amadey | 3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Size

1.8MB
MD5

d29281e018d65bfa32ce438793eb3946
SHA1

bdf5938d91eeac019d4d02628ac5f742943f2a64
SHA256

3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d
SHA512

47757f87f4b20ff28ba0d2915f5a203199afaedeb8cc0f4fc970162f79b18a8302cc643755921ddc683c20a493787fa4ed134cff37ce35f16a68b0ac6a4eb85c
SSDEEP

24576:MhszjQCVRN8hoVF8ZxeG3BuiWkxAjpuVO8j4gZ6P3YEozPq8mc/zeH+j1vDUmcpL:4spKGsHeGxxWJj8VO8Ms6SPDe+j1s

Score

10^/10

amadey exelastealer lumma redline risepro 0e6740 @logscloudyt_bot e76b71 livetraffic newbild discovery evasion execution infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

4.185.27.237:13528

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

lumma

https://parallelmercywksoffw.shop/api

https://liabiliytshareodlkv.shop/api

https://notoriousdcellkw.shop/api

https://conferencefreckewl.shop/api

https://flourhishdiscovrw.shop/api

https://landdumpycolorwskfw.shop/api

https://barebrilliancedkoso.shop/api

https://willingyhollowsk.shop/api

https://distincttangyflippan.shop/api

https://macabrecondfucews.shop/api

https://greentastellesqwm.shop/api

https://stickyyummyskiwffe.shop/api

https://sturdyregularrmsnhw.shop/api

https://lamentablegapingkwaq.shop/api

https://innerverdanytiresw.shop/api

https://standingcomperewhitwo.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023595-236.dat	family_redline
behavioral1/memory/4352-259-0x0000000000850000-0x00000000008A0000-memory.dmp	family_redline
behavioral1/files/0x00070000000235a1-302.dat	family_redline
behavioral1/memory/2372-324-0x0000000000300000-0x0000000000352000-memory.dmp	family_redline
behavioral1/memory/5436-362-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7700de6bf0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
972	powershell.exe
5056	powershell.exe
5448	powershell.exe
5324	powershell.exe
5336	powershell.exe
668	powershell.exe
5276	powershell.exe
2352	powershell.exe
5292	powershell.exe
2760	powershell.exe
5360	powershell.exe
872	powershell.exe
2324	powershell.exe
2352	powershell.exe
5292	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5748	netsh.exe
1060	netsh.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7700de6bf0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7700de6bf0.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	explortu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	7700de6bf0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	38f0c3dd14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	NewLatest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	bin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe

Executes dropped EXE 34 IoCs

pid	Process
336	explortu.exe
2364	7700de6bf0.exe
4788	dd6917148a.exe
1120	axplong.exe
2168	38f0c3dd14.exe
624	judit.exe
5044	stub.exe
4352	redline123123.exe
2888	upd.exe
4544	setup222.exe
2372	svhoost.exe
5100	One.exe
5396	gold.exe
5204	lummac2.exe
5432	SetupWizard.exe
5160	SetupWizard.exe
5576	axplong.exe
5596	explortu.exe
3512	drivermanager.exe
4320	NewLatest.exe
5208	Hkbsse.exe
2916	monster.exe
2052	stub.exe
2988	bin.exe
1148	winsvc.exe
3276	Hkbsse.exe
5112	legs.exe
2808	winsvc.exe
1352	Hkbsse.exe
3508	explortu.exe
972	axplong.exe
5488	axplong.exe
5392	explortu.exe
5744	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	7700de6bf0.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	axplong.exe

Loads dropped DLL 64 IoCs

pid	Process
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
5044	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe
2052	stub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dd6917148a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\dd6917148a.exe"	explortu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
72	raw.githubusercontent.com
74	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000002354d-75.dat	autoit_exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\.coE186.tmp	SetupWizard.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\wincfg.exe	winsvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\.coE186.tmp	SetupWizard.exe
File opened for modification	C:\Windows\system32\winsvc.exe	SetupWizard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\winnet.exe	winsvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
336	explortu.exe
2364	7700de6bf0.exe
1120	axplong.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
5596	explortu.exe
5576	axplong.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
972	axplong.exe
3508	explortu.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
4788	dd6917148a.exe
5392	explortu.exe
5488	axplong.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 4988	2888	upd.exe	121
PID 5396 set thread context of 5436	5396	gold.exe	133
PID 3512 set thread context of 4452	3512	drivermanager.exe	175
PID 5112 set thread context of 5300	5112	legs.exe	202

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
File created	C:\Windows\Tasks\axplong.job	7700de6bf0.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe
File created	C:\Windows\Tasks\Hkbsse.job	bin.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5688	sc.exe
1800	sc.exe
1256	sc.exe
4628	sc.exe
4144	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3352	5112	WerFault.exe	200

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3960	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
1200	tasklist.exe
5896	tasklist.exe
4956	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6000	ipconfig.exe
5700	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5240	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
5496	taskkill.exe
2400	taskkill.exe
4212	taskkill.exe
2632	taskkill.exe
5476	taskkill.exe
1888	taskkill.exe
1656	taskkill.exe
5184	taskkill.exe
4488	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-200405930-3877336739-3533750831-1000\{55C3E26D-1045-4733-8D7D-6CFD0C43F241}	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	svhoost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	svhoost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
336	explortu.exe
336	explortu.exe
2364	7700de6bf0.exe
2364	7700de6bf0.exe
1120	axplong.exe
1120	axplong.exe
2492	chrome.exe
2492	chrome.exe
5916	powershell.exe
5916	powershell.exe
5916	powershell.exe
5596	explortu.exe
5596	explortu.exe
5576	axplong.exe
5576	axplong.exe
4352	redline123123.exe
4352	redline123123.exe
2372	svhoost.exe
2372	svhoost.exe
5436	RegAsm.exe
5436	RegAsm.exe
2372	svhoost.exe
2372	svhoost.exe
4352	redline123123.exe
4352	redline123123.exe
5436	RegAsm.exe
5436	RegAsm.exe
5300	RegAsm.exe
5300	RegAsm.exe
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
5360	powershell.exe
5360	powershell.exe
5360	powershell.exe
872	powershell.exe
872	powershell.exe
872	powershell.exe
5448	powershell.exe
5448	powershell.exe
5448	powershell.exe
972	axplong.exe
972	axplong.exe
3508	explortu.exe
3508	explortu.exe
2352	powershell.exe
2352	powershell.exe
2352	powershell.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
5324	powershell.exe
5324	powershell.exe
5336	powershell.exe
5336	powershell.exe
5276	powershell.exe
5276	powershell.exe
668	powershell.exe
668	powershell.exe
2324	powershell.exe
2324	powershell.exe
972	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe
Token: SeRemoteShutdownPrivilege	3920	WMIC.exe
Token: SeUndockPrivilege	3920	WMIC.exe
Token: SeManageVolumePrivilege	3920	WMIC.exe
Token: 33	3920	WMIC.exe
Token: 34	3920	WMIC.exe
Token: 35	3920	WMIC.exe
Token: 36	3920	WMIC.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe
Token: SeRemoteShutdownPrivilege	3920	WMIC.exe
Token: SeUndockPrivilege	3920	WMIC.exe
Token: SeManageVolumePrivilege	3920	WMIC.exe
Token: 33	3920	WMIC.exe
Token: 34	3920	WMIC.exe
Token: 35	3920	WMIC.exe
Token: 36	3920	WMIC.exe
Token: SeDebugPrivilege	1200	tasklist.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	5100	One.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeDebugPrivilege	5896	tasklist.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
2364	7700de6bf0.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2492	chrome.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2988	bin.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe
2168	38f0c3dd14.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4788	dd6917148a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 336	5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe	84
PID 5044 wrote to memory of 336	5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe	84
PID 5044 wrote to memory of 336	5044	3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe	84
PID 336 wrote to memory of 4280	336	explortu.exe	85
PID 336 wrote to memory of 4280	336	explortu.exe	85
PID 336 wrote to memory of 4280	336	explortu.exe	85
PID 336 wrote to memory of 2364	336	explortu.exe	86
PID 336 wrote to memory of 2364	336	explortu.exe	86
PID 336 wrote to memory of 2364	336	explortu.exe	86
PID 336 wrote to memory of 4788	336	explortu.exe	87
PID 336 wrote to memory of 4788	336	explortu.exe	87
PID 336 wrote to memory of 4788	336	explortu.exe	87
PID 2364 wrote to memory of 1120	2364	7700de6bf0.exe	88
PID 2364 wrote to memory of 1120	2364	7700de6bf0.exe	88
PID 2364 wrote to memory of 1120	2364	7700de6bf0.exe	88
PID 336 wrote to memory of 2168	336	explortu.exe	89
PID 336 wrote to memory of 2168	336	explortu.exe	89
PID 336 wrote to memory of 2168	336	explortu.exe	89
PID 2168 wrote to memory of 2492	2168	38f0c3dd14.exe	90
PID 2168 wrote to memory of 2492	2168	38f0c3dd14.exe	90
PID 2492 wrote to memory of 2004	2492	chrome.exe	92
PID 2492 wrote to memory of 2004	2492	chrome.exe	92
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 4496	2492	chrome.exe	93
PID 2492 wrote to memory of 872	2492	chrome.exe	94
PID 2492 wrote to memory of 872	2492	chrome.exe	94
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95
PID 2492 wrote to memory of 4444	2492	chrome.exe	95

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe
"C:\Users\Admin\AppData\Local\Temp\3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:4280
- - C:\Users\Admin\1000015002\7700de6bf0.exe
    "C:\Users\Admin\1000015002\7700de6bf0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
        5⤵
        Executes dropped EXE
        
        PID:624
      - C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:1596
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:2424
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        7⤵
        
        PID:2852
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        8⤵
        Views/modifies file attributes
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        7⤵
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        7⤵
        
        PID:2184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:5712
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        7⤵
        
        PID:5720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:5728
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:5904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:5736
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:5888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        7⤵
        
        PID:5940
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        
        PID:6128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        7⤵
        
        PID:6012
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:5240
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        8⤵
        
        PID:5140
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        8⤵
        Collects information from the system
        
        PID:3960
        
        C:\Windows\system32\net.exe
        
        net user
        8⤵
        
        PID:5928
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        9⤵
        
        PID:5716
        
        C:\Windows\system32\query.exe
        
        query user
        8⤵
        
        PID:736
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        9⤵
        
        PID:3088
        
        C:\Windows\system32\net.exe
        
        net localgroup
        8⤵
        
        PID:1928
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        9⤵
        
        PID:4384
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        8⤵
        
        PID:6052
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        9⤵
        
        PID:6076
        
        C:\Windows\system32\net.exe
        
        net user guest
        8⤵
        
        PID:1800
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        9⤵
        
        PID:5268
        
        C:\Windows\system32\net.exe
        
        net user administrator
        8⤵
        
        PID:5876
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        9⤵
        
        PID:5720
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        8⤵
        
        PID:5012
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        8⤵
        Enumerates processes with tasklist
        
        PID:4956
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:6000
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        8⤵
        
        PID:5988
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        8⤵
        
        PID:5796
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        8⤵
        Gathers network information
        
        PID:5700
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        8⤵
        Launches sc.exe
        
        PID:5688
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        8⤵
        Modifies Windows Firewall
        
        PID:5748
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        8⤵
        Modifies Windows Firewall
        
        PID:1060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:6112
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:5956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:736
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:6076
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2888
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe"
        5⤵
        Executes dropped EXE
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe
        
        SetupWizard.exe
        6⤵
        Executes dropped EXE
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\SetupWizard-f75943ba17e4125d\SetupWizard.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SetupWizard-f75943ba17e4125d\SetupWizard.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\system32\winsvc.exe
        
        "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\SetupWizard-f75943ba17e4125d\SetupWizard.exe"
        8⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5056
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
        10⤵
        Launches sc.exe
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5360
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
        10⤵
        Launches sc.exe
        
        PID:1256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
        10⤵
        Launches sc.exe
        
        PID:4628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5448
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" start winsvc
        10⤵
        Launches sc.exe
        
        PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5396
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5436
    - - C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
        5⤵
        Executes dropped EXE
        
        PID:5204
    - - C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3512
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:4452
    - - C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4320
      - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
        6⤵
        Executes dropped EXE
        
        PID:5208
    - - C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
        5⤵
        Executes dropped EXE
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\onefile_2916_133631691772668439\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
        6⤵
        Executes dropped EXE
        
        PID:3276
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5112
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5300
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 240
        6⤵
        Program crash
        
        PID:3352
- - C:\Users\Admin\AppData\Local\Temp\1000016001\dd6917148a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\dd6917148a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\1000017001\38f0c3dd14.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\38f0c3dd14.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff8e8f5ab58,0x7ff8e8f5ab68,0x7ff8e8f5ab78
        5⤵
        
        PID:2004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:2
        5⤵
        
        PID:4496
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:4444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:1
        5⤵
        
        PID:4336
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:1
        5⤵
        
        PID:2664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:1
        5⤵
        
        PID:4512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3256 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:1
        5⤵
        
        PID:4532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3240 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:3484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:4976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:1080
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:3576
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 --field-trial-handle=1896,i,16845693243095005883,728114527726107537,131072 /prefetch:8
        5⤵
        
        PID:432

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5576

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5112 -ip 5112
1⤵
PID:2136

C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5324
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5336
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
    3⤵
    PID:5724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5276
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
    3⤵
    PID:4852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:668
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
    3⤵
    PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
    3⤵
    PID:3376
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:5496
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:5184
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:2400
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2760
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINNET.exe"
  2⤵
  - Kills process with taskkill
  PID:4488
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINNET.exe"
  2⤵
  - Kills process with taskkill
  PID:2632
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINCFG.exe"
  2⤵
  - Kills process with taskkill
  PID:5476
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "WINCFG.exe"
  2⤵
  - Kills process with taskkill
  PID:1888

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1352

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5488

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5392

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\7700de6bf0.exe

Filesize
1.8MB

MD5
1596ee7e65daddbde81639b512266192

SHA1
7b4e07d83fff5b94fe6c04273c6043956784e4a4

SHA256
7ec77d0583d16a39eff4b8b3896e819e18eeef8d28ecdf762d54e4e0f2178b90

SHA512
46d4d7aa9b599a764b056aad110c924b5a109aabdfd5eb178356ea5cb848229c96b6dd36d8bc9f16ff25ef5e076f28ff78536844e993a545c7354d9daa0a4392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f03d1b81d0ac4883fb4a6a795a95ba8b

SHA1
4c12cda86b99a1796c5e7bcd72e85aecd33ff4fe

SHA256
53b5cd8e9ab8fa5c1d5a37404f8e433ed95b78731972ca40cc6b36442978acd9

SHA512
0bce1b9ddc922aac934fb186c987742860114c3f7a49dfdbccec813ca8c1ae1e5fe188bd3858ccb87dfbfcfda32217aa18c9af029dc6e2f8823f33bca814de44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
7ccf9f8976385e75b3e0298e13610700

SHA1
4e6fafdf9fc456da6d2a7837585daf8b824500d0

SHA256
69fef4160e7f7ad2046795aabc0bf57e5e43d352daa28fc1aca90a27f3582c6c

SHA512
b063df8186e5101f32fc4dcfdff857c397c1210766b8f15deecc077324771fbfbb4f7ff48a6d4056063444b2719a487590eef1867d37b40091f4fe08164b2bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\004059303877

Filesize
63KB

MD5
52620023f140396163cd8c72506adb5c

SHA1
2c70f7e3f17059be8c240d2cec15b094e8269f71

SHA256
3e2d32bcbf66eb83e20f73b33f815b6e6f05df8ac61c12377abe269611e3e71b

SHA512
20f33a70c2955027b6f612f093e9b12d47222dbbd9b136976f532abd195afa9b1a54d9e39068de318870f421363d20665906c2b11fc61930294d25d3d108c77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe

Filesize
10.7MB

MD5
c09ff1273b09cb1f9c7698ed147bf22e

SHA1
5634aec5671c4fd565694aa12cd3bf11758675d2

SHA256
bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92

SHA512
e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe

Filesize
297KB

MD5
0efd5136528869a8ea1a37c5059d706e

SHA1
3593bec29dbfd333a5a3a4ad2485a94982bbf713

SHA256
7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e

SHA512
4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe

Filesize
1.7MB

MD5
e8a7d0c6dedce0d4a403908a29273d43

SHA1
8289c35dabaee32f61c74de6a4e8308dc98eb075

SHA256
672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a

SHA512
c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\dd6917148a.exe

Filesize
1.3MB

MD5
b044b35c7a7b17bc02da7949ec91d825

SHA1
ca43dbf2bcd6be6c39af686bfce78df95b3310d1

SHA256
064acd680c81e7262f11026720cdf976b1dbc822046e47d4b81540391a4f4a9d

SHA512
d85a12b7e34a83ed4f0924abb44e0510121efc7131b4ea8cbb1893d43a9b155f9103b5030bb358af9bfc73ff142cffa123a488e10f484f44499f652b8605cce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\38f0c3dd14.exe

Filesize
1.1MB

MD5
485673cd656c36fb6dcf4a9025803e18

SHA1
c958d537977640eaa73f7ebdb22998c741aee5dc

SHA256
a6e81915b0dddf0bd702548a632e1bea467709b354a17e93358da52e030fcc88

SHA512
a1894f21bcb1a9885b54192c74f8f1dcea93b8585777ad45a3e77263a52895c94e612ad13adc375e52c610fb9735e7b62986f73af8ef11a0feff884f04fb4d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025001\setup222.exe

Filesize
96KB

MD5
8677376c509f0c66d1f02c6b66d7ef90

SHA1
e057eddf9d2e319967e200a5801e4bbe6e45862a

SHA256
f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96

SHA512
e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe

Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe

Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe

Filesize
3.6MB

MD5
c28a2d0a008788b49690b333d501e3f3

SHA1
6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4

SHA256
f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a

SHA512
455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe

Filesize
10.7MB

MD5
3f4f5c57433724a32b7498b6a2c91bf0

SHA1
04757ff666e1afa31679dd6bed4ed3af671332a3

SHA256
0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665

SHA512
cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\bin.exe

Filesize
424KB

MD5
13e5872e9b7c47090e035dc228c5589f

SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760

SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe

Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
d29281e018d65bfa32ce438793eb3946

SHA1
bdf5938d91eeac019d4d02628ac5f742943f2a64

SHA256
3de0a4c58ecb7054430465d12e60d994b6a98047decb1b4241bb72812032ce5d

SHA512
47757f87f4b20ff28ba0d2915f5a203199afaedeb8cc0f4fc970162f79b18a8302cc643755921ddc683c20a493787fa4ed134cff37ce35f16a68b0ac6a4eb85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
b364cecdba4b73c71116781b1c38d40f

SHA1
59ef6f46bd3f2ec17e78df8ee426d4648836255a

SHA256
10d009a3c97bf908961a19b4aaddc298d32959acc64bedf9d2a7f24c0261605b

SHA512
999c2da8e046c9f4103385c7d7dbb3bfdac883b6292dca9d67b36830b593f55ac14d6091eb15a41416c0bd65ac3d4a4a2b84f50d13906d36ed5574b275773ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupWizard.exe

Filesize
36.2MB

MD5
bfa6ee61bd4d54d0168942bd934fca57

SHA1
fe32c8db5e2d86f45056b88a795cb64e89f9e9d9

SHA256
674c91e5221bea7c55e22322173859bbbdb4491e03ea17b19976c708d8c65397

SHA512
f542ff662ce5c9b394f7aca1adc8ccbf8384161f9a09274cc2a5c2a0a639cd43ae1babbebb54ce3a59e7b4450b67ed9f0156009a983f73db5d39aa79f115002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7D3E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1z1xp5v.gdb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_asyncio.pyd

Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_cffi_backend.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_overlapped.pyd

Filesize
47KB

MD5
7e6bd435c918e7c34336c7434404eedf

SHA1
f3a749ad1d7513ec41066ab143f97fa4d07559e1

SHA256
0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4

SHA512
c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\multidict\_multidict.pyd

Filesize
45KB

MD5
ddd4c0ae1e0d166c22449e9dcdca20d7

SHA1
ff0e3d889b4e8bc43b0f13aa1154776b0df95700

SHA256
74ec52418c5d38a63add94228c6f68cf49519666ae8bcb7ac199f7d539d8612c

SHA512
c8464a77ba8b504ba9c7873f76499174095393c42dc85a9c1be2875c3661cda928851e37013e4ac95ba539eed984bf71c0fcc2cb599f3f0c4c1588d4a692bdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\stub.exe

Filesize
17.9MB

MD5
972d9d2422f1a71bed840709024302f8

SHA1
e52170710e3c413ae3cfa45fcdecf19db4aa382c

SHA256
1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564

SHA512
3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_624_133631691487817767\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

Filesize
408KB

MD5
816df4ac8c796b73a28159a0b17369b6

SHA1
db8bbb6f73fab9875de4aaa489c03665d2611558

SHA256
7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647

SHA512
7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

Filesize
304KB

MD5
15a7cae61788e4718d3c33abb7be6436

SHA1
62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f

SHA256
bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200

SHA512
5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

Download Submit
C:\Windows\System32\.coE186.tmp

Filesize
42.6MB

MD5
e4b86504b7f85a6248e3dfd4e2e9fdf5

SHA1
d932f240e9b50e58ee4962040d6c856d98630c09

SHA256
ae0b50c7c42615b19e0c4cf5d05611ca1e057929b8065fe9a99d7a492c9b441a

SHA512
7baac3b3eac897e06c7f7623d563fa9ab90c26ff04783a511a241ae59755316c9a580d7b91d0e227c6df14a21c4750c6c0a52f02e9c9282b597686878216ffa2

Download Submit
memory/336-560-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-16-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-19-0x0000000000701000-0x000000000072F000-memory.dmp

Filesize
184KB

Download
memory/336-427-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-575-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-20-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-144-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/336-21-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/624-443-0x00007FF6A0510000-0x00007FF6A0FE5000-memory.dmp

Filesize
10.8MB

Download
memory/972-773-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/972-775-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/972-922-0x000001C05C780000-0x000001C05C79A000-memory.dmp

Filesize
104KB

Download
memory/972-921-0x000001C05C720000-0x000001C05C72E000-memory.dmp

Filesize
56KB

Download
memory/1120-429-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/1120-711-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/1120-70-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/2352-802-0x000002D44B150000-0x000002D44B16C000-memory.dmp

Filesize
112KB

Download
memory/2352-810-0x000002D44B3C0000-0x000002D44B3CA000-memory.dmp

Filesize
40KB

Download
memory/2352-806-0x000002D44B370000-0x000002D44B37A000-memory.dmp

Filesize
40KB

Download
memory/2352-804-0x000002D44AF00000-0x000002D44AF0A000-memory.dmp

Filesize
40KB

Download
memory/2352-803-0x000002D44B170000-0x000002D44B225000-memory.dmp

Filesize
724KB

Download
memory/2352-809-0x000002D44B3B0000-0x000002D44B3B6000-memory.dmp

Filesize
24KB

Download
memory/2352-807-0x000002D44B3D0000-0x000002D44B3EA000-memory.dmp

Filesize
104KB

Download
memory/2352-805-0x000002D44B390000-0x000002D44B3AC000-memory.dmp

Filesize
112KB

Download
memory/2352-808-0x000002D44B380000-0x000002D44B388000-memory.dmp

Filesize
32KB

Download
memory/2364-39-0x0000000000820000-0x0000000000CBD000-memory.dmp

Filesize
4.6MB

Download
memory/2364-69-0x0000000000820000-0x0000000000CBD000-memory.dmp

Filesize
4.6MB

Download
memory/2372-343-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/2372-454-0x0000000007BE0000-0x000000000810C000-memory.dmp

Filesize
5.2MB

Download
memory/2372-453-0x00000000074E0000-0x00000000076A2000-memory.dmp

Filesize
1.8MB

Download
memory/2372-342-0x0000000005890000-0x0000000005906000-memory.dmp

Filesize
472KB

Download
memory/2372-324-0x0000000000300000-0x0000000000352000-memory.dmp

Filesize
328KB

Download
memory/2888-272-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2888-274-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3508-772-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/3508-777-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/3512-493-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-503-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-480-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-481-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-483-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-471-0x0000000000540000-0x00000000008DC000-memory.dmp

Filesize
3.6MB

Download
memory/3512-472-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/3512-473-0x00000000052D0000-0x00000000053D6000-memory.dmp

Filesize
1.0MB

Download
memory/3512-478-0x00000000053E0000-0x00000000054CC000-memory.dmp

Filesize
944KB

Download
memory/3512-479-0x00000000050D0000-0x00000000050EC000-memory.dmp

Filesize
112KB

Download
memory/3512-525-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-523-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-521-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-519-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-517-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-515-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-513-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-511-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-509-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-507-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-505-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-485-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-501-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-499-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-497-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-495-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-487-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-491-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/3512-489-0x00000000050D0000-0x00000000050E5000-memory.dmp

Filesize
84KB

Download
memory/4352-275-0x00000000063F0000-0x0000000006A08000-memory.dmp

Filesize
6.1MB

Download
memory/4352-286-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-269-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/4352-288-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/4352-440-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/4352-268-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/4352-442-0x0000000006D60000-0x0000000006DB0000-memory.dmp

Filesize
320KB

Download
memory/4352-259-0x0000000000850000-0x00000000008A0000-memory.dmp

Filesize
320KB

Download
memory/4352-265-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/4352-297-0x00000000055E0000-0x000000000562C000-memory.dmp

Filesize
304KB

Download
memory/4352-287-0x0000000005540000-0x0000000005552000-memory.dmp

Filesize
72KB

Download
memory/4788-428-0x0000000000990000-0x0000000000EC2000-memory.dmp

Filesize
5.2MB

Download
memory/4788-710-0x0000000000990000-0x0000000000EC2000-memory.dmp

Filesize
5.2MB

Download
memory/4788-55-0x0000000000990000-0x0000000000EC2000-memory.dmp

Filesize
5.2MB

Download
memory/4988-273-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/5044-18-0x0000000000340000-0x0000000000802000-memory.dmp

Filesize
4.8MB

Download
memory/5044-0-0x0000000000340000-0x0000000000802000-memory.dmp

Filesize
4.8MB

Download
memory/5044-1-0x0000000077B24000-0x0000000077B26000-memory.dmp

Filesize
8KB

Download
memory/5044-2-0x0000000000341000-0x000000000036F000-memory.dmp

Filesize
184KB

Download
memory/5044-444-0x00007FF7409C0000-0x00007FF741BF5000-memory.dmp

Filesize
18.2MB

Download
memory/5044-3-0x0000000000340000-0x0000000000802000-memory.dmp

Filesize
4.8MB

Download
memory/5044-5-0x0000000000340000-0x0000000000802000-memory.dmp

Filesize
4.8MB

Download
memory/5100-332-0x0000000000920000-0x000000000098C000-memory.dmp

Filesize
432KB

Download
memory/5100-581-0x000000001E2D0000-0x000000001E30C000-memory.dmp

Filesize
240KB

Download
memory/5100-580-0x000000001C5E0000-0x000000001C5F2000-memory.dmp

Filesize
72KB

Download
memory/5100-579-0x000000001E3A0000-0x000000001E4AA000-memory.dmp

Filesize
1.0MB

Download
memory/5292-836-0x00000168F6570000-0x00000168F6625000-memory.dmp

Filesize
724KB

Download
memory/5300-704-0x0000000008930000-0x000000000897C000-memory.dmp

Filesize
304KB

Download
memory/5300-691-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5392-979-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/5392-977-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/5396-363-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/5436-362-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5488-976-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/5488-981-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/5576-445-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/5576-451-0x0000000000520000-0x00000000009BD000-memory.dmp

Filesize
4.6MB

Download
memory/5596-446-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/5596-452-0x0000000000700000-0x0000000000BC2000-memory.dmp

Filesize
4.8MB

Download
memory/5916-425-0x0000027326850000-0x0000027326872000-memory.dmp

Filesize
136KB

Download