hxxps://github[.]com/Illegal-Services/Illegal_Services[.]git

Resubmissions

21/02/2024, 11:24

240221-nhscqaeh95 8

Analysis

max time kernel
210s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 11:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Illegal-Services/Illegal_Services.git

Score

8^/10

evasion upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1604	attrib.exe
2284	attrib.exe

Loads dropped DLL 15 IoCs

pid	Process
2356	bookmarks_parser.exe
2356	bookmarks_parser.exe
2356	bookmarks_parser.exe
2356	bookmarks_parser.exe
2356	bookmarks_parser.exe
752	bookmarks_parser.exe
752	bookmarks_parser.exe
752	bookmarks_parser.exe
752	bookmarks_parser.exe
752	bookmarks_parser.exe
1664	bookmarks_parser.exe
1664	bookmarks_parser.exe
1664	bookmarks_parser.exe
1664	bookmarks_parser.exe
1664	bookmarks_parser.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/916-371-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/916-378-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/916-379-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
117	raw.githubusercontent.com
46	camo.githubusercontent.com
94	raw.githubusercontent.com
95	raw.githubusercontent.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
776	timeout.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
4452	tasklist.exe
1992	tasklist.exe
4852	tasklist.exe
3388	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529883010513323"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1044	chrome.exe
1044	chrome.exe
3516	msedge.exe
3516	msedge.exe
2344	msedge.exe
2344	msedge.exe
4792	identity_helper.exe
4792	identity_helper.exe
2652	powershell.exe
2652	powershell.exe
4396	cmdbkg.exe
4396	cmdbkg.exe
3404	chrome.exe
3404	chrome.exe
4136	powershell.exe
4136	powershell.exe
2992	cmdbkg.exe
2992	cmdbkg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1044	chrome.exe
1044	chrome.exe
2344	msedge.exe
2344	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe
Token: SeShutdownPrivilege	1044	chrome.exe
Token: SeCreatePagefilePrivilege	1044	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2136	Illegal_Services.exe
3796	cmdwiz.exe
1804	cmdbkg.exe
4396	cmdbkg.exe
3112	cmdwiz.exe
3472	cmdwiz.exe
916	extd.exe
2720	cmdwiz.exe
4984	cmdwiz.exe
848	cmdwiz.exe
4048	cmdwiz.exe
1740	cmdwiz.exe
4620	cmdwiz.exe
1592	cmdwiz.exe
3652	cmdwiz.exe
1440	cmdwiz.exe
2652	Illegal_Services.exe
916	cmdbkg.exe
2992	cmdbkg.exe
4036	cmdwiz.exe
1700	cmdwiz.exe
772	cmdwiz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 4936	1044	chrome.exe	47
PID 1044 wrote to memory of 4936	1044	chrome.exe	47
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 396	1044	chrome.exe	90
PID 1044 wrote to memory of 368	1044	chrome.exe	91
PID 1044 wrote to memory of 368	1044	chrome.exe	91
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92
PID 1044 wrote to memory of 4424	1044	chrome.exe	92

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
808	attrib.exe
1604	attrib.exe
3388	attrib.exe
2284	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Illegal-Services/Illegal_Services.git
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedbf99758,0x7ffedbf99768,0x7ffedbf99778
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:2
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:8
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5348 --field-trial-handle=1880,i,1879446469843160786,15325375501799491653,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Temp1_Illegal_Services-main.zip\Illegal_Services-main\Tutorial.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffecaaf46f8,0x7ffecaaf4708,0x7ffecaaf4718
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13596663278098798721,17713518920855816988,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13596663278098798721,17713518920855816988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13596663278098798721,17713518920855816988,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13596663278098798721,17713518920855816988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13596663278098798721,17713518920855816988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13596663278098798721,17713518920855816988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13596663278098798721,17713518920855816988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\Illegal_Services.exe
"C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\Illegal_Services.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8IJEK507.bat" "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\Illegal_Services.exe" "
  2⤵
  PID:4740
- - C:\Windows\system32\attrib.exe
    attrib -s -h "C:\Users\Admin\AppData\Local\Temp\8IJEK507.bat"
    3⤵
    - Views/modifies file attributes
    PID:808
- - C:\Windows\system32\attrib.exe
    attrib +s +h +i "C:\Users\Admin\AppData\Local\Temp\8IJEK507.bat"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1604
- - C:\Windows\system32\findstr.exe
    findstr /v "$" "C:\Users\Admin\AppData\Local\Temp\8IJEK507.bat"
    3⤵
    PID:4452
- - C:\Windows\system32\findstr.exe
    findstr /v "$" "C:\Users\Admin\AppData\Local\Temp\8IJEK507.bat"
    3⤵
    PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp
    3⤵
    PID:4092
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:2800
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /z "Illegal_Services.exe" nul
    3⤵
    PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c forfiles /m "Illegal_Services.exe" /c "cmd /c echo 0x1B"
    3⤵
    PID:3956
  - - C:\Windows\system32\forfiles.exe
      forfiles /m "Illegal_Services.exe" /c "cmd /c echo 0x1B"
      4⤵
      PID:4984
    - - C:\Windows\system32\cmd.exe
        
        /c echo
        5⤵
        
        PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c set
    3⤵
    PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
    3⤵
    PID:5080
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
      4⤵
      PID:908
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
    3⤵
    PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language" /v "InstallLanguage"
    3⤵
    PID:4400
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language" /v "InstallLanguage"
      4⤵
      PID:1440
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language" /t REG_SZ /d EN /f
    3⤵
    PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
    3⤵
    PID:4700
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
      4⤵
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Personal"
    3⤵
    PID:4296
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Personal"
      4⤵
      PID:3944
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:3852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell /?
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4088
- - C:\Windows\system32\where.exe
    where mode.com
    3⤵
    PID:4576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\Console\%%Startup" /v "DelegationTerminal"
    3⤵
    PID:3144
- - C:\Windows\system32\find.exe
    find "{00000000-0000-0000-0000-000000000000}"
    3⤵
    PID:1276
- - C:\Windows\system32\tasklist.exe
    tasklist /nh /fo csv /fi "imagename eq WindowsTerminal.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1992
- - C:\Windows\system32\find.exe
    find """WindowsTerminal.exe"""
    3⤵
    PID:432
- - C:\Windows\system32\mode.com
    mode 125,19
    3⤵
    PID:2180
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe setquickedit 0
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Username"
    3⤵
    PID:3708
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Username"
      4⤵
      PID:640
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Username"
    3⤵
    PID:3084
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Username" /t REG_SZ /d "Admin" /f
    3⤵
    PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Username"
    3⤵
    PID:2108
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Username"
      4⤵
      PID:1888
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Username" /t REG_SZ /d "Admin" /f
    3⤵
    PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul tasklist /nh /fo csv /fi "imagename eq Illegal_Services.exe" | find """Illegal_Services.exe"""
    3⤵
    PID:5048
  - - C:\Windows\system32\tasklist.exe
      tasklist /nh /fo csv /fi "imagename eq Illegal_Services.exe"
      4⤵
      Enumerates processes with tasklist
      PID:4852
  - - C:\Windows\system32\find.exe
      find """Illegal_Services.exe"""
      4⤵
      PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul dir "C:\Users\Admin\AppData\Local\Temp\????????.bat" /a:-d /o:-d /b | findstr /rxc:"........\.bat"
    3⤵
    PID:2020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir "C:\Users\Admin\AppData\Local\Temp\????????.bat" /a:-d /o:-d /b 2>nul"
      4⤵
      PID:2716
  - - C:\Windows\system32\findstr.exe
      findstr /rxc:"........\.bat"
      4⤵
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul dir "C:\Users\Admin\AppData\Local\Temp\URL????.url" /a:-d /b | findstr /rc:"URL....\.url"
    3⤵
    PID:2196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir "C:\Users\Admin\AppData\Local\Temp\URL????.url" /a:-d /b 2>nul"
      4⤵
      PID:376
  - - C:\Windows\system32\findstr.exe
      findstr /rc:"URL....\.url"
      4⤵
      PID:2800
- - C:\Windows\system32\where.exe
    where curl.exe
    3⤵
    PID:4712
- - C:\Windows\system32\curl.exe
    curl.exe -fIkLs -X GET -o NUL "https://1.1.1.1/"
    3⤵
    PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Proxy"
    3⤵
    PID:320
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Proxy"
      4⤵
      PID:3768
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Proxy"
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Proxy" /f
    3⤵
    PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl.exe -fIks -X GET -o NUL "https://github.com/Illegal-Services/Illegal_Services" -w "%{response_code}"
    3⤵
    PID:4136
  - - C:\Windows\system32\curl.exe
      curl.exe -fIks -X GET -o NUL "https://github.com/Illegal-Services/Illegal_Services" -w "%{response_code}"
      4⤵
      PID:2316
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Proxy" /t REG_SZ /d "https://github.com/Illegal-Services/Illegal_Services" /f
    3⤵
    PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistant"
    3⤵
    PID:916
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistant"
      4⤵
      PID:4724
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistant"
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistant" /t REG_DWORD /d 0 /f
    3⤵
    PID:3516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistant"
    3⤵
    PID:4296
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistant"
      4⤵
      PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl.exe -fkLs "https://github.com/Illegal-Services/Illegal_Services/raw/version/version.txt"
    3⤵
    PID:5036
  - - C:\Windows\system32\curl.exe
      curl.exe -fkLs "https://github.com/Illegal-Services/Illegal_Services/raw/version/version.txt"
      4⤵
      PID:1764
- - C:\Windows\system32\where.exe
    where chcp.com
    3⤵
    PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp
    3⤵
    PID:4084
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundBorderTransparency"
    3⤵
    PID:2060
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundBorderTransparency"
      4⤵
      PID:3440
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundBorderTransparency"
    3⤵
    PID:3272
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundBorderTransparency" /t REG_DWORD /d 1 /f
    3⤵
    PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundBorderTransparency"
    3⤵
    PID:4256
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundBorderTransparency"
      4⤵
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundDisabled"
    3⤵
    PID:2456
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundDisabled"
      4⤵
      PID:4596
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundDisabled"
    3⤵
    PID:1372
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundDisabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundDisabled"
    3⤵
    PID:2868
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundDisabled"
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundTransparency"
    3⤵
    PID:772
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundTransparency"
      4⤵
      PID:4824
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundTransparency"
    3⤵
    PID:3796
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundTransparency" /t REG_DWORD /d 10 /f
    3⤵
    PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundTransparency"
    3⤵
    PID:2108
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundTransparency"
      4⤵
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundWallpaper"
    3⤵
    PID:1260
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundWallpaper"
      4⤵
      PID:636
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundWallpaper"
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundWallpaper" /t REG_DWORD /d 6 /f
    3⤵
    PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundWallpaper"
    3⤵
    PID:2220
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundWallpaper"
      4⤵
      PID:3888
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdbkg.exe
    lib\cmdbkg.exe lib\backgrounds\background-6.jpg
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1804
  - - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdbkg.exe
      lib\cmdbkg.exe lib\backgrounds\background-6.jpg
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4396
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 500
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3112
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe setwindowtransparency 10
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "UntrustedWebsitesWarning"
    3⤵
    PID:1244
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "UntrustedWebsitesWarning"
      4⤵
      PID:4208
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "UntrustedWebsitesWarning"
    3⤵
    PID:320
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "UntrustedWebsitesWarning" /t REG_DWORD /d 1 /f
    3⤵
    PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "UntrustedWebsitesWarning"
    3⤵
    PID:4364
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "UntrustedWebsitesWarning"
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistantChoice"
    3⤵
    PID:4064
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistantChoice"
      4⤵
      PID:1592
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistantChoice"
    3⤵
    PID:2444
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistantChoice" /t REG_DWORD /d 1 /f
    3⤵
    PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistantChoice"
    3⤵
    PID:3296
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistantChoice"
      4⤵
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr /bc:"[First Launch]=" "lib\speak\EN.lang"
    3⤵
    PID:4384
  - - C:\Windows\system32\findstr.exe
      findstr /bc:"[First Launch]=" "lib\speak\EN.lang"
      4⤵
      PID:3232
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\speak\extd.exe
    lib\speak\extd.exe /speak "Welcome to Illegal Services. My name is Rose, and I will be, your personal voice assistant. If you wish, you can deactivate me in the menu that appears."
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:916
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\msgbox.vbs" "Do you want to disable Rose voice assistant ?" 69668 "Illegal Services"
    3⤵
    PID:1800
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistant" /t REG_DWORD /d 0 /f
    3⤵
    PID:2156
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "VoiceAssistantChoice" /t REG_DWORD /d 0 /f
    3⤵
    PID:3800
- - C:\Windows\system32\find.exe
    find """extd.exe"""
    3⤵
    PID:668
- - C:\Windows\system32\tasklist.exe
    tasklist /nh /fo csv /fi "imagename eq extd.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3388
- - C:\Windows\system32\tasklist.exe
    tasklist /nh /fo csv /fi "imagename eq speak-x64.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4452
- - C:\Windows\system32\find.exe
    find """speak-x64.exe"""
    3⤵
    PID:1604
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:776
- - C:\Windows\system32\mode.com
    mode 125,29
    3⤵
    PID:4592
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 5
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2720
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 5
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4984
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 5
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:848
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 5
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4048
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 5
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1740
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 5
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4620
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 5
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1592
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 5
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3652
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
    lib\cmdwiz.exe delay 5
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1440
- - C:\Windows\system32\mode.com
    mode 125,29
    3⤵
    PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "FirstLaunch"
    3⤵
    PID:4332
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "FirstLaunch"
      4⤵
      PID:1016
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "FirstLaunch"
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "FirstLaunch" /t REG_DWORD /d 1 /f
    3⤵
    PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "FirstLaunch"
    3⤵
    PID:3300
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "FirstLaunch"
      4⤵
      PID:4352
- - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\Illegal_Services.exe
    "Illegal_Services.exe" IS_BOOKMARKS_PARSER
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSKR2PDI.bat" "Illegal_Services.exe" IS_BOOKMARKS_PARSER"
      4⤵
      PID:2044
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Local\Temp\CSKR2PDI.bat"
        5⤵
        Views/modifies file attributes
        
        PID:3388
    - - C:\Windows\system32\attrib.exe
        
        attrib +s +h +i "C:\Users\Admin\AppData\Local\Temp\CSKR2PDI.bat"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2284
    - - C:\Windows\system32\findstr.exe
        
        findstr /v "$" "C:\Users\Admin\AppData\Local\Temp\CSKR2PDI.bat"
        5⤵
        
        PID:3092
    - - C:\Windows\system32\findstr.exe
        
        findstr /v "$" "C:\Users\Admin\AppData\Local\Temp\CSKR2PDI.bat"
        5⤵
        
        PID:3392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        5⤵
        
        PID:1804
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4092
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /z "Illegal_Services.exe" nul
        5⤵
        
        PID:2720
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c forfiles /m "Illegal_Services.exe" /c "cmd /c echo 0x1B"
        5⤵
        
        PID:4984
      - C:\Windows\system32\forfiles.exe
        
        forfiles /m "Illegal_Services.exe" /c "cmd /c echo 0x1B"
        6⤵
        
        PID:848
        
        C:\Windows\system32\cmd.exe
        
        /c echo
        7⤵
        
        PID:2356
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c set
        5⤵
        
        PID:4736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
        5⤵
        
        PID:1740
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
        6⤵
        
        PID:4620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Personal"
        5⤵
        
        PID:3816
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Personal"
        6⤵
        
        PID:3984
    - - C:\Windows\system32\chcp.com
        
        chcp 437
        5⤵
        
        PID:5008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell /?
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4136
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:4368
    - - C:\Windows\system32\where.exe
        
        where mode.com
        5⤵
        
        PID:220
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundBorderTransparency"
        5⤵
        
        PID:4192
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundBorderTransparency"
        6⤵
        
        PID:4008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundDisabled"
        5⤵
        
        PID:4616
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundDisabled"
        6⤵
        
        PID:2664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundTransparency"
        5⤵
        
        PID:3288
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundTransparency"
        6⤵
        
        PID:5048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundWallpaper"
        5⤵
        
        PID:3292
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "BackgroundWallpaper"
        6⤵
        
        PID:3944
    - - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdbkg.exe
        
        lib\cmdbkg.exe lib\backgrounds\background-6.jpg
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:916
      - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdbkg.exe
        
        lib\cmdbkg.exe lib\backgrounds\background-6.jpg
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2992
    - - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
        
        lib\cmdwiz.exe delay 500
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4036
    - - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
        
        lib\cmdwiz.exe setwindowtransparency 10
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c lib\cmdwiz.exe getconsoledim
        5⤵
        
        PID:1868
      - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\cmdwiz.exe
        
        lib\cmdwiz.exe getconsoledim
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:772
    - - C:\Windows\system32\curl.exe
        
        curl.exe -fIkLs -X GET -o NUL "https://1.1.1.1/"
        5⤵
        
        PID:2120
    - - C:\Windows\system32\curl.exe
        
        curl.exe -f#kLo "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html" "https://github.com/Illegal-Services/Illegal_Services/raw/downloads/IS.bookmarks.html"
        5⤵
        
        PID:4708
    - - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\binread\x64\binread.exe
        
        lib\binread\x64\binread.exe "lib\binread\x64\binread.exe" 0
        5⤵
        
        PID:3636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c lib\binread\x64\binread.exe "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html" 8
        5⤵
        
        PID:2996
      - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\binread\x64\binread.exe
        
        lib\binread\x64\binread.exe "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html" 8
        6⤵
        
        PID:2800
    - - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\binread\x64\binread.exe
        
        lib\binread\x64\binread.exe "lib\binread\x64\binread.exe" 0
        5⤵
        
        PID:1988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c lib\binread\x64\binread.exe "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html" 35
        5⤵
        
        PID:1992
      - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\binread\x64\binread.exe
        
        lib\binread\x64\binread.exe "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html" 35
        6⤵
        
        PID:832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul wmic os get Localdatetime /value
        5⤵
        
        PID:1116
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Localdatetime /value
        6⤵
        
        PID:512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "DBLastDownload" /t REG_SZ /d "2024-02-21 11:27" /f
        5⤵
        
        PID:4940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "DBLastDownload"
        5⤵
        
        PID:1820
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "DBLastDownload"
        6⤵
        
        PID:3424
    - - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\binread\x64\binread.exe
        
        lib\binread\x64\binread.exe "lib\binread\x64\binread.exe" 0
        5⤵
        
        PID:1616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c lib\binread\x64\binread.exe "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html" 35
        5⤵
        
        PID:2092
      - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\binread\x64\binread.exe
        
        lib\binread\x64\binread.exe "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html" 35
        6⤵
        
        PID:1384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul certutil -hashfile "lib\bookmarks_parser.exe" SHA1
        5⤵
        
        PID:4644
      - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "lib\bookmarks_parser.exe" SHA1
        6⤵
        
        PID:2776
    - - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\bookmarks_parser.exe
        
        lib\bookmarks_parser.exe -h
        5⤵
        
        PID:4912
      - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\bookmarks_parser.exe
        
        lib\bookmarks_parser.exe -h
        6⤵
        Loads dropped DLL
        
        PID:2356
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c lib\bookmarks_parser.exe --list-folders --list-index --extended-parsing --folders-path --quoting-style "'" "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html"
        5⤵
        
        PID:3252
      - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\bookmarks_parser.exe
        
        lib\bookmarks_parser.exe --list-folders --list-index --extended-parsing --folders-path --quoting-style "'" "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html"
        6⤵
        
        PID:3976
        
        C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\bookmarks_parser.exe
        
        lib\bookmarks_parser.exe --list-folders --list-index --extended-parsing --folders-path --quoting-style "'" "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html"
        7⤵
        Loads dropped DLL
        
        PID:752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul set root_path_[
        5⤵
        
        PID:1344
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul set untrusted_website_[
        5⤵
        
        PID:3424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c 2>nul set url_[
        5⤵
        
        PID:4584
    - - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\binread\x64\binread.exe
        
        lib\binread\x64\binread.exe "lib\binread\x64\binread.exe" 0
        5⤵
        
        PID:1152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c lib\binread\x64\binread.exe "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html" 35
        5⤵
        
        PID:1384
      - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\binread\x64\binread.exe
        
        lib\binread\x64\binread.exe "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html" 35
        6⤵
        
        PID:2192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c lib\bookmarks_parser.exe --list-index --extended-parsing --folders-path --quoting-style "'" --folders-all-case_sensitive "Doxing" "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html"
        5⤵
        
        PID:3660
      - C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\bookmarks_parser.exe
        
        lib\bookmarks_parser.exe --list-index --extended-parsing --folders-path --quoting-style "'" --folders-all-case_sensitive "Doxing" "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html"
        6⤵
        
        PID:2776
        
        C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\lib\bookmarks_parser.exe
        
        lib\bookmarks_parser.exe --list-index --extended-parsing --folders-path --quoting-style "'" --folders-all-case_sensitive "Doxing" "C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html"
        7⤵
        Loads dropped DLL
        
        PID:1664
- - C:\Windows\system32\mode.com
    mode 125,29
    3⤵
    PID:808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "FirstLaunch"
    3⤵
    PID:1476
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "FirstLaunch"
      4⤵
      PID:428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x220 0x484
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9eef9735c17c9f3a01fc0c62f7bae2d2

SHA1
b18a5d94129e335bd82186890b96b52d7323c307

SHA256
e2b0c932ea69cf08aab0d4513d37861b157ad3bd958c3698cd164cac9996b3fa

SHA512
379efd6bd2a311605f5d0df17c7b330bf12b4154c9aadea3c0f13f9f90d31f6cc7440eefab1dddfe4f0966b75ed04cfa9be3fbe2b2ab0b9ca017210ddffed199

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
494c45cc791a126e7b43f26469f8a6e6

SHA1
9a34b7f2221629800d1378e19382641507de4bac

SHA256
e8a5f5971130b331ce7e48435fab6b0dc7ff103324c5ab5ab31d8cf3f820ef3d

SHA512
bcbb9dc6ef5202f9fc2ed9e6cebb54ed4f27624ee2982174cbf5c5945332ef591c3953bfd98842d22aeb8570826c8ff690b51c0f48c8801d2b23e71165224aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9b41966c2fedd2ac113d95d9a90cb8b1

SHA1
e441df3432d742404515d04d4eec100e0fe7cadc

SHA256
b41dbfe8a0801b1e23662efbe0d4177aee7bf30c11e10d406147a1d2ac926aab

SHA512
677bbb8e8bba2ed836c3c310a9cc9bacb6b9422b0f2119067498b5a8568410e17093b9a2fb3128872d703fd9ceceaeb1250fc8078a399ec1686d35cd63987e0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
db4cd4ca51871be2f096a305767bc4e2

SHA1
f4f45d6f81ab75b623806af23b0275118677f610

SHA256
9fe7b5e8d6ab8e9971ebca64d027a6bc3ca91787d492490d7ca50be47b0b9017

SHA512
f63b66004bdc34b332b5e7b6c35a6eeca10c8966b3b1c6a7221548cf2dcc9a582d14ac9d14173987f6e1f7aaacd64344d8463f1597e1ab206cf0f870b409f471

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
475f6a41bf491f5c19be80e1e98abacc

SHA1
6b6cbb24267d9a624e66755b8ae31a13ff4620d3

SHA256
d71a382aba25241bcad0750cdb5098b321137c63676d56c027364311687a2bb3

SHA512
30fc58ce5f3064319997feb367a0125f265fea2ce45eeebf109e7d4f61c480ac09da0bc1e283e8b450ee4e18add08a4a6457451e4e9deed6d9e7f30d4d9766bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
96b4ded4d4d9de9fae67d6e00373c87d

SHA1
594f0b9a52e1fe48689330822c9b3e418b81f5f3

SHA256
241e7661b7b0217d79d3bd9337b058c1cb1b634e0af4c9810e2c73b64e4c396f

SHA512
c0af2da4714c1cd3b1addd08c93b156be2112e3c88cf88bdbb5ad4a50d9205e9724e403cb3678e114903890f80b791eb72be38e79295a649db6c85f44701b5e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fc6a69247acc5a75561744a1b464b379

SHA1
0cf87a9beff49675eda49772c5f7631567d49407

SHA256
476baa42f4bdb8de01b10c5756129e06685289b8679066f562225815de67226a

SHA512
a71ae25326bd435b6b7dd619cc69226a409dc4df5b06e82f83b05871c9c86e388af9faa6167f6fd62c70ef0059b6a18e3d380ed28a3ab24a1816923d3a4d6a28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d6b37bdcafb8903febdc109dda276afb

SHA1
fea11a2539f7e91e32914608ada130ac8d10d9dc

SHA256
859e3eb93593c58058ab98f2012ecf14a7a0c75e691d11b35a9d589da9792563

SHA512
10ca353757a24721046f25fbd20fe8eaae8c1f2dd690a107927b37539702a585fbf52be2f2dd4eb6aaf6c016de086d586d7552ed7b68a438f0339789c70d7d30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ed4b44eadf09ec661b654fb513ffbdc7

SHA1
e42bf9c5db8a13cf952366cdef1075e6a944885a

SHA256
dfa89325463ddd8c27b916edf67117a0a12107d6d26e5571436bad189da97192

SHA512
75ecec45691e041c869d1d717cb6c6e9d2e14e56563a719b11547e19dd85441f2f77a88767cbe737b07b46b4767bfcbbad08371dca573bf3aff2f347844c627d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b654cd6a8b231353647616db0e44961d

SHA1
106aebf00c888eed77fa431af109dffa8fa97157

SHA256
dd0bab6fad9d3fab892cfd0975ef09072c0ae877875ce2809ef5c9250c1df06a

SHA512
68f13c29516b63eedbb8f6808c37cf08f40084dc3018470283b89e61c61b83d0c02a8935055a32c19d79eeb74a46b05bfcac383233f564830fcb5b80b30d841b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
06e7d5b99da8a78d865188350ad42a86

SHA1
2874baa63922165d973f1a885d698cb5364075d2

SHA256
8d31a1048263be46d5f88091fe89bfcd24574f621fd4c6728f23d67b752595a5

SHA512
4af8a34d3aa4085dec8d8121eca7f19e58fe023a6c24670e4107fe9a82ce67d10c697a0dc655ee76f5767294973c5b169dd648bfd3b314cebd00595963437f06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9033c72732fea9362ed444b01ec6e690

SHA1
c0ef84647046863eb5813a2ec4cd2ec22efdcf41

SHA256
efe36c4dde13f5ddce49f932495ff11a77f965ace358e808249c55e49e8697cd

SHA512
ffa5fc1fd8a2c8b4e18936ffbd47d55dffda23ebcf40625901f1e2d336b95faa3905b4066335c9e637707ad3e70f5fe6a48556be5d14d3894eb6dfe5650015a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
1a3388aa1508d2b90f1608ce053aa9af

SHA1
20f29830c68862da86ef7a3733f6c449d874a4d5

SHA256
8f3add7a45077b44906c2a9eaecda500a0c79da9a8493b9d68a640b6979674d4

SHA512
a31231b8d9ac521fd4a038c29fedaa34171e3cb7d5b8c1ffa216f5d9eb28f90c5f77d9b0f0baf595896a9c17e8a2a6e714ed91eaf5c97d3d01d5fb403a7d1430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
cd7f8b19c6d775c68956122796b7a7c2

SHA1
90aea2c0e415cded049d4faf3968d1b409f9055a

SHA256
08301133b160078c3c2b6d212e1163400dfa16e016d0e57f0bae8af8eeca4292

SHA512
d21cb1c194c2ad8b893f16bfcecb42bf6a9db7291e613cd1da4ad1d529437baadf9dcfb60a2026d5be45f6cae4aa983ccc04fc930d157466248b1285f56efe9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
7bb1664cd36a3f27e3e0ce4eb87f33b4

SHA1
7503040a30a4524d4d5576feb5e7cf7aa6e507a1

SHA256
9c213d061067966a378030172ec2a60d8de6d87567ce3ab5d64da7279ea6e4bc

SHA512
66810d38b22aba8abef77e27e31678b4c421db2f910593a96b6032190ba5cc12234234b4bd7bcd68e70a79e789179b1bd078cf4ca59f41ae92248294b7685a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c3fc.TMP

Filesize
96KB

MD5
fa61a40885ce65baab66f5e2bca3d3df

SHA1
d68a332734b634b81930000f9a3c883c40f17efe

SHA256
72401c21e7b655f59be20b770dd67fb3490b1aa03fa309a139bb2da3b2a929c6

SHA512
f730613701d9db7f53cda4b51b500fa8c2cb2f98171cb62a5f3b0a825fe2a0d98a6d267cd9416f97912d2d3926bedf446076e2823f6dbbe5a6e24543e4d404fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
25d7ac29d798600ddc5fd880b162958b

SHA1
a2ba91e14155cfa5c26670e17ac606f3f28b0be2

SHA256
3c6d5ecae46dd9f6756e444bc51635cdd9696f3ed9fe0601cf41059a04085f88

SHA512
d91a9028c0fdf3761edbccddaa460573281b7d390efc7dfe3ebef46ce5ede53d36a7148c523e312b5daedc91c11cdb2cc8d0f8b475339cd35dba044595778d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f6a4b84d93993fde98d6553834416b

SHA1
4b4a227af10826f5a2f2e9b232ddb0336b3066f1

SHA256
843a9671b3fab9337d8d600e170f9ac8b200a2faf63b5a8cd16f157bcf73c21d

SHA512
ccfe39c47109dbf71c74ff6950526be7fcd521462f80e69e27388a9757d7f1adebf5f723c46b1631ffe3e2b4aa5829655d556bff8bd7e0f9f87fca46545bfb97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3300b8028991d6e234684db7803b66f9

SHA1
96df26150566233e1e0201bf17b4ea896861862e

SHA256
5b7786b5ae4ba62b88bdbd0992a8fd96b37e4c7068e2fd23d0b33acf769d00cc

SHA512
2f2dff4c24d4fd60160f70d544059bf02eca983309ff46bb7a1cb4d7c413e291c1520842e1922be55a4058380cd041cb6b4d9e70cdc5e4e00880fe13472df031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfef4f016a65325fd9cbba0c98ec41c6

SHA1
5bda5b26d231eb2ce83436b47f17517dfd9a4e1c

SHA256
0829fd8ee1f7d551f9deda0fe68f7ae1a60eef6ecb1471b76bff9fe02ecbc00b

SHA512
cac4826f245818db6ba1900b45629f431aa11559be432303389e3e4ebd04e7afaf5b2e521427495637d5b1f24fe10afdcd8906f24f4a3ed155df7655ee338db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5bc5e814cb369929f690f2c1ec18851b

SHA1
674b6e239b2908f5d7e20923ccc576599c7ceb33

SHA256
11a3ea5cd1186bbe09a8f1fdd6b7aedca51cc86b4888ab459f360ecec8e28e42

SHA512
b6bda3639c0aedf9aebe4b06b7006caf58fb2af7a08dbdf3cb009345960da153fb9ee10e29d3739a0e02a9afb91ff650769bdf8eef604390dba8b238117f2e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
926b5c19c4f37af91146d8203079732d

SHA1
1fc8e994c700b7177d0f88954419ad2d413464a3

SHA256
e003f0a78f477d6beb5ff6e927a459052060e51a8b40e3e642c7d55c36b0b085

SHA512
5c83a21496c6f9bc65a589eb725f02cce26a779ce197c0e37a35356023ec2b89a1682fb952649597035a046d76e3a1b28dcef347e3e0e055924b809aab1cdd9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8IJEK507.bat

Filesize
265KB

MD5
598ba6708a1c06f0bb11fedc03853f98

SHA1
a66aa6c50201202fcd91dd68a5f00cb818d2fd9f

SHA256
2a2bf04251618e31c24379d3561ea75158235b1ef370ec2de9bfc1b576e376fa

SHA512
ba94a96816f55b56c921a8da7145f04e2a85ad2cb6a9403139a516d57343bd8996eacc6b0a15017b2421e0e9dd437c5ec8fa6618ebb57a7542a905ffd83ef47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27762\python38.dll

Filesize
1.7MB

MD5
f97c911312ca2428c1477d0e328661fa

SHA1
e6dbb436e98b61f727d40886f831e2aeca58e8b9

SHA256
0866c10eccc43b3603a7007bbf25ab447f48ef140aa41c3f3d6d0b3c3a570fd1

SHA512
96c9f728082b59b4e9f7890118c5618b47b6b1ea80db39f8dd8998fe63ca3dbf8cbb440c95745afaa0d5a627d2b5942037ff84ea8c7b0cd97d507b472bade1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39762\python38.dll

Filesize
2.9MB

MD5
c825d4f0653888f6b320b8dc834559a3

SHA1
044764afaef208cbad52e13c29016b8cb98e2eee

SHA256
5c7b456dec8ffa362c055d270f778254e20aed16bc0f2ed8f43beaf691b913b6

SHA512
bfa55d7a4497276360405373322c57eefc6f1b2b847f973ac8f50697956c662cc15df0c6e43ac21deaa1002671306589b6a97fe3f0910a1df3626cc49bccaa44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39762\python38.dll

Filesize
2.2MB

MD5
2e5446a090e0fc53fb2cc753db373f8e

SHA1
0d6cf2afb46961a07c21fb81fc07428e967b5362

SHA256
648b6136de218563d62a09070bdc579d221cb1421d9d0c7acfffdf0bafba783c

SHA512
d3dcedbf0992116633fef4785ce21090d456de398d6a3674bf045999830820a4df5b1da3efc128d28e1c885d4cb7b31571d486ad52dbe36e6b53d374dcc08e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39762\ucrtbase.dll

Filesize
704KB

MD5
55ea699a6e17daf1de7fc55cb8384141

SHA1
6d682d3721ed33ddb08cd2bd5a2241173d7a9f44

SHA256
ce9657eb5bf3505555548e675a14784d97f531c47553177c418ec9415e0f44c6

SHA512
5202b204d0c754eff7fc29248d968649bf2106fb2361a9e6c0cf7c57a2d7ed67f1c89a068844532a3bdfbb12dc6cbc5e2dbe4896336d64f1580446c1322b9c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\VCRUNTIME140.dll

Filesize
81KB

MD5
5116fd80399d5af500badb186c866cde

SHA1
8dfbcdd296383aebc039058101aac1ae408e5152

SHA256
1e5dc86e122379740724621890a1ba1b18252c745631a6dff862aa7723a1f99a

SHA512
e41b71380fa49743f1efcc920276dbf1b2f7f5db5771f64a4d2ff18039c124efdb3b7d3fa66eda2c47b21012abe1186eade388b38dcaa7e8417707be546c65d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_bz2.pyd

Filesize
70KB

MD5
69571f3b3b8a1101515e4aee7f080cd1

SHA1
67cbcbac47499b15a60343b67a80cd16c4a9c197

SHA256
7a9c1b992529281ffc38944580dd858e85d4a76620c768839fb7fb7c21771989

SHA512
5b110ce65a93e03205fc4bac5fb2c83e3f67aae1e84a1d5503589ce43e843c29a31379c013e43533c84e70c0a82e5db8fbe63a678e20b8cefa515199bc599c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_lzma.pyd

Filesize
137KB

MD5
76677f460125603976656f78b8af6b56

SHA1
0664d710ef55f5c58178ce44c185a4c0ad10a31a

SHA256
a8f71849e92ef2455488b5a9334bd0c378b92f75b089b3eddb284c0ca545060a

SHA512
60a8d0c95553700ad5c18f4c5fc5475e22c8d42ccbe7bc26530649695e18cecf2202c55bd4c7d3a943a018f6737b9ef262f52cf75c5e8df63d72eca40fcff442

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\base_library.zip

Filesize
1008KB

MD5
3c39f09efc25551e8d79d60ac23d205c

SHA1
c965fc04fbf09de3cf012dd8171c707d717da537

SHA256
52e1825807e78e761671a757848e3eac5f1c19fd26b1e238846b4086d0b01809

SHA512
63323c079dd880058c3a1af8c6dd6df969d3b662a358b1b09273c401cd7cf2e0c1dbfa6cf65b5df201aaaa11c46188a2e13ec909cdfd8e1263cb1b129ddd06ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\python38.dll

Filesize
3.5MB

MD5
21af5002786204a0fce0ebab2643f12a

SHA1
b9920ca2c11205186e77b8d35021137c474abe91

SHA256
d65d664fca161565b20e114a6b6ddb0cec7cfcb7d6f04d431fd64cdbeeed48b7

SHA512
76ed9de199ac156853126ea74016dead74a14223fdf9688bb7cf2be191caa76c70fcc4d8577264b98f386270b56a83454636581bf06f7f905e8ca1dea6386cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\ucrtbase.dll

Filesize
249KB

MD5
173521b95831ea95ece1a6da7ce01e26

SHA1
e55775f7ee92c970737adbc3a7849251e2eb42ad

SHA256
bea270d46c122bb33051273ac3d5c840baf6c98299f5f62c21535a1d52e551f2

SHA512
5402f82a9b74d3bfc90874787f104694e2d49c542d2d7de8d91797570206b59bcdfe86658d1d6bf52871d58c8c6b0f0bcf6afb26aad8f4ec6d7d9acab95dc56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\ucrtbase.dll

Filesize
893KB

MD5
a924b24d71829da17e8908e05a5321e4

SHA1
fa5c69798b997c34c87a8b32130f664cdef8c124

SHA256
f32a61d91264aff96efd719915bed80785a8db4c8d881d6da28909b620fe466f

SHA512
9223ec0e6e0f70b92473e897e4fd4635a19e9ca3aff2fe7c5c065764b58e86460442991787525ed53e425ecd36f2881a6df34c35d2a0e21b7ac4bc61bf1cbeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hihxpnjg.42x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgbox.vbs

Filesize
159B

MD5
90b924c8d449073b02af7b0d83f50983

SHA1
9e3ef2591194004f256146f1632531e8bf846372

SHA256
9317acb89938472a8e7af2fa7d93bd503c5fc95b0f31ea64b558ae859eac36c6

SHA512
0d14616dcf5c39c44b5863d9810abe9ef8fc84744316345d7240d01115d09057f427c870588b1d116bde77e10bffe45fc842c710b54a5db93f420ea2bf78cd45

Download Submit
C:\Users\Admin\Downloads\Illegal_Services-main.zip.crdownload

Filesize
10.6MB

MD5
04cd1594fe255e12c87fbc0c7204eb28

SHA1
34f7b3d7489215596c25a0655b918e2e12d82220

SHA256
c1981ef171205573e3e1eacb1bc138fb6998cd13ade6edbfd67242e2a2b17d38

SHA512
a16b1b8547959c74a95048c441ea435dcb53220a9f3420315a63b0afceb118ef0e6708de7e17415996030108d0917e6517214b41e0c5a0e3bb3ca0eb208bb2e5

Download Submit
C:\Users\Admin\Downloads\Illegal_Services-main\Illegal_Services-main\user_data\IS.bookmarks.html

Filesize
1.5MB

MD5
5a6c923685ba09b368fcada1da0fa224

SHA1
4bee4e2f81a9be8c72cfef342f2cdf204c2f052a

SHA256
fb07700b6ef6275310eb3b501995d41f4827f329b8ae6b46bb060ba2fc6edbb3

SHA512
50c4a9402d881579b06eb5daeb07ed2c25f6772e144ad9fc1c0b612f486a7a1162e1fb1e32402c3b2aa4da2693b993919bbbdc62dc3169bf8b4a1213a76de789

Download Submit
memory/772-486-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/848-429-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/916-371-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/916-379-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/916-483-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/916-378-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1440-435-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1592-433-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1700-485-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1740-431-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1804-368-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2136-375-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2652-415-0x00007FFEC86F0000-0x00007FFEC91B1000-memory.dmp

Filesize
10.8MB

Download
memory/2652-660-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2652-354-0x00000174EF320000-0x00000174EF342000-memory.dmp

Filesize
136KB

Download
memory/2652-364-0x00007FFEC86F0000-0x00007FFEC91B1000-memory.dmp

Filesize
10.8MB

Download
memory/2720-427-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2992-706-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3112-369-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3472-370-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3652-434-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3796-367-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4036-484-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4048-430-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4136-480-0x000001FF55250000-0x000001FF55260000-memory.dmp

Filesize
64KB

Download
memory/4136-479-0x00007FFEC82C0000-0x00007FFEC8D81000-memory.dmp

Filesize
10.8MB

Download
memory/4136-818-0x00007FFEC82C0000-0x00007FFEC8D81000-memory.dmp

Filesize
10.8MB

Download
memory/4396-377-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4620-432-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4984-428-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download