1296 wrote to memory of 2884	1296	cmd.exe	103
PID 1296 wrote to memory of 2884	1296	cmd.exe	103
PID 1296 wrote to memory of 2884	1296	cmd.exe	103
PID 1296 wrote to memory of 2884	1296	cmd.exe	103
PID 1296 wrote to memory of 2884	1296	cmd.exe	103
PID 2884 wrote to memory of 4308	2884	MSBuild.exe	118
PID 2884 wrote to memory of 4308	2884	MSBuild.exe	118
PID 4308 wrote to memory of 384	4308	chrome.exe	119
PID 4308 wrote to memory of 384	4308	chrome.exe	119
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 1492	4308	chrome.exe	120
PID 4308 wrote to memory of 972	4308	chrome.exe	121
PID 4308 wrote to memory of 972	4308	chrome.exe	121
PID 4308 wrote to memory of 2736	4308	chrome.exe	123
PID 4308 wrote to memory of 2736	4308	chrome.exe	123
PID 4308 wrote to memory of 2736	4308	chrome.exe	123
PID 4308 wrote to memory of 2736	4308	chrome.exe	123
PID 4308 wrote to memory of 2736	4308	chrome.exe	123
PID 4308 wrote to memory of 2736	4308	chrome.exe	123
PID 4308 wrote to memory of 2736	4308	chrome.exe	123
PID 4308 wrote to memory of 2736	4308	chrome.exe	123
PID 4308 wrote to memory of 2736	4308	chrome.exe	123

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\wEotIbaw.ps1
1⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe
  "C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\TEMP\{6A2A4C80-630D-4645-B155-71B15CE5ACC4}\.cr\kato.exe
    "C:\Windows\TEMP\{6A2A4C80-630D-4645-B155-71B15CE5ACC4}\.cr\kato.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe" -burn.filehandle.attached=588 -burn.filehandle.self=644
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\TEMP\{D321CDEA-0BF1-4C8C-9075-5A4B88122358}\.ba\TiVoDiag.exe
      C:\Windows\TEMP\{D321CDEA-0BF1-4C8C-9075-5A4B88122358}\.ba\TiVoDiag.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
        
        C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=8896 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffbddddcf8,0x7fffbddddd04,0x7fffbddddd10
        9⤵
        
        PID:384
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2072,i,8550939881338594160,9246387718305082379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2052 /prefetch:2
        9⤵
        
        PID:1492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1628,i,8550939881338594160,9246387718305082379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2300 /prefetch:3
        9⤵
        
        PID:972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2444,i,8550939881338594160,9246387718305082379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2460 /prefetch:8
        9⤵
        
        PID:548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8896 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,8550939881338594160,9246387718305082379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3168 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8896 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,8550939881338594160,9246387718305082379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3148 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8896 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4352,i,8550939881338594160,9246387718305082379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4416 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:3136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8896 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4388,i,8550939881338594160,9246387718305082379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4336 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:1940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8896 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4800,i,8550939881338594160,9246387718305082379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4920 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9679 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:1128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x250,0x254,0x258,0x24c,0x260,0x7fffbc0bf208,0x7fffbc0bf214,0x7fffbc0bf220
        9⤵
        
        PID:3620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1976,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=2804 /prefetch:3
        9⤵
        
        PID:5488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2700,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:2
        9⤵
        
        PID:4236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2224,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=2812 /prefetch:8
        9⤵
        
        PID:2136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9679 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3600,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9679 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3608,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9679 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4228,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9679 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4236,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:1076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9679 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5024,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:6104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4008,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=3720 /prefetch:8
        9⤵
        
        PID:4336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5528,i,769923710142933542,14875108975122090292,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:8
        9⤵
        
        PID:5832

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6128

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3056
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\debugDemo\rendzina.yml
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
6c69dacc21162d78b30b5184406991da

SHA1
375219842fe8cfd314babad4e0bf96f0f69ff42e

SHA256
cef862d4279d994f52692b02d5c890571375df92c18133695846964aaae0fbb9

SHA512
e2d152dd4bcc1b18aff4ba5c0749987daabe2a2a4beb517607c3e03a5eab648ace57e633c753b5b7a2ebd2288f06c0df38debb85a6eced7fb5d57fab7af36721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
8c0f1de366146833e21e32a8875cf697

SHA1
604ba9b28c502cda2cfa05bd6451b2d504fe8bf7

SHA256
b25de212558844069506f7a4829d967ef9b8f2972a964bf7e3e77be64f24da14

SHA512
0145f28a675e20ce224a6b2bfb0f1d1266e4db3e1d8d836268a81b381303676522cc8707038f46c73745aaff494a672f97f9aeed81f5a20a54ac2ac7193d05bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
36f9fd1ea77d2f590556c7d635edd948

SHA1
77be267292d38d47ce859e8924a6730130f7f2da

SHA256
3e876f232d2a766cc7244538ab5fc61da25853942ffe237bbee3077f0cbb435c

SHA512
5c222b04d880e65af08e3ca8e8695af07d0c29ef5cf70c74fa0d81baf12f7dd7ad11073cff8651767e4743f40bc3fa93df6198bd3cbdcbcf38ba1ecbedea5a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
caba3b97f983eb81b0720471256478c8

SHA1
339f3ecc344478074922a419c72f2d5ae5057596

SHA256
ee9a4e8df1a64f019f80b1d75be15fd30693816fcaab4c7425230e96b6badba3

SHA512
2509f6b967fd54eb3dce44408b7e0b5c32c2900a68082f573aa8382def609314022cdb0759ce9cbd88f6a7c2b83b3026f464388f3848fed913cae30d7f2b730f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
b80215fc9cc0554dbfd1dc8982318bc2

SHA1
68ed1d62359ff0fd9fc1ce194fd7aa0d98f9934f

SHA256
7c3a0233ca68eb96cf1176e26e5c60dffb33c989aa54a6b1c88bc40886d96285

SHA512
086124e8388fe1f96c6f4d2e37e3a0cc589efc2a0a3c01e84ae75f8cdcd3865aa002662e4f46816436c95a65dd34c23f1889ec40b601d89481c82439a64373a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index

Filesize
1KB

MD5
4ce3b506671d5e095af4ca9b68f8e7e6

SHA1
7a6a13b3fc289f1d955dffcbd3ceabaf325155d9

SHA256
cd77f0d6429137ab37c0a0b91bd07cf4e2f3e5317c12d44b979fa663823347a5

SHA512
d726c24517ecde19d8b77cb323570a881699d088cf10fbae323abea68689116cd1e89663fa99ccf67984784ce279620e810b3b5c529932b9c559421b6cf3c2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index~RFe5885b5.TMP

Filesize
1KB

MD5
34b446e8078a4485ed4dbcf92b662548

SHA1
06fa9efb4cc21629eb03061eefe1fa872173c79e

SHA256
1cd80654904e3b6bf796978aed577bd2ad65c4b5166055d3ba18a8c90c82eaf3

SHA512
5fd878c0d71f792a48a14e2aee18bfab1bda8d6c4b22a6f0ed90f326fd4f6341c1f945a7bd19f32c7e5114a5f792f3f9384279f7500fbddd448528d8ce17727d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
a65dd0aeca8b289bc1e1a735520cb483

SHA1
431ef6fc28560ec5cd44d4f5306c5f58b55c8c32

SHA256
4744ae03e1df9db6941c6a509276e5efdb562977cfd78b6613e7001cb5289218

SHA512
0276f2344ef33a48e0b02910019d5646f99c80cdebafae2d44965c1e67a8e15a877428b6fd642bfbbb862280d3d83595c0cb4729f77b1e04dfe050a0fd6e48e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
afb1ebda10063a2b4a1d747668243aca

SHA1
838b4ac25c2a395c8d9712dc701c7b34ea53c333

SHA256
203a469a506ee57d90c57c12b961647f7c364ae163b47a573dea0bf5943b2df7

SHA512
e4ba32ac32aa14c09b5d503c64fb5d4508e5cead5b715dfd82d4bf8c51db842e15f6a5cfc32a8a5b70dcb1a29a3327103756b1b108a6181fa08d8c915d3243f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\111b80c3

Filesize
1.6MB

MD5
bd9d8a34acac6c8e4358eac2abf5505d

SHA1
e1b844fff9e146505f23945e9b8e1ff4783e60c6

SHA256
62268f4feca2558cb79a71fd1eb470c6dedcaa204d7838a394e9858c4471827b

SHA512
bb65d83f08219c400f33a73d7c8a63080838c548f5b0055a489ddb301408932ecbe5e63c9b13179765a2b131269640a02c128b24d292614866217d046d2fab34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmjpt3gw.3ag.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\background.js

Filesize
596B

MD5
aa0e77ec6b92f58452bb5577b9980e6f

SHA1
237872f2b0c90e8cbe61eaa0e2919d6578cacd3f

SHA256
aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde

SHA512
37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\content.js

Filesize
1KB

MD5
d43876a03d65f1338a3ba7f643bfbb38

SHA1
97a4abf18c120dc5546a1a66eff61bf24c0f940e

SHA256
7ee4aac572051398bd5f5b366deacfe8dfb168a43d37fe28b653cb8eacdf5c67

SHA512
56d2d27b0ef4fc3196330b0319be79640a16a05112268f7029dd882f0f453b0ccf6404ab6c4a028182d82b4d7be02ade12851f1fc4388b9ccc9bec8c367721ce

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\icon.png

Filesize
5KB

MD5
2c905a6e4a21a3fa14adc1d99b7cbc03

SHA1
bd8682b580d951e3df05dfd467abba6b87bb43d9

SHA256
cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb

SHA512
753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\jquery.js

Filesize
93KB

MD5
3c9137d88a00b1ae0b41ff6a70571615

SHA1
1797d73e9da4287351f6fbec1b183c19be217c2a

SHA256
24262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1

SHA512
31730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\manifest.json

Filesize
569B

MD5
2835dd0a0aef8405d47ab7f73d82eaa5

SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c

SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3

SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc

Download Submit
C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe

Filesize
3.0MB

MD5
e5f6219b54266957ab0da8224f0fd830

SHA1
cb5d9bc8901daea8fcc4ed4b97aaaa1651ead30c

SHA256
a4c67af2f732b249f2879a3334006713a8f0aa07f771a80065cbfa6b4637a403

SHA512
83fbef2bdc90e61f622769f0f28936388dad7cf321f1df67af9819724de1d65a4d5624b885bbda80ac8a372e5408585adbef34860e43d54fc12e456182e5564e

Download Submit
C:\Windows\TEMP\{D321CDEA-0BF1-4C8C-9075-5A4B88122358}\.ba\rendzina.yml

Filesize
1.3MB

MD5
7b0a2c7dcbaf47949428b8f82570fa89

SHA1
c85af70092b1d97d28aef786e97507c748359724

SHA256
f3b12aa0fa6d27a0c9401d0c0b7a564b342a7e1d65f0827a139ac505db0d4e85

SHA512
7377ebe6e2fc625718c8a94b190b5ec211307a4dbb672dcbc1efc95cc57a26138ebc150b52aea06cc26002ad0bdd876eb8bb6cbe8303b9fd51646fe29f4d1f08

Download Submit
C:\Windows\Temp\{6A2A4C80-630D-4645-B155-71B15CE5ACC4}\.cr\kato.exe

Filesize
2.9MB

MD5
ee5d43fee47f62dc57e5e509fd6a9056

SHA1
0dafc5b4458d61986988dcf7e90c4ab5c13d15de

SHA256
1c331c776a850d970d39be136659746c0729c393b6e6c934f1ab1c9075f76973

SHA512
e2180ca5d43b87723705bb9a4a4e1c13bea2f8bf12aa7bb798cdbf68b5acc6c731d8c07b839b2e1749c8c6135899201a2389bc75669301337ec7da46b0827ec5

Download Submit
C:\Windows\Temp\{D321CDEA-0BF1-4C8C-9075-5A4B88122358}\.ba\Knockwurst.dll

Filesize
1.3MB

MD5
9882ac3b1c5d3f27475cdcf2edd6694f

SHA1
3a01679cab83c493ed0bcd946c50c2c675a0a270

SHA256
6a73fb33a020f62b03ba576d4627ec87f1d7af73066a16a5290b4db0042c0b3c

SHA512
7a35ed2179b479afebbf386b7cbd5c2d301cc2778708dfcebb5ac2c658d86578b1161149a66623f18dd0b193da5acc819f27d14ef2f703567ee84a7b67f4d992

Download Submit
C:\Windows\Temp\{D321CDEA-0BF1-4C8C-9075-5A4B88122358}\.ba\MindClient.dll

Filesize
467KB

MD5
c058b36fb6b007c2920604229b1fa0a3

SHA1
1377c5c47f08ffabb6a3359cdc2c3b5c8df958bb

SHA256
37cc3ebff3b7b7e55e8a8cc8785449152c6b119d25bacc6671b089dca7998ca2

SHA512
a53f211cae71d083bb3fd6c2918384ed00a5b35cf67f28544303111e05abbc464b8033d649957a0665ff32c2180b594e3fbd66f90c4f783e2e8ee5d6865108c3

Download Submit
C:\Windows\Temp\{D321CDEA-0BF1-4C8C-9075-5A4B88122358}\.ba\TiVoDiag.exe

Filesize
815KB

MD5
379ba636ef26aa22b2636bb0ba2876d2

SHA1
5d1b53d63b9de9138e1a679a928d9cf34413711f

SHA256
70ea7dcb7e15202e806cf8e3d3f250c1432c1af01c25a440f55fd07eec4913ad

SHA512
066a456cc7ae9b16e5293cf979d5f0bae2ad095b76925a7f9aa1ab184d468b40bbe6d81655fb97766d786fa1bc7174f3c5b76f6e0de3205f60e09a4e69f992f5

Download Submit
C:\Windows\Temp\{D321CDEA-0BF1-4C8C-9075-5A4B88122358}\.ba\shieldfern.doc

Filesize
55KB

MD5
df4f621ea64bac21c2051ef4a2e9cb30

SHA1
03cc13749b9b73223df4820d9568b262488aacab

SHA256
e2f35cd3969c76969aca8720d6bd3bdc4b2d77785c797c2b51ff9646aea7e3e6

SHA512
c3efe090cb9f0363c80c60e1f1b4e8a0688a26ed6062aaa9df0afbaa6700227fe8527e21dcb03442ff99f4a8c1a02e021c5520102f55311a7a56798708f37158

Download Submit
C:\Windows\Temp\{D321CDEA-0BF1-4C8C-9075-5A4B88122358}\.ba\wspconfig.dll

Filesize
535KB

MD5
b86ca5c4e56fedb923332528bf09ef48

SHA1
251ba312b1461270d866510fb7fc9b8dd42740d3

SHA256
08f820cffb07375c795ab336dc248be94457e44f6b2fabd3c6d27230a41d98d2

SHA512
c6d71ff960dc288931443cbfb9a3786b317f19206359d4842f7e3d1c304a4cd61a177ed058899da678bc2ba50b4235e4267889762cd98c46e4d0a35d0523cfc8

Download Submit
memory/1296-85-0x0000000074B70000-0x0000000074CEB000-memory.dmp

Filesize
1.5MB

Download
memory/1296-84-0x00007FFFDD890000-0x00007FFFDDA85000-memory.dmp

Filesize
2.0MB

Download
memory/1296-100-0x0000000074B70000-0x0000000074CEB000-memory.dmp

Filesize
1.5MB

Download
memory/2260-94-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-129-0x000002960BF30000-0x000002960BF40000-memory.dmp

Filesize
64KB

Download
memory/2260-96-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-95-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-97-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-93-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-98-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-89-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-88-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-87-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-99-0x000002960D6D0000-0x000002960D6D1000-memory.dmp

Filesize
4KB

Download
memory/2260-124-0x000002960BEE0000-0x000002960BEF0000-memory.dmp

Filesize
64KB

Download
memory/2420-61-0x00007FFFDD890000-0x00007FFFDDA85000-memory.dmp

Filesize
2.0MB

Download
memory/2420-60-0x0000000074B70000-0x0000000074CEB000-memory.dmp

Filesize
1.5MB

Download
memory/2420-56-0x0000000000AA0000-0x0000000000B2A000-memory.dmp

Filesize
552KB

Download
memory/2884-108-0x00000000050A0000-0x00000000050F0000-memory.dmp

Filesize
320KB

Download
memory/2884-111-0x0000000006330000-0x000000000685C000-memory.dmp

Filesize
5.2MB

Download
memory/2884-120-0x0000000007D40000-0x0000000007D4A000-memory.dmp

Filesize
40KB

Download
memory/2884-109-0x0000000005470000-0x0000000005632000-memory.dmp

Filesize
1.8MB

Download
memory/2884-110-0x00000000056D0000-0x0000000005746000-memory.dmp

Filesize
472KB

Download
memory/2884-135-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/2884-102-0x0000000074710000-0x00000000749A1000-memory.dmp

Filesize
2.6MB

Download
memory/2884-107-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/2884-106-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/2884-105-0x0000000000910000-0x00000000009E4000-memory.dmp

Filesize
848KB

Download
memory/2884-113-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/2884-136-0x00000000051D0000-0x000000000520C000-memory.dmp

Filesize
240KB

Download
memory/2884-112-0x00000000057A0000-0x00000000057BE000-memory.dmp

Filesize
120KB

Download
memory/4012-81-0x0000000074B70000-0x0000000074CEB000-memory.dmp

Filesize
1.5MB

Download
memory/4012-75-0x0000000000870000-0x00000000008E9000-memory.dmp

Filesize
484KB

Download
memory/4012-79-0x0000000074B70000-0x0000000074CEB000-memory.dmp

Filesize
1.5MB

Download
memory/4012-80-0x00007FFFDD890000-0x00007FFFDDA85000-memory.dmp

Filesize
2.0MB

Download
memory/4244-0-0x00007FFFBF973000-0x00007FFFBF975000-memory.dmp

Filesize
8KB

Download
memory/4244-34-0x00007FFFBF970000-0x00007FFFC0431000-memory.dmp

Filesize
10.8MB

Download
memory/4244-15-0x00000205EA800000-0x00000205EA812000-memory.dmp

Filesize
72KB

Download
memory/4244-14-0x00000205EA7D0000-0x00000205EA7DA000-memory.dmp

Filesize
40KB

Download
memory/4244-12-0x00007FFFBF970000-0x00007FFFC0431000-memory.dmp

Filesize
10.8MB

Download
memory/4244-11-0x00007FFFBF970000-0x00007FFFC0431000-memory.dmp

Filesize
10.8MB

Download
memory/4244-1-0x00000205EB790000-0x00000205EB7B2000-memory.dmp

Filesize
136KB

Download