amadey | a13e7faae122bc102b08a43756324af72cd2bae5a5a4817f31b75a1f6fe5e170

Analysis

max time kernel
113s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

1.8MB
MD5

211061571cf1b60208209fa2204b3035
SHA1

570b171d6cbbae798b86f664b566763be8c15e48
SHA256

a13e7faae122bc102b08a43756324af72cd2bae5a5a4817f31b75a1f6fe5e170
SHA512

35a9b350cb7f1131c60f8ab86cf14b07d858e9d7c37cc6ba59ede151b695017f484249bdcb87dd0329267960a52a4121aab6e3c176d096d16c98550abaef06e5
SSDEEP

24576:o54dustllVjtOxjmRclRvN3iUGb0DUSYQSoyPPMsvT+tTfLspOgGDO/P9EScJsnQ:oOdusjlp8JFSUG4AqAEt0BCzxtLej

Score

10^/10

amadey darkvision lumma vidar xworm 092155 f942dabea5a58a141236ae72e4720fbf bootkit credential_access defense_evasion discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://5pepperiop.digital/oage

https://jrxsafer.top/shpaoz

https://plantainklj.run/opafg

https://puerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://wstarcloc.bet/GOksAo

https://atargett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Extracted

Family

xworm

Version

5.0

127.0.0.1:9000

45.134.39.20:9000

Mutex

oV8zKY7m1pKloRzQ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Extracted

Family

vidar

Version

13.4

Botnet

f942dabea5a58a141236ae72e4720fbf

https://t.me/f07nd

https://steamcommunity.com/profiles/76561199843252735

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral1/memory/1524-210-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1524-211-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1524-219-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1524-235-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1524-240-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1524-258-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1524-262-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5864-73-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5016 created 3524	5016	wQI4o11.exe	56
PID 6016 created 3524	6016	wQI4o11.exe	56

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ae7644785a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9447a62878.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	02c5e59435.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
12528	powershell.exe
2560	powershell.exe

Downloads MZ/PE file 20 IoCs

flow	pid	Process
372	1524	MSBuild.exe
372	1524	MSBuild.exe
88	4600	futors.exe
132	4600	futors.exe
132	4600	futors.exe
80	1260	rapes.exe
141	1260	rapes.exe
258	4600	futors.exe
346	1260	rapes.exe
361	4600	futors.exe
27	1260	rapes.exe
27	1260	rapes.exe
27	1260	rapes.exe
85	1260	rapes.exe
87	4536	svchost.exe
363	1260	rapes.exe
363	1260	rapes.exe
363	1260	rapes.exe
363	1260	rapes.exe
363	1260	rapes.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\9e186137.sys	515ffdb8.exe
File created	C:\Windows\System32\Drivers\klupd_9e186137a_arkmon.sys	515ffdb8.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\9e186137\ImagePath = "System32\\Drivers\\9e186137.sys"	515ffdb8.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_arkmon\ImagePath = "System32\\Drivers\\klupd_9e186137a_arkmon.sys"	515ffdb8.exe

Uses browser remote debugging 2 TTPs 13 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
12700	msedge.exe
12688	msedge.exe
22004	chrome.exe
22340	chrome.exe
6672	chrome.exe
1836	chrome.exe
7392	chrome.exe
7216	chrome.exe
22012	chrome.exe
22144	chrome.exe
4732	chrome.exe
7560	chrome.exe
11560	msedge.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	02c5e59435.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	02c5e59435.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9447a62878.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ae7644785a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ae7644785a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9447a62878.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	d2705ee510.exe

Deletes itself 1 IoCs

pid	Process
1168	w32tm.exe

Executes dropped EXE 34 IoCs

pid	Process
1260	rapes.exe
4404	YMauSAr.exe
4316	VrQSuEQ.exe
4080	rapes.exe
5016	wQI4o11.exe
3996	02c5e59435.exe
6016	wQI4o11.exe
3444	VrQSuEQ.exe
2932	amnew.exe
4600	futors.exe
2748	UZPt0hR.exe
5276	v7942.exe
5888	ae7644785a.exe
1816	tzutil.exe
1168	w32tm.exe
7292	alex12312321.exe
11312	legendarik.exe
6412	rapes.exe
4624	futors.exe
9228	d2705ee510.exe
8260	6b2a94a8b9.exe
7580	svchost015.exe
4984	crypted.exe
12968	Constraints.com
13244	RYZusWg.exe
6424	9447a62878.exe
5884	39886065.exe
11836	3c3e4c5d4f.exe
5496	x4euknopzu.exe
4752	515ffdb8.exe
8928	n0hEgR9.exe
10120	svchost015.exe
10752	3wbaas00z5.exe
10640	3wbaas00z5.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	02c5e59435.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	ae7644785a.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	9447a62878.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys\ = "Driver"	515ffdb8.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys	515ffdb8.exe

Loads dropped DLL 19 IoCs

pid	Process
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe
4752	515ffdb8.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9447a62878.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10052940101\\9447a62878.exe"	futors.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\64b92a58-d3f1-49d4-9f01-712fa477e26f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{607f08f3-df27-4b98-a459-aa1e4589a351}\\64b92a58-d3f1-49d4-9f01-712fa477e26f.cmd\""	515ffdb8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3c3e4c5d4f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10052950101\\3c3e4c5d4f.exe"	futors.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	ae7644785a.exe
File opened for modification	\??\PhysicalDrive0	515ffdb8.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
12020	tasklist.exe
12204	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3316	random.exe
1260	rapes.exe
4080	rapes.exe
3996	02c5e59435.exe
5888	ae7644785a.exe
6412	rapes.exe
6424	9447a62878.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 3984	4316	VrQSuEQ.exe	100
PID 5016 set thread context of 5864	5016	wQI4o11.exe	105
PID 6016 set thread context of 1244	6016	wQI4o11.exe	113
PID 3444 set thread context of 212	3444	VrQSuEQ.exe	115
PID 5276 set thread context of 1524	5276	v7942.exe	131
PID 7292 set thread context of 5272	7292	alex12312321.exe	146
PID 11312 set thread context of 11456	11312	legendarik.exe	156
PID 8260 set thread context of 7580	8260	6b2a94a8b9.exe	173
PID 4984 set thread context of 4532	4984	crypted.exe	175
PID 5496 set thread context of 6412	5496	x4euknopzu.exe	200
PID 6424 set thread context of 10120	6424	9447a62878.exe	206
PID 8928 set thread context of 11464	8928	n0hEgR9.exe	205
PID 10752 set thread context of 10640	10752	3wbaas00z5.exe	208

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	39886065.exe
File opened (read-only)	\??\VBoxMiniRdrDN	515ffdb8.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\CongressJvc	d2705ee510.exe
File opened for modification	C:\Windows\DependMedication	d2705ee510.exe
File opened for modification	C:\Windows\AndorraPrint	d2705ee510.exe
File created	C:\Windows\Tasks\rapes.job	random.exe
File opened for modification	C:\Windows\SyntheticLil	d2705ee510.exe
File opened for modification	C:\Windows\MadnessSet	d2705ee510.exe
File opened for modification	C:\Windows\PolarRail	d2705ee510.exe
File opened for modification	C:\Windows\NewcastlePeripherals	d2705ee510.exe
File opened for modification	C:\Windows\LocksWisconsin	d2705ee510.exe
File opened for modification	C:\Windows\LimeNirvana	d2705ee510.exe
File opened for modification	C:\Windows\ZuMiller	d2705ee510.exe
File opened for modification	C:\Windows\DealersFocuses	d2705ee510.exe
File opened for modification	C:\Windows\AucklandChef	d2705ee510.exe
File opened for modification	C:\Windows\ExceedExec	d2705ee510.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
17052	11052	WerFault.exe	214
17548	10292	WerFault.exe	211
23900	17124	WerFault.exe	221
30308	23896	WerFault.exe	239
7256	24536	WerFault.exe	238
21956	11028	WerFault.exe	252

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c3e4c5d4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9447a62878.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wQI4o11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae7644785a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	515ffdb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02c5e59435.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2705ee510.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Constraints.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wQI4o11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b2a94a8b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39886065.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
24548	PING.EXE

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
17388	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	33	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133883928527235513"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	rapes.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
24548	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3316	random.exe
3316	random.exe
1260	rapes.exe
1260	rapes.exe
3984	MSBuild.exe
3984	MSBuild.exe
3984	MSBuild.exe
3984	MSBuild.exe
4080	rapes.exe
4080	rapes.exe
5016	wQI4o11.exe
5016	wQI4o11.exe
3996	02c5e59435.exe
3996	02c5e59435.exe
3996	02c5e59435.exe
3996	02c5e59435.exe
3996	02c5e59435.exe
3996	02c5e59435.exe
6016	wQI4o11.exe
6016	wQI4o11.exe
212	MSBuild.exe
212	MSBuild.exe
212	MSBuild.exe
212	MSBuild.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
1524	MSBuild.exe
1524	MSBuild.exe
5888	ae7644785a.exe
5888	ae7644785a.exe
1524	MSBuild.exe
1524	MSBuild.exe
6672	chrome.exe
6672	chrome.exe
5272	MSBuild.exe
5272	MSBuild.exe
5272	MSBuild.exe
5272	MSBuild.exe
1524	MSBuild.exe
1524	MSBuild.exe
1524	MSBuild.exe
1524	MSBuild.exe
11456	MSBuild.exe
11456	MSBuild.exe
11456	MSBuild.exe
11456	MSBuild.exe
6412	rapes.exe
6412	rapes.exe
1524	MSBuild.exe
1524	MSBuild.exe
4532	MSBuild.exe
4532	MSBuild.exe
4532	MSBuild.exe
4532	MSBuild.exe
1524	MSBuild.exe
1524	MSBuild.exe
12968	Constraints.com
12968	Constraints.com
12968	Constraints.com
12968	Constraints.com
12968	Constraints.com
12968	Constraints.com
12528	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4752	515ffdb8.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2748	UZPt0hR.exe
2748	UZPt0hR.exe
2748	UZPt0hR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
11560	msedge.exe
11560	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	5864	RegAsm.exe
Token: SeDebugPrivilege	1244	RegAsm.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeShutdownPrivilege	6672	chrome.exe
Token: SeCreatePagefilePrivilege	6672	chrome.exe
Token: SeShutdownPrivilege	6672	chrome.exe
Token: SeCreatePagefilePrivilege	6672	chrome.exe
Token: SeShutdownPrivilege	6672	chrome.exe
Token: SeCreatePagefilePrivilege	6672	chrome.exe
Token: SeShutdownPrivilege	6672	chrome.exe
Token: SeCreatePagefilePrivilege	6672	chrome.exe
Token: SeShutdownPrivilege	6672	chrome.exe
Token: SeCreatePagefilePrivilege	6672	chrome.exe
Token: SeShutdownPrivilege	6672	chrome.exe
Token: SeCreatePagefilePrivilege	6672	chrome.exe
Token: SeShutdownPrivilege	6672	chrome.exe
Token: SeCreatePagefilePrivilege	6672	chrome.exe
Token: SeDebugPrivilege	12020	tasklist.exe
Token: SeDebugPrivilege	12204	tasklist.exe
Token: SeDebugPrivilege	13244	RYZusWg.exe
Token: SeDebugPrivilege	12528	powershell.exe
Token: SeDebugPrivilege	4752	515ffdb8.exe
Token: SeBackupPrivilege	4752	515ffdb8.exe
Token: SeRestorePrivilege	4752	515ffdb8.exe
Token: SeLoadDriverPrivilege	4752	515ffdb8.exe
Token: SeShutdownPrivilege	4752	515ffdb8.exe
Token: SeSystemEnvironmentPrivilege	4752	515ffdb8.exe
Token: SeSecurityPrivilege	4752	515ffdb8.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2932	amnew.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
6672	chrome.exe
11560	msedge.exe
12968	Constraints.com
12968	Constraints.com
12968	Constraints.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
12968	Constraints.com
12968	Constraints.com
12968	Constraints.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1260	3316	random.exe	90
PID 3316 wrote to memory of 1260	3316	random.exe	90
PID 3316 wrote to memory of 1260	3316	random.exe	90
PID 1260 wrote to memory of 4404	1260	rapes.exe	98
PID 1260 wrote to memory of 4404	1260	rapes.exe	98
PID 1260 wrote to memory of 4316	1260	rapes.exe	99
PID 1260 wrote to memory of 4316	1260	rapes.exe	99
PID 4316 wrote to memory of 3984	4316	VrQSuEQ.exe	100
PID 4316 wrote to memory of 3984	4316	VrQSuEQ.exe	100
PID 4316 wrote to memory of 3984	4316	VrQSuEQ.exe	100
PID 4316 wrote to memory of 3984	4316	VrQSuEQ.exe	100
PID 4316 wrote to memory of 3984	4316	VrQSuEQ.exe	100
PID 4316 wrote to memory of 3984	4316	VrQSuEQ.exe	100
PID 4316 wrote to memory of 3984	4316	VrQSuEQ.exe	100
PID 4316 wrote to memory of 3984	4316	VrQSuEQ.exe	100
PID 4316 wrote to memory of 3984	4316	VrQSuEQ.exe	100
PID 1260 wrote to memory of 5016	1260	rapes.exe	102
PID 1260 wrote to memory of 5016	1260	rapes.exe	102
PID 1260 wrote to memory of 5016	1260	rapes.exe	102
PID 5016 wrote to memory of 5864	5016	wQI4o11.exe	105
PID 5016 wrote to memory of 5864	5016	wQI4o11.exe	105
PID 5016 wrote to memory of 5864	5016	wQI4o11.exe	105
PID 5016 wrote to memory of 5864	5016	wQI4o11.exe	105
PID 5016 wrote to memory of 5864	5016	wQI4o11.exe	105
PID 5016 wrote to memory of 5864	5016	wQI4o11.exe	105
PID 5016 wrote to memory of 5864	5016	wQI4o11.exe	105
PID 5016 wrote to memory of 5864	5016	wQI4o11.exe	105
PID 1260 wrote to memory of 3996	1260	rapes.exe	108
PID 1260 wrote to memory of 3996	1260	rapes.exe	108
PID 1260 wrote to memory of 3996	1260	rapes.exe	108
PID 1260 wrote to memory of 6016	1260	rapes.exe	111
PID 1260 wrote to memory of 6016	1260	rapes.exe	111
PID 1260 wrote to memory of 6016	1260	rapes.exe	111
PID 6016 wrote to memory of 1244	6016	wQI4o11.exe	113
PID 6016 wrote to memory of 1244	6016	wQI4o11.exe	113
PID 6016 wrote to memory of 1244	6016	wQI4o11.exe	113
PID 6016 wrote to memory of 1244	6016	wQI4o11.exe	113
PID 6016 wrote to memory of 1244	6016	wQI4o11.exe	113
PID 6016 wrote to memory of 1244	6016	wQI4o11.exe	113
PID 6016 wrote to memory of 1244	6016	wQI4o11.exe	113
PID 6016 wrote to memory of 1244	6016	wQI4o11.exe	113
PID 1260 wrote to memory of 3444	1260	rapes.exe	114
PID 1260 wrote to memory of 3444	1260	rapes.exe	114
PID 3444 wrote to memory of 212	3444	VrQSuEQ.exe	115
PID 3444 wrote to memory of 212	3444	VrQSuEQ.exe	115
PID 3444 wrote to memory of 212	3444	VrQSuEQ.exe	115
PID 3444 wrote to memory of 212	3444	VrQSuEQ.exe	115
PID 3444 wrote to memory of 212	3444	VrQSuEQ.exe	115
PID 3444 wrote to memory of 212	3444	VrQSuEQ.exe	115
PID 3444 wrote to memory of 212	3444	VrQSuEQ.exe	115
PID 3444 wrote to memory of 212	3444	VrQSuEQ.exe	115
PID 3444 wrote to memory of 212	3444	VrQSuEQ.exe	115
PID 1260 wrote to memory of 2932	1260	rapes.exe	119
PID 1260 wrote to memory of 2932	1260	rapes.exe	119
PID 1260 wrote to memory of 2932	1260	rapes.exe	119
PID 2932 wrote to memory of 4600	2932	amnew.exe	120
PID 2932 wrote to memory of 4600	2932	amnew.exe	120
PID 2932 wrote to memory of 4600	2932	amnew.exe	120
PID 1260 wrote to memory of 2748	1260	rapes.exe	121
PID 1260 wrote to memory of 2748	1260	rapes.exe	121
PID 1260 wrote to memory of 2748	1260	rapes.exe	121
PID 2748 wrote to memory of 2880	2748	UZPt0hR.exe	122
PID 2748 wrote to memory of 2880	2748	UZPt0hR.exe	122
PID 2748 wrote to memory of 4536	2748	UZPt0hR.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\random.exe
  "C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe
      "C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe"
      4⤵
      Executes dropped EXE
      PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe
      "C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\10473240101\wQI4o11.exe
      "C:\Users\Admin\AppData\Local\Temp\10473240101\wQI4o11.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\10473270101\02c5e59435.exe
      "C:\Users\Admin\AppData\Local\Temp\10473270101\02c5e59435.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\10473280101\wQI4o11.exe
      "C:\Users\Admin\AppData\Local\Temp\10473280101\wQI4o11.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\10473290101\VrQSuEQ.exe
      "C:\Users\Admin\AppData\Local\Temp\10473290101\VrQSuEQ.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:212
  - - C:\Users\Admin\AppData\Local\Temp\10473300101\amnew.exe
      "C:\Users\Admin\AppData\Local\Temp\10473300101\amnew.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        5⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:6672
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe435bdcf8,0x7ffe435bdd04,0x7ffe435bdd10
        9⤵
        
        PID:6712
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1952,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1948 /prefetch:2
        9⤵
        
        PID:6420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2224,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2240 /prefetch:3
        9⤵
        
        PID:2068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2364 /prefetch:8
        9⤵
        
        PID:1432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3224 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3468,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3480 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1836
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4348,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4376 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:7392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4704,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3796 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:7560
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4988,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5000 /prefetch:8
        9⤵
        
        PID:3224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5044,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4976 /prefetch:8
        9⤵
        
        PID:3736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4952,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5428 /prefetch:8
        9⤵
        
        PID:8308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5112,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4976 /prefetch:8
        9⤵
        
        PID:8404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5416,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5636 /prefetch:8
        9⤵
        
        PID:8468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5448,i,2714095005328170080,5908533245720169393,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5760 /prefetch:8
        9⤵
        
        PID:2256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:11560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffe4516f208,0x7ffe4516f214,0x7ffe4516f220
        9⤵
        
        PID:11616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1924,i,15188839595350074533,13461784922654919108,262144 --variations-seed-version --mojo-platform-channel-handle=1920 /prefetch:2
        9⤵
        
        PID:12024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2156,i,15188839595350074533,13461784922654919108,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:3
        9⤵
        
        PID:12040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2584,i,15188839595350074533,13461784922654919108,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:8
        9⤵
        
        PID:868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3548,i,15188839595350074533,13461784922654919108,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:12688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3552,i,15188839595350074533,13461784922654919108,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:12700
        
        C:\ProgramData\x4euknopzu.exe
        
        "C:\ProgramData\x4euknopzu.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6412
        
        C:\ProgramData\3wbaas00z5.exe
        
        "C:\ProgramData\3wbaas00z5.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:10752
        
        C:\ProgramData\3wbaas00z5.exe
        
        "C:\ProgramData\3wbaas00z5.exe"
        9⤵
        Executes dropped EXE
        
        PID:10640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        10⤵
        
        PID:9308
        
        C:\Users\Admin\AppData\Local\G54wDoMqWiRP.exe
        
        "C:\Users\Admin\AppData\Local\G54wDoMqWiRP.exe"
        10⤵
        
        PID:24148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:24460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:24496
        
        C:\Users\Admin\AppData\Local\DMpXJUBzLEG0.exe
        
        "C:\Users\Admin\AppData\Local\DMpXJUBzLEG0.exe"
        10⤵
        
        PID:24320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:24344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:7216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffe41f2dcf8,0x7ffe41f2dd04,0x7ffe41f2dd10
        13⤵
        
        PID:24144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2004,i,14024549177275700405,12109370968644072480,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2000 /prefetch:2
        13⤵
        
        PID:21820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1568,i,14024549177275700405,12109370968644072480,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2228 /prefetch:3
        13⤵
        
        PID:21840
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2264,i,14024549177275700405,12109370968644072480,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2752 /prefetch:8
        13⤵
        
        PID:21916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,14024549177275700405,12109370968644072480,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3244 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:22004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3016,i,14024549177275700405,12109370968644072480,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3276 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:22012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,14024549177275700405,12109370968644072480,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4284 /prefetch:2
        13⤵
        Uses browser remote debugging
        
        PID:22144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,14024549177275700405,12109370968644072480,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4572 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:22340
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4964,i,14024549177275700405,12109370968644072480,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4976 /prefetch:8
        13⤵
        
        PID:22516
        
        C:\Users\Admin\AppData\Local\HuT5jem7EmzF.exe
        
        "C:\Users\Admin\AppData\Local\HuT5jem7EmzF.exe"
        10⤵
        
        PID:24484
        
        C:\Users\Admin\AppData\Local\Temp\TB9PKjeZ\swFRBqJO4EMgBrSi.exe
        
        C:\Users\Admin\AppData\Local\Temp\TB9PKjeZ\swFRBqJO4EMgBrSi.exe 0
        11⤵
        
        PID:24536
        
        C:\Users\Admin\AppData\Local\Temp\TB9PKjeZ\ZOl86C04qjf9JqCg.exe
        
        C:\Users\Admin\AppData\Local\Temp\TB9PKjeZ\ZOl86C04qjf9JqCg.exe 24536
        12⤵
        
        PID:23896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 23896 -s 608
        13⤵
        Program crash
        
        PID:30308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 24536 -s 684
        12⤵
        Program crash
        
        PID:7256
        
        C:\ProgramData\16fct00rim.exe
        
        "C:\ProgramData\16fct00rim.exe"
        8⤵
        
        PID:10192
        
        C:\Users\Admin\AppData\Local\Temp\ula2PKEV\FRF2KYuO8yEpge3Y.exe
        
        C:\Users\Admin\AppData\Local\Temp\ula2PKEV\FRF2KYuO8yEpge3Y.exe 0
        9⤵
        
        PID:10292
        
        C:\Users\Admin\AppData\Local\Temp\ula2PKEV\4Pm28AXX0EvRSehq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ula2PKEV\4Pm28AXX0EvRSehq.exe 10292
        10⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11052 -s 724
        11⤵
        Program crash
        
        PID:17052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10292 -s 1748
        10⤵
        Program crash
        
        PID:17548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\w4w4w" & exit
        8⤵
        
        PID:17172
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        9⤵
        Delays execution with timeout.exe
        
        PID:17388
      - C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5272
      - C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:11312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:11456
      - C:\Users\Admin\AppData\Local\Temp\10046340101\d2705ee510.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046340101\d2705ee510.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:9228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9860
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:12020
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12044
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:12204
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 674187
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12300
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Funky.wbk
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12404
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Und" Tournament
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 674187\Constraints.com + Lu + Pepper + Cn + Hairy + Nose + Providence + Bra + Corresponding + Promo + Ending 674187\Constraints.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Losses.wbk + ..\Finally.wbk + ..\Medications.wbk + ..\Borough.wbk + ..\Trim.wbk + ..\Ellis.wbk + ..\Truly.wbk + ..\Was.wbk r
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12864
        
        C:\Users\Admin\AppData\Local\Temp\674187\Constraints.com
        
        Constraints.com r
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:12968
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:13296
      - C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\10052940101\9447a62878.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052940101\9447a62878.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052940101\9447a62878.exe"
        7⤵
        Executes dropped EXE
        
        PID:10120
      - C:\Users\Admin\AppData\Local\Temp\10052950101\3c3e4c5d4f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052950101\3c3e4c5d4f.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:11836
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052950101\3c3e4c5d4f.exe"
        7⤵
        
        PID:11100
  - - C:\Users\Admin\AppData\Local\Temp\10473310101\UZPt0hR.exe
      "C:\Users\Admin\AppData\Local\Temp\10473310101\UZPt0hR.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        
        PID:2880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        5⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:4536
      - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        6⤵
        Executes dropped EXE
        
        PID:1816
      - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        6⤵
        Deletes itself
        Executes dropped EXE
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\{11a47fb3-4513-4daa-ba7e-06c0b632ad5f}\39886065.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{11a47fb3-4513-4daa-ba7e-06c0b632ad5f}\39886065.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\{45150a05-6952-420f-9d0d-3f5424a7bbd4}\515ffdb8.exe
        
        C:/Users/Admin/AppData/Local/Temp/{45150a05-6952-420f-9d0d-3f5424a7bbd4}/\515ffdb8.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        8⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\10473320101\ae7644785a.exe
      "C:\Users\Admin\AppData\Local\Temp\10473320101\ae7644785a.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5888
  - - C:\Users\Admin\AppData\Local\Temp\10473330101\6b2a94a8b9.exe
      "C:\Users\Admin\AppData\Local\Temp\10473330101\6b2a94a8b9.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:8260
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473330101\6b2a94a8b9.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7580
  - - C:\Users\Admin\AppData\Local\Temp\10473340101\RYZusWg.exe
      "C:\Users\Admin\AppData\Local\Temp\10473340101\RYZusWg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:13244
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10473351121\ccosvAs.cmd"
      4⤵
      System Location Discovery: System Language Discovery
      PID:7924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10473351121\ccosvAs.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\10473360101\n0hEgR9.exe
      "C:\Users\Admin\AppData\Local\Temp\10473360101\n0hEgR9.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:8928
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:9068
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11464
  - - C:\Users\Admin\AppData\Local\Temp\10473370101\Rm3cVPI.exe
      "C:\Users\Admin\AppData\Local\Temp\10473370101\Rm3cVPI.exe"
      4⤵
      PID:17248
  - - C:\Users\Admin\AppData\Local\Temp\10473380101\mTk60rz.exe
      "C:\Users\Admin\AppData\Local\Temp\10473380101\mTk60rz.exe"
      4⤵
      PID:30284
    - - C:\Users\Admin\AppData\Local\Temp\onefile_30284_133883929131339938\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10473380101\mTk60rz.exe
        5⤵
        
        PID:30616
  - - C:\Users\Admin\AppData\Local\Temp\10473390101\95e465375a.exe
      "C:\Users\Admin\AppData\Local\Temp\10473390101\95e465375a.exe"
      4⤵
      PID:6832
  - - C:\Users\Admin\AppData\Local\Temp\10473400101\LJl8AAr.exe
      "C:\Users\Admin\AppData\Local\Temp\10473400101\LJl8AAr.exe"
      4⤵
      PID:3652
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:21660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{607f08f3-df27-4b98-a459-aa1e4589a351}\64b92a58-d3f1-49d4-9f01-712fa477e26f.cmd"
  2⤵
  PID:7140
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:24548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ula2PKEV\FRF2KYuO8yEpge3Y.exe
  2⤵
  PID:10972
- - C:\Users\Admin\AppData\Local\Temp\ula2PKEV\FRF2KYuO8yEpge3Y.exe
    C:\Users\Admin\AppData\Local\Temp\ula2PKEV\FRF2KYuO8yEpge3Y.exe
    3⤵
    PID:17092
  - - C:\Users\Admin\AppData\Local\Temp\JX6viklC\d3nDEYEfI2JDOaRD.exe
      C:\Users\Admin\AppData\Local\Temp\JX6viklC\d3nDEYEfI2JDOaRD.exe 17092
      4⤵
      PID:17124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17124 -s 692
        5⤵
        Program crash
        
        PID:23900
  - - C:\Users\Admin\AppData\Local\Temp\ula2PKEV\3W2RW6O5cfwhCNpu.exe
      C:\Users\Admin\AppData\Local\Temp\ula2PKEV\3W2RW6O5cfwhCNpu.exe 17092
      4⤵
      PID:11028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11028 -s 572
        5⤵
        Program crash
        
        PID:21956

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:7036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:12224

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6412

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAEQALQBNAFAAUABSAGUAZgBlAHIARQBuAEMAZQAgAC0AZQB4AEMAbAB1AFMAaQBvAG4AUABhAFQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAFIAYwBFADsAIABBAEQARAAtAE0AUABQAHIAZQBmAEUAUgBFAE4AQwBlACAALQBFAFgAQwBsAFUAcwBpAE8AbgBQAFIAbwBjAGUAcwBTACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACAALQBGAG8AcgBDAGUA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:12528

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 11052 -ip 11052
1⤵
PID:17024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 10292 -ip 10292
1⤵
PID:17516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 17124 -ip 17124
1⤵
PID:23812

C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
1⤵
PID:23992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 23896 -ip 23896
1⤵
PID:30268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 24536 -ip 24536
1⤵
PID:10272

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:9672

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:10920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 11028 -ip 11028
1⤵
PID:21656

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:21940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_9e186137a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\ProgramData\16fct00rim.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\26xb1\cjwbaa

Filesize
6KB

MD5
084d43aeadaf963f52f4dc3a4e3ee81c

SHA1
1b51ff5f424f9b035931755469687d8b4c25d6dc

SHA256
3330365721930a736798d9cbd011c1111791fec6315644b3c85ae303247631a0

SHA512
467f329f0973ba0c77b6cab61a7319fdb07b42d9092ac960d2b1b3c2397be70cdcb1854243fb8d2fd5d1e826961860f599989351f150177c68cd37980941757a

Download Submit
C:\ProgramData\26xb1\wl6pzmy5p

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\3wbaas00z5.exe

Filesize
952KB

MD5
f258ba9ca646b9749d7f22a3dfdc77d2

SHA1
36ee4ef9e49e0ebb8973c8f50849d6367c03e69b

SHA256
fcc3edcd526b0c746998d72af8ce9cc29b0bd801f767078cc472f93d57eee9ef

SHA512
764ecce1c087bceb9dbaab806bce134dae40a0a89a8aa6ab9e566bf2206ca79850cb2a109111455f9c14dbbdb6783193958c9007f7780d444e3837fa7dbdea3a

Download Submit
C:\ProgramData\FlnSKuneOhxl

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
bcbec32483eb43840823c4f6bd653779

SHA1
3b83255512c5f268d0a1cb2997b1cc9d40f4252d

SHA256
d8a8e71a2be6d5fafa5d49029a37751c78be7e007152859233b8020a5c258167

SHA512
4cb807157807c72d599305eada37e85330314e43061f9af3ab9c44839bfc945431e320adf5259b9a9ecb531368cd9ab91d047eb8874f0ce6a8d4022ed69a6408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5eeb51e9e64e555e4a7d2705eb9976db

SHA1
742d0f4d9a77575115f5c5ad9ac8a133bd7abde6

SHA256
47b9983eedcea6a3828388e3097617595b69ff60543180b2411b20b0444085aa

SHA512
32c4630f6be0210efa8330dd1286855379c169c048543d4bc1a985eba6fdedb67b3c8fab522265f667276f74fbd4290013588d8233003bfbce63701fb8ae3581

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
888d42db04953a00fdd72c8c0ed2901d

SHA1
b9b8f16a6e5c4f818b2d56b27dfa09460d9be368

SHA256
756f4c1618fc9011d53367c42a04b3024e7ce01767a1959a59de010dd0c9361f

SHA512
5f34e9902f3af37747a2e2bc86fb263c1751452adf49739755f711b56087ea65f03088eab6b98bd00b8c7283b25ec3885640297c28ec27bb800eadd423fd364c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
172b62870e751352232a695679b9f131

SHA1
8fd7a96fa2c62f8f8722ac7780dbde8e343cbefc

SHA256
22b73ba24a1e495d79076ade7e63cf6ca209c32d1b1bf1c36dab12999eff92c8

SHA512
920cc87b520725810f9732acf9e676f7916917903e2e62a9202b1f4ba8db9c955f28e74003cfbecdf21d09784587e5335006b12ab43a3dcd9992258852407478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8625e8ce164e1039c0d19156210674ce

SHA1
9eb5ae97638791b0310807d725ac8815202737d2

SHA256
2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2

SHA512
3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
214feea7ff02e587e84ae32db67d3640

SHA1
8258d4aea56f64835b68a44026efe5a4e5fb4729

SHA256
65430a187685777d8a0844501a4f24bd04bb9b074ee72621a474bf093f7440d0

SHA512
c9a478bae0dc23daa25a028167636e464477720c9cb190649d50af948859dda66dde82e4ea285c3703981340ffda202c47dfd24c66e9402bec777431a0feee7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fb973ee3-44c0-474a-a1d2-0dc494346dcb.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
70f9cadd44cd81ca58ef1b492c5069a8

SHA1
12348b094aaa08867e47cd7c68c75fec77f1f728

SHA256
68fd09a05459ef48fb28fbe0a13b9922c756785c5610133d28053a5318768334

SHA512
ff7bd962923be69f3b16d64c503def54c2cf851006669a2cb4f6560ea00f0592b8a19b06685df31ea1fdeb4e65b723dc4ee9a8897603d31ca141511fc54a9ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH2PF5WH\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
360KB

MD5
cbc01fb7800453f31807a3c8c53ce422

SHA1
a1b48d519d0f4b2d375d2e0f72c8f6076f63f7f6

SHA256
f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca

SHA512
ad368855a6a49eb28325799cc5759b2d28b842da85209721d57c6770bff6d18f3a6b1fcc5146568c8ec98ff179c226da366a7ff3ab6032b164f85ba4ab26c4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe

Filesize
1.9MB

MD5
1c1602475ec7a0aa4e5450a11dd8870f

SHA1
fcb574a067e4b40feea92b296234dc037fabb7aa

SHA256
d522f1e3faa457f26102b3b10b2281863d5282d4c68151eb5bd89096b9d99a92

SHA512
7fd0be5da736ef645fb906eb0aca28e212a2bc6778efb554bd3d6a4e58bce2b140e43e452e74a1f5444ea7e1939e59bdfa09f83ed435dfb465e706d32504ebd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe

Filesize
2.1MB

MD5
2a3fbf508bbf6c77fb9138e6bdc0c114

SHA1
8de41763cb3b5011ef1bb611fc258184b24ca258

SHA256
b87944aaa06658715496841be98f0f4791165f2d0d2a85267bf5fc80ef59f74f

SHA512
ed5cc3d07923986cc2751d1e5d833fc2a83de70fb68926378b9dbb0d83506ca7af39ce3a9bc46461c96bf5c2a35c04e106d56296b0d010a64a6c128057a9c84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10046340101\d2705ee510.exe

Filesize
1.3MB

MD5
09232161939bec92432fe5751b7cd092

SHA1
b5da678663e7adfc4a85b096e94fa5d4ba0ccc20

SHA256
f741a6cfbd22e05821557394ea54651c78882c16e1ce667ef0343957abe201a0

SHA512
914f26d4f6917a1d8eb3f9a5b33f63671fe3586d54efff2043ca16186bf1fa7859246062262d1fd2dca7f8571260aa027d6cca42a7e4881aead8f29a7276f119

Download Submit
C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe

Filesize
1.9MB

MD5
bb7dd9e8a9208dce433986550698e70a

SHA1
978999f07f696a2ffa437fafda988805cc77b316

SHA256
a542d24a574ba119fd926178d68f80f1923b4dffd149812e8d0103496c00fb77

SHA512
1378a77291502e50bdd318d5875652924a000b71d4179901321e2a9df587557bb93b613678afd71f234ee2627220c528fdd0239cfa7505b083c63b8fc8401c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\10052940101\9447a62878.exe

Filesize
4.4MB

MD5
e1e2da6b5cd813d7f0ec3f00990ae47f

SHA1
a256358da54ef7e8fd065842fa592ee82f2fd3cf

SHA256
baf5e2a07be7d2663cb6ef113dd31328c69f7307fd189145189f46cc1bcd37df

SHA512
60c3454f7f242379528739cded5a0d45036c72b5e1027aeccad668e4d50fa50a737c095fc7eeddcc1b0e1649476f8305c0c66fa22e45c1711ad0af8965a28bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe

Filesize
7.8MB

MD5
9e7b72fc6d4a6b523db31a92955fb0af

SHA1
476824befa9db5c437a0a3e322219a42f0326da2

SHA256
7a877c8cab63651290d7fba73619a22157de658f056c708c154bb04bea3ceb7e

SHA512
6d04ea169193da8b4e30fc0c683e74ee45090a82987301f139d84e5a4202a633f646661a7bd9762d3643cff904dfb3d23b397a2983032c2025313fbd8fa80b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe

Filesize
584KB

MD5
c5d9e2e38334a86e8f50dfb92e895e11

SHA1
723b222dce3677b76fda3754c7d58dcf60a7ee3a

SHA256
4d78fb22cc89fa243a5b356ee029331d52e047aac72595fb2d0e66fc6d2943dd

SHA512
65952a94ab63f509b98211db5f5544f8d962e0f9441381be0584498e5031adb5259d5ea3ab79804ed685ebd2ba162612f519bdbd580aa21d0352e1a3f05103b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473240101\wQI4o11.exe

Filesize
5.5MB

MD5
d66272143362242811fc9849c98b47b5

SHA1
17194970bbfe4ef0402f413fce909c3ae57e5342

SHA256
c29d978e33e1d80eb188cff6ebebd0a576480871a0c173f8132a7b14383a50a9

SHA512
9aa0267466e63c69c651a5ffd9fb0ea8285bcf7f6b6a2d72d53e8af04c8077aca2b4839d5721a9ec4a3a55a4a6675cc4e1a9950ae4f85e67bf9b6e19d1a772dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473270101\02c5e59435.exe

Filesize
1.8MB

MD5
e5ce7c7822d6ae95ea7df9a6bec47195

SHA1
1d52d18943beed15b7354731c7073ca0e05bd991

SHA256
d774cec2801f9e42a38553dcc558e80cdd83b5e89aebde3a6528d695f105b85a

SHA512
68f5d360a1e8c505431238b825fe8d0c461e99fc78884005517fec13d5a494ddb771a06a8bdc544e734744b90b9ef223284ef6f6d77c67f70666728599cae562

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473300101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473310101\UZPt0hR.exe

Filesize
1.2MB

MD5
bf6f64455cb1039947a3100e62f96a52

SHA1
28cdd5c2e82d4ad078420dcbf4b32b928861fcb6

SHA256
c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba

SHA512
c2ceb000b387710cf388e6699a2cb4465380bf5798d9f37c238db0701aaea6ccad1f44e6b9e45398050202ef875a5d7679890df2bb65538a0c8a9655c62c185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473320101\ae7644785a.exe

Filesize
2.1MB

MD5
b716eeac8d2b82a187470f85b1db47af

SHA1
c9bd99c909c0f0d11aaf0883f8c8a10e3cc20b3f

SHA256
410b45fbefb6d7774958ce3836396a2f8b67084358b609da0080f4dcccb33a83

SHA512
28476e788b7e7ed90d7b3e6a21b75edb0ee86ea970ffeedf76360cd0d043c76beddd2c55f3850e5fafac34abecda87787ca9a54f39eee10e2f681c8b44c01519

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473330101\6b2a94a8b9.exe

Filesize
5.9MB

MD5
e05432c13d42b8526ce4bc0dc240d297

SHA1
db6e9382425055030662ecdc95d6405d30dcf82a

SHA256
574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9

SHA512
56ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473340101\RYZusWg.exe

Filesize
655KB

MD5
922e963ce085b717f4d3818a1f340d17

SHA1
ce250046d0587889ad29f485fbf0e97692156625

SHA256
bf5d1dd6ea5f4af043069d12699f9352af431ce3cdff633ff227eec441244bca

SHA512
689b6afe8755a81c428e76dadac66cfee8f81afd6fabf386cc1d1ed836c09fe318844964120f25e445fbd03995708f91609194961c9753362b6563f603fad1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473351121\ccosvAs.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473360101\n0hEgR9.exe

Filesize
1.1MB

MD5
3f986040ea150bfb24408c7f5677289d

SHA1
cee2ff576ec34b152ae9b7390c327fcf931fd372

SHA256
fcf94c18fbd9114e3a71142b47952f8e1cf81ef2a8a58f484d175f337d717235

SHA512
ff4cae88022f2a686d33629d80999fde444ede2755f3868a4096bde2b08360da8387ac046e116bf5e6d6bc7b4a352b33ebefc606502f7ffb41c440d638f2e07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473370101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473380101\mTk60rz.exe

Filesize
11.6MB

MD5
e717d08f2813115fea75f3423b85bbce

SHA1
38da94cd4447748b80e919c13108ac61cd67c486

SHA256
cf7e773ff75c1b2f3df3a804eef95b68e5f9e5c3954cb60e85916da9512757c1

SHA512
b6912bd37710a68e754822c50d4ad9b5dd359b52bc226ea699829af36161dc2ce69014919f0a8cbfe2211ceb8de2128eed2169d2e92f577405234b05191c822f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473390101\95e465375a.exe

Filesize
1.8MB

MD5
4be2eb8946c8efd4fcf31c662a91fafa

SHA1
b25b928cd4e5f090613bda67a9a40ae18c57db3a

SHA256
652f1c890566dec2fef9fd2b444a28d1cc367d954a71b2bb8b5c0702fed6dc04

SHA512
7067572063aa8310c6d5f47cfef873b7a4cbfc0860b9de0ef4db74ec3ff5af7d15dfe5f3b6ddd99b27d7110672f148581d5b1044b8c20c77093a4bd8b380ccef

Download Submit
C:\Users\Admin\AppData\Local\Temp\674187\Constraints.com

Filesize
1KB

MD5
5039e428b91cef38ecb9024ab020c300

SHA1
ae4a2f972e1d2a345cfc1f4aae25f02e226c6f8b

SHA256
4a5a00983722db1188e1d333803b3a1c9d002c5acf9eb7c01b019bfeb966d711

SHA512
1662f0e702f0b160c1488d8c1476560c7ee8c37347f7989a0e1baa1dad223fa498da89dd65fd6e0a72e5a80cd866d1a9ae7d14f4ba44bec73c78b10bf15e2716

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bc.wbk

Filesize
24KB

MD5
aee7816472439f47b4aa818ff773dc5c

SHA1
a87fbe8ffd5323e789712d19318d2d0e72554a0e

SHA256
1ac3ccd1e88fb7649020227e8ec53d33f8f70f5a1a987f003c4c8846f14e9e9a

SHA512
730f55d5d06acdbc271706aed70e233ae53cd6a4db3c7e186caf02df0c2a385ac605199f78b9c46c5bd1cdaf52cb9efdd8b8c71f5673e791d696ae7a17beb433

Download Submit
C:\Users\Admin\AppData\Local\Temp\Funky.wbk

Filesize
477KB

MD5
9ab3d5764480ba983291e94acd33d14f

SHA1
9d76d8ce4e2ad638d792550168f9f1dfa40a261a

SHA256
14b9e0bd1dab1ee4388c088537413c9c6032f665c42a099337ddefb52c7681af

SHA512
a233431293a9802547479f31f7259fdc9057ae7534aa104e4b6f3c0d0966bf0914128860e25944fc0ecdfbee7e56493f32fe9b373e8ecaba0341af28b2eb1690

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tournament

Filesize
1KB

MD5
4fdd1d162f372b618d23d7812605066e

SHA1
9a7b01a191d0e3c01bce85d9aa79ef6a2fcabf1a

SHA256
6c80f1a4143030374f2bcabb2b7247f250bc4bd98f2526696f620238acbd5ae1

SHA512
cc443ccf0f3cbbbcc7461c5474bd845134e6297fa2fd1766d0860eaadaef58cfe5c5e147bc19ffad132b5afb2f1d029c5354d97d1c72aeae61f91ae046cd7608

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a4eseaaa.qxb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
211061571cf1b60208209fa2204b3035

SHA1
570b171d6cbbae798b86f664b566763be8c15e48

SHA256
a13e7faae122bc102b08a43756324af72cd2bae5a5a4817f31b75a1f6fe5e170

SHA512
35a9b350cb7f1131c60f8ab86cf14b07d858e9d7c37cc6ba59ede151b695017f484249bdcb87dd0329267960a52a4121aab6e3c176d096d16c98550abaef06e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir6672_1059806040\44e981e5-49e3-4279-8f4f-f6e7932d4a24.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{45150a05-6952-420f-9d0d-3f5424a7bbd4}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Windows\System32\drivers\klupd_9e186137a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
memory/1260-108-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1260-19-0x0000000000631000-0x000000000065F000-memory.dmp

Filesize
184KB

Download
memory/1260-18-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1260-193-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1260-20-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1260-21-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1260-55-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1260-75-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1260-24-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1260-23-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1260-22-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/1524-262-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-258-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-219-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-235-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-240-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-210-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-211-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1816-272-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/1816-271-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/1816-274-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/1816-273-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/1816-270-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/1816-263-0x0000000140000000-0x000000014043E000-memory.dmp

Filesize
4.2MB

Download
memory/1816-266-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/1816-267-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/1816-268-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/1816-265-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/1816-269-0x00000000008A0000-0x0000000000A28000-memory.dmp

Filesize
1.5MB

Download
memory/2560-188-0x0000024D93480000-0x0000024D934A2000-memory.dmp

Filesize
136KB

Download
memory/2748-169-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/3316-0-0x00000000003C0000-0x0000000000884000-memory.dmp

Filesize
4.8MB

Download
memory/3316-17-0x00000000003C0000-0x0000000000884000-memory.dmp

Filesize
4.8MB

Download
memory/3316-1-0x0000000077D74000-0x0000000077D76000-memory.dmp

Filesize
8KB

Download
memory/3316-3-0x00000000003C0000-0x0000000000884000-memory.dmp

Filesize
4.8MB

Download
memory/3316-4-0x00000000003C0000-0x0000000000884000-memory.dmp

Filesize
4.8MB

Download
memory/3316-2-0x00000000003C1000-0x00000000003EF000-memory.dmp

Filesize
184KB

Download
memory/3984-53-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3984-54-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3996-92-0x0000000000060000-0x0000000000500000-memory.dmp

Filesize
4.6MB

Download
memory/3996-90-0x0000000000060000-0x0000000000500000-memory.dmp

Filesize
4.6MB

Download
memory/4080-57-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/4536-172-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/4536-218-0x000001D4BE510000-0x000001D4BE581000-memory.dmp

Filesize
452KB

Download
memory/4536-182-0x000001D4BE510000-0x000001D4BE581000-memory.dmp

Filesize
452KB

Download
memory/4536-181-0x000001D4BE510000-0x000001D4BE581000-memory.dmp

Filesize
452KB

Download
memory/4536-180-0x000001D4BE510000-0x000001D4BE581000-memory.dmp

Filesize
452KB

Download
memory/4536-173-0x000001D4BE510000-0x000001D4BE581000-memory.dmp

Filesize
452KB

Download
memory/5864-73-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5864-74-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/5864-150-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/5864-23851-0x0000000006F80000-0x0000000007524000-memory.dmp

Filesize
5.6MB

Download
memory/5864-23850-0x0000000006930000-0x00000000069C2000-memory.dmp

Filesize
584KB

Download
memory/5864-72-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5888-23964-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/5888-248-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/5888-234-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/6412-24294-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/6424-28112-0x0000000000400000-0x0000000000CE3000-memory.dmp

Filesize
8.9MB

Download
memory/6424-28270-0x0000000000400000-0x0000000000CE3000-memory.dmp

Filesize
8.9MB

Download
memory/6832-28761-0x0000000000650000-0x0000000000B00000-memory.dmp

Filesize
4.7MB

Download
memory/9672-28771-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/9672-28779-0x0000000000630000-0x0000000000AF4000-memory.dmp

Filesize
4.8MB

Download
memory/13244-25270-0x000001FB3EAA0000-0x000001FB3EBAA000-memory.dmp

Filesize
1.0MB

Download
memory/13244-28067-0x000001FB3EC10000-0x000001FB3EC5C000-memory.dmp

Filesize
304KB

Download
memory/13244-28066-0x000001FB3EBB0000-0x000001FB3EC06000-memory.dmp

Filesize
344KB

Download
memory/13244-28076-0x000001FB3F550000-0x000001FB3F5A4000-memory.dmp

Filesize
336KB

Download
memory/13244-25269-0x000001FB24500000-0x000001FB245A8000-memory.dmp

Filesize
672KB

Download