amadey | c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6

Analysis

max time kernel
300s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
30-09-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
Size

1.9MB
MD5

49a9681922ad571a4a24b42465e5cdc4
SHA1

f710153121bcde5e6acd4760001d916675973475
SHA256

c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6
SHA512

adcb2e990a433e69468c21bc2f0089d147aad354bb3d637f280383f5d31913f4ad80a8c121a565a89b36946df0df02b142955681e257dd4bca66470146b976f3
SSDEEP

49152:GJd564fdAN+fobpaJztfWOoh1jpt1zeO67:khgfb8tt/oNtcOI

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

136.244.88.135:17615

Extracted

Family

redline

Botnet

@OLEH_PSP

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

xworm

Version

5.0

188.190.10.161:4444

Mutex

TSXTkO0pNBdN2KNw

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

stealc

Botnet

doma

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

default

http://91.202.233.158

Attributes

url_path
/e96ea2db21fa9a1b.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://chaptermusu.store/api

https://possiwreeste.site/api

https://underlinemdsj.site/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5372-1398-0x0000000000740000-0x000000000076E000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/memory/4816-40-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/files/0x000700000001aabb-57.dat	family_redline
behavioral2/memory/4868-58-0x0000000000C20000-0x0000000000C72000-memory.dmp	family_redline
behavioral2/files/0x000700000001aade-254.dat	family_redline
behavioral2/memory/4488-262-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/memory/5988-1396-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/5372-3333-0x0000000007410000-0x0000000007530000-memory.dmp	family_stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3892 created 3304	3892	rstxdhuj.exe	55
PID 5552 created 3304	5552	Ewpeloxttug.exe	55
PID 6768 created 3304	6768	Waters.pif	55
PID 6768 created 3304	6768	Waters.pif	55

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	64523faf8f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4c59094d58.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f719864374.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5592	powershell.exe
4336	powershell.exe
5484	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 30 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f719864374.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f719864374.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	64523faf8f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4c59094d58.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4c59094d58.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64523faf8f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUtil.vbs	Ewpeloxttug.exe

Executes dropped EXE 48 IoCs

pid	Process
640	axplong.exe
304	gold.exe
4188	12dsvc.exe
2184	q55hJbNYdV.exe
4868	3XzoWVf1Da.exe
1812	Nework.exe
3456	Hkbsse.exe
3208	stealc_default2.exe
3192	needmoney.exe
4316	penis.exe
4964	crypted.exe
1044	javumarfirst.exe
4488	newbundle2.exe
3892	rstxdhuj.exe
5644	f719864374.exe
5608	Hkbsse.exe
5588	axplong.exe
5060	64523faf8f.exe
3280	svchost015.exe
2508	lummetc.exe
3752	processclass.exe
1424	skotes.exe
5856	splwow64.exe
5552	Ewpeloxttug.exe
4860	CompleteStudio.exe
6884	num.exe
6932	4c59094d58.exe
1632	2.exe
3144	context.exe
1444	Ewpeloxttug.exe
6768	Waters.pif
5508	skotes.exe
4524	axplong.exe
6856	Hkbsse.exe
5248	Waters.pif
4352	service123.exe
5960	skotes.exe
5188	Hkbsse.exe
6176	axplong.exe
5832	service123.exe
2488	skotes.exe
4476	axplong.exe
6300	Hkbsse.exe
6668	service123.exe
1480	skotes.exe
7040	axplong.exe
7048	Hkbsse.exe
6020	service123.exe

Identifies Wine through registry keys 2 TTPs 15 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	4c59094d58.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	f719864374.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	64523faf8f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	axplong.exe

Loads dropped DLL 6 IoCs

pid	Process
3208	stealc_default2.exe
3208	stealc_default2.exe
4352	service123.exe
5832	service123.exe
6668	service123.exe
6020	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\f719864374.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\f719864374.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ylrdnrwcx = "C:\\Users\\Admin\\AppData\\Roaming\\Ylrdnrwcx.exe"	rstxdhuj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\64523faf8f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\64523faf8f.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c59094d58.exe = "C:\\Users\\Admin\\1000115002\\4c59094d58.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
6276	tasklist.exe
6780	tasklist.exe
6904	tasklist.exe
6076	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
1604	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
640	axplong.exe
5644	f719864374.exe
5588	axplong.exe
5060	64523faf8f.exe
1424	skotes.exe
6932	4c59094d58.exe
5508	skotes.exe
4524	axplong.exe
5960	skotes.exe
6176	axplong.exe
2488	skotes.exe
4476	axplong.exe
1480	skotes.exe
7040	axplong.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 304 set thread context of 4816	304	gold.exe	74
PID 4964 set thread context of 5988	4964	crypted.exe	94
PID 3892 set thread context of 5372	3892	rstxdhuj.exe	95
PID 3192 set thread context of 3280	3192	needmoney.exe	102
PID 1632 set thread context of 5164	1632	2.exe	118
PID 4860 set thread context of 5844	4860	CompleteStudio.exe	128
PID 5552 set thread context of 1444	5552	Ewpeloxttug.exe	139

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ViewpictureKingdom	splwow64.exe
File opened for modification	C:\Windows\BrandonBlind	splwow64.exe
File opened for modification	C:\Windows\IpaqArthur	splwow64.exe
File opened for modification	C:\Windows\HardlyAircraft	context.exe
File opened for modification	C:\Windows\IpaqArthur	context.exe
File created	C:\Windows\Tasks\Test Task17.job	Ewpeloxttug.exe
File created	C:\Windows\Tasks\axplong.job	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe
File created	C:\Windows\Tasks\skotes.job	64523faf8f.exe
File opened for modification	C:\Windows\HardlyAircraft	splwow64.exe
File opened for modification	C:\Windows\ViewpictureKingdom	context.exe
File opened for modification	C:\Windows\BrandonBlind	context.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6572	3280	WerFault.exe	102
6328	5372	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	penis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c59094d58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newbundle2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ewpeloxttug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q55hJbNYdV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64523faf8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rstxdhuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waters.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waters.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javumarfirst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12dsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ewpeloxttug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	num.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	needmoney.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f719864374.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lummetc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3XzoWVf1Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javumarfirst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	javumarfirst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost015.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5572	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
6324	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	3XzoWVf1Da.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	3XzoWVf1Da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5992	schtasks.exe
6128	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5372	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
1604	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
640	axplong.exe
640	axplong.exe
3208	stealc_default2.exe
3208	stealc_default2.exe
2184	q55hJbNYdV.exe
4816	RegAsm.exe
3208	stealc_default2.exe
3208	stealc_default2.exe
5644	f719864374.exe
5644	f719864374.exe
3892	rstxdhuj.exe
3892	rstxdhuj.exe
5588	axplong.exe
5588	axplong.exe
4488	newbundle2.exe
4488	newbundle2.exe
5060	64523faf8f.exe
5060	64523faf8f.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
4816	RegAsm.exe
4816	RegAsm.exe
1424	skotes.exe
1424	skotes.exe
4336	powershell.exe
5988	RegAsm.exe
5988	RegAsm.exe
6932	4c59094d58.exe
6932	4c59094d58.exe
4868	3XzoWVf1Da.exe
4868	3XzoWVf1Da.exe
4868	3XzoWVf1Da.exe
4868	3XzoWVf1Da.exe
5592	powershell.exe
5592	powershell.exe
5592	powershell.exe
5484	powershell.exe
5484	powershell.exe
5592	powershell.exe
5484	powershell.exe
4488	newbundle2.exe
4488	newbundle2.exe
5484	powershell.exe
3480	chrome.exe
3480	chrome.exe
5988	RegAsm.exe
5988	RegAsm.exe
5988	RegAsm.exe
5988	RegAsm.exe
5988	RegAsm.exe
5988	RegAsm.exe
5372	InstallUtil.exe
5372	InstallUtil.exe
3280	svchost015.exe
3280	svchost015.exe
5552	Ewpeloxttug.exe
5552	Ewpeloxttug.exe
6768	Waters.pif
6768	Waters.pif
6768	Waters.pif
6768	Waters.pif

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	q55hJbNYdV.exe
Token: SeBackupPrivilege	2184	q55hJbNYdV.exe
Token: SeSecurityPrivilege	2184	q55hJbNYdV.exe
Token: SeSecurityPrivilege	2184	q55hJbNYdV.exe
Token: SeSecurityPrivilege	2184	q55hJbNYdV.exe
Token: SeSecurityPrivilege	2184	q55hJbNYdV.exe
Token: SeDebugPrivilege	4316	penis.exe
Token: SeBackupPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeDebugPrivilege	4816	RegAsm.exe
Token: SeDebugPrivilege	3892	rstxdhuj.exe
Token: SeDebugPrivilege	3892	rstxdhuj.exe
Token: SeDebugPrivilege	4488	newbundle2.exe
Token: SeDebugPrivilege	5372	InstallUtil.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	5988	RegAsm.exe
Token: SeDebugPrivilege	5552	Ewpeloxttug.exe
Token: SeBackupPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeDebugPrivilege	4868	3XzoWVf1Da.exe
Token: SeDebugPrivilege	4860	CompleteStudio.exe
Token: SeDebugPrivilege	3752	processclass.exe
Token: SeDebugPrivilege	5592	powershell.exe
Token: SeDebugPrivilege	5484	powershell.exe
Token: SeShutdownPrivilege	3480	chrome.exe
Token: SeCreatePagefilePrivilege	3480	chrome.exe
Token: SeShutdownPrivilege	3480	chrome.exe
Token: SeCreatePagefilePrivilege	3480	chrome.exe
Token: SeDebugPrivilege	5372	InstallUtil.exe
Token: SeBackupPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeDebugPrivilege	5552	Ewpeloxttug.exe
Token: SeDebugPrivilege	6276	tasklist.exe
Token: SeDebugPrivilege	6780	tasklist.exe
Token: SeBackupPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeDebugPrivilege	6904	tasklist.exe
Token: SeDebugPrivilege	6076	tasklist.exe
Token: SeBackupPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeBackupPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeDebugPrivilege	6324	taskkill.exe
Token: SeBackupPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe
Token: SeSecurityPrivilege	4316	penis.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1604	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
5060	64523faf8f.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
6768	Waters.pif
6768	Waters.pif
6768	Waters.pif
5248	Waters.pif
5248	Waters.pif
5248	Waters.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
6768	Waters.pif
6768	Waters.pif
6768	Waters.pif
5248	Waters.pif
5248	Waters.pif
5248	Waters.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5372	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 640	1604	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe	71
PID 1604 wrote to memory of 640	1604	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe	71
PID 1604 wrote to memory of 640	1604	c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe	71
PID 640 wrote to memory of 304	640	axplong.exe	72
PID 640 wrote to memory of 304	640	axplong.exe	72
PID 640 wrote to memory of 304	640	axplong.exe	72
PID 304 wrote to memory of 4816	304	gold.exe	74
PID 304 wrote to memory of 4816	304	gold.exe	74
PID 304 wrote to memory of 4816	304	gold.exe	74
PID 304 wrote to memory of 4816	304	gold.exe	74
PID 304 wrote to memory of 4816	304	gold.exe	74
PID 304 wrote to memory of 4816	304	gold.exe	74
PID 304 wrote to memory of 4816	304	gold.exe	74
PID 304 wrote to memory of 4816	304	gold.exe	74
PID 640 wrote to memory of 4188	640	axplong.exe	75
PID 640 wrote to memory of 4188	640	axplong.exe	75
PID 640 wrote to memory of 4188	640	axplong.exe	75
PID 4188 wrote to memory of 2184	4188	12dsvc.exe	76
PID 4188 wrote to memory of 2184	4188	12dsvc.exe	76
PID 4188 wrote to memory of 2184	4188	12dsvc.exe	76
PID 4188 wrote to memory of 4868	4188	12dsvc.exe	78
PID 4188 wrote to memory of 4868	4188	12dsvc.exe	78
PID 4188 wrote to memory of 4868	4188	12dsvc.exe	78
PID 640 wrote to memory of 1812	640	axplong.exe	80
PID 640 wrote to memory of 1812	640	axplong.exe	80
PID 640 wrote to memory of 1812	640	axplong.exe	80
PID 1812 wrote to memory of 3456	1812	Nework.exe	81
PID 1812 wrote to memory of 3456	1812	Nework.exe	81
PID 1812 wrote to memory of 3456	1812	Nework.exe	81
PID 640 wrote to memory of 3208	640	axplong.exe	82
PID 640 wrote to memory of 3208	640	axplong.exe	82
PID 640 wrote to memory of 3208	640	axplong.exe	82
PID 640 wrote to memory of 3192	640	axplong.exe	84
PID 640 wrote to memory of 3192	640	axplong.exe	84
PID 640 wrote to memory of 3192	640	axplong.exe	84
PID 640 wrote to memory of 4316	640	axplong.exe	85
PID 640 wrote to memory of 4316	640	axplong.exe	85
PID 640 wrote to memory of 4316	640	axplong.exe	85
PID 640 wrote to memory of 4964	640	axplong.exe	87
PID 640 wrote to memory of 4964	640	axplong.exe	87
PID 640 wrote to memory of 4964	640	axplong.exe	87
PID 3456 wrote to memory of 1044	3456	Hkbsse.exe	89
PID 3456 wrote to memory of 1044	3456	Hkbsse.exe	89
PID 3456 wrote to memory of 1044	3456	Hkbsse.exe	89
PID 640 wrote to memory of 4488	640	axplong.exe	90
PID 640 wrote to memory of 4488	640	axplong.exe	90
PID 640 wrote to memory of 4488	640	axplong.exe	90
PID 640 wrote to memory of 3892	640	axplong.exe	92
PID 640 wrote to memory of 3892	640	axplong.exe	92
PID 640 wrote to memory of 3892	640	axplong.exe	92
PID 640 wrote to memory of 5644	640	axplong.exe	93
PID 640 wrote to memory of 5644	640	axplong.exe	93
PID 640 wrote to memory of 5644	640	axplong.exe	93
PID 4964 wrote to memory of 5988	4964	crypted.exe	94
PID 4964 wrote to memory of 5988	4964	crypted.exe	94
PID 4964 wrote to memory of 5988	4964	crypted.exe	94
PID 4964 wrote to memory of 5988	4964	crypted.exe	94
PID 4964 wrote to memory of 5988	4964	crypted.exe	94
PID 4964 wrote to memory of 5988	4964	crypted.exe	94
PID 4964 wrote to memory of 5988	4964	crypted.exe	94
PID 4964 wrote to memory of 5988	4964	crypted.exe	94
PID 3892 wrote to memory of 5372	3892	rstxdhuj.exe	95
PID 3892 wrote to memory of 5372	3892	rstxdhuj.exe	95
PID 3892 wrote to memory of 5372	3892	rstxdhuj.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe
  "C:\Users\Admin\AppData\Local\Temp\c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:304
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Users\Admin\AppData\Roaming\q55hJbNYdV.exe
        
        "C:\Users\Admin\AppData\Roaming\q55hJbNYdV.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Users\Admin\AppData\Roaming\3XzoWVf1Da.exe
        
        "C:\Users\Admin\AppData\Roaming\3XzoWVf1Da.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Users\Admin\AppData\Local\Temp\1000072001\javumarfirst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000072001\javumarfirst.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6128
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
      "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3192
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1196
        6⤵
        Program crash
        
        PID:6572
  - - C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
      "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5988
  - - C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe
      "C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\1000354001\f719864374.exe
      "C:\Users\Admin\AppData\Local\Temp\1000354001\f719864374.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5644
  - - C:\Users\Admin\AppData\Local\Temp\1000355001\64523faf8f.exe
      "C:\Users\Admin\AppData\Local\Temp\1000355001\64523faf8f.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
      - C:\Users\Admin\AppData\Local\Temp\1000113001\num.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000113001\num.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6884
      - C:\Users\Admin\1000115002\4c59094d58.exe
        
        "C:\Users\Admin\1000115002\4c59094d58.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6932
      - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        6⤵
        
        PID:5440
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000128041\ko.ps1"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --kiosk --user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Google\Chrome\User\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffdeea39758,0x7ffdeea39768,0x7ffdeea39778
        8⤵
        
        PID:6152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1876,i,11234776275947230871,9397245101149485567,131072 /prefetch:2
        8⤵
        
        PID:5884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=1652 --field-trial-handle=1876,i,11234776275947230871,9397245101149485567,131072 /prefetch:8
        8⤵
        
        PID:5452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=2124 --field-trial-handle=1876,i,11234776275947230871,9397245101149485567,131072 /prefetch:8
        8⤵
        
        PID:1504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User" --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1876,i,11234776275947230871,9397245101149485567,131072 /prefetch:1
        8⤵
        
        PID:3028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1876,i,11234776275947230871,9397245101149485567,131072 /prefetch:1
        8⤵
        
        PID:5184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3252 --field-trial-handle=1876,i,11234776275947230871,9397245101149485567,131072 /prefetch:1
        8⤵
        
        PID:2992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User" --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3888 --field-trial-handle=1876,i,11234776275947230871,9397245101149485567,131072 /prefetch:1
        8⤵
        
        PID:3716
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User" --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3900 --field-trial-handle=1876,i,11234776275947230871,9397245101149485567,131072 /prefetch:1
        8⤵
        
        PID:3868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User" --mojo-platform-channel-handle=3764 --field-trial-handle=1876,i,11234776275947230871,9397245101149485567,131072 /prefetch:8
        8⤵
        
        PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\1000365001\lummetc.exe
      "C:\Users\Admin\AppData\Local\Temp\1000365001\lummetc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\1000367001\processclass.exe
      "C:\Users\Admin\AppData\Local\Temp\1000367001\processclass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3752
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start context.exe
        5⤵
        
        PID:3592
      - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6904
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6076
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 607698
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
        
        Waters.pif Q
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5248
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\1000368001\splwow64.exe
      "C:\Users\Admin\AppData\Local\Temp\1000368001\splwow64.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6276
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6632
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6780
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6788
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 607698
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6256
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "MaskBathroomCompositionInjection" Participants
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6228
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6724
      - C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
        
        Waters.pif Q
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "Waters.pif" && timeout 1 && del Waters.pif && Exit"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "Waters.pif"
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6324
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5572
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
  - - C:\Users\Admin\AppData\Local\Temp\1000376001\Ewpeloxttug.exe
      "C:\Users\Admin\AppData\Local\Temp\1000376001\Ewpeloxttug.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5552
  - - C:\Users\Admin\AppData\Local\Temp\1000377001\CompleteStudio.exe
      "C:\Users\Admin\AppData\Local\Temp\1000377001\CompleteStudio.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4860
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
  - - C:\Users\Admin\AppData\Local\Temp\1000378001\2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000378001\2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1632
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 1848
    3⤵
    - Program crash
    PID:6328
- C:\Users\Admin\AppData\Local\Temp\1000376001\Ewpeloxttug.exe
  "C:\Users\Admin\AppData\Local\Temp\1000376001\Ewpeloxttug.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7124
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:5220

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5608

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5508

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4524

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:6856

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5960

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5188

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6176

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5832

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2488

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4476

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:6300

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6668

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1480

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7040

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:7048

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User\Default\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
df40d97afbb8a641b12c9909035b8520

SHA1
e3fd1c9519db67a97e7010b375a8978cf3cbe54f

SHA256
5ca3fd71d3e40fb7862c022c21467773535360be08786b91d40f456af3d80146

SHA512
0aeae2064368083c4d2b5cbb127f6e7abd270e5eda02c627e58b28418d596da41d36745eaee0a2d754926274834d0f88def6fc881fcab8819384873af40c6fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
314KB

MD5
f2d385ddbb2edafacd070f103f7f1576

SHA1
5ee6cb80bc943476067c148e5c16738b7b062029

SHA256
d56a1a5602b5e72b8b9b2d6f2e0c5bc689682d0983f30b8c66dad9af093679b3

SHA512
e6ee00d15483ef29fb7e48ed28833ce5059f7bfada96b92c350246f6032f85d318571950bf6d2ee557e417e87d24d90965aa1523782416792fa7eb7354266df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

Filesize
1006KB

MD5
c005d4ffa3e28c22b41a9d222598260a

SHA1
57cc3a6540bc38c649ddfdd54fa4f3c8a2423677

SHA256
799d10acbb0e2886c4d32c771964f4c2cb47f93c817cdc26a9acaefa3ba042cb

SHA512
ce39903c46160deeee1c7b362000361a3f5a9243b2e180bbaafa5b8ab09cc09ca413ce32f4deb2074fa928110d25b3dae7465c849fc388a58ddf649a9caa3a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000072001\javumarfirst.exe

Filesize
9.5MB

MD5
0603207308448ad82dc3d1fc17923ddb

SHA1
9c4f8f3e35d6404e22b50b7f1a0641a1b4195d94

SHA256
0fb82d8a8edd32ba4f80b129b228c9e74871f55f970b44c75af5aa4572b1b582

SHA512
50595287ba90421dbb6fc612b69d2a2bffdad54ff79b04c50a05ea414af4e7deeb7101fb1b0638257cb28d3627ef8258e7cb039178b6d504d922774e91f95ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000113001\num.exe

Filesize
307KB

MD5
791fcee57312d4a20cc86ae1cea8dfc4

SHA1
04a88c60ae1539a63411fe4765e9b931e8d2d992

SHA256
27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d

SHA512
2771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128041\ko.ps1

Filesize
1KB

MD5
35292f05c28986bd94cc363c44485653

SHA1
81047ee0529810fe35619fe2cff6b5c1ae9b7fb4

SHA256
03d8c848bd6d6d25cba8c809cba33b541ed43a95c09bcb669741cc9d6a91f80e

SHA512
89feff3083bb66f51fec71b952465db62ff61e60dbd25c3f5986d00747f0ef68cece359aa8d992b2c6667d1a29f93a5e91c57fe22c54eda25344597a809a5edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

Filesize
4.1MB

MD5
7fa5c660d124162c405984d14042506f

SHA1
69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

SHA256
fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

SHA512
d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

Filesize
409KB

MD5
a21700718c70ec5e787ad373cb72a757

SHA1
027554ab5ff3245e7617f3b83d6548bf7919f92e

SHA256
87e639ecc7704cb5e29f1ebb1d8ade3ae863aaa2505a37b28f2d45121da500c6

SHA512
ea292a5442d9fe536e650a2bc5142dd3aef79c66930243897e0e87c57915f0a54e45e03e58daffb473f85fe10b963d4670050bff5ab3f91121d21d463e25659b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

Filesize
963KB

MD5
1ef39c8bc5799aa381fe093a1f2d532a

SHA1
57eabb02a7c43c9682988227dd470734cc75edb2

SHA256
0cced5b50789fca3ad4b2c151b798363d712da04c377bd704dcef4898e66b2b4

SHA512
13a9c267c4ceb2bd176f1339faa035ffeb08936deeeb4e38252ea43cfe487ea1c1876e4cc2a965548e767af02805a1da62885e6538da056be0c6fae33b637682

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000354001\f719864374.exe

Filesize
1.8MB

MD5
beb729f85b42e8201b31a5b96c898f5f

SHA1
b29a39f73636dea3780c5167bb87809ef8a82d6c

SHA256
d71873f393259dc6b0998b4be7be61adbc24e0652716c2aaab2bbcb3d6cafabe

SHA512
e85ed0f17a02b3bacac12430bbc1ada55ac782f2bcd9c541b3daf3a5ad221439be02931135dfbacf226037b34cd8891fd65890aac2ff8b6d17c22518dd635e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000355001\64523faf8f.exe

Filesize
1.8MB

MD5
ed23c3616cae82f6fe5e3df97ee3efbe

SHA1
9e2671c2827cf009ebb92bf09fa1ac1c9134b938

SHA256
5b7c78f3bc09b7882a600bd5561623c7c357ec89ac2c9b3419c889f8ee015ae7

SHA512
90a18ea03d73b36a17c5318b434415bac14d7c37f4b4885c636d859e881e71869ee2577cde0ddcee89db3a583bd50514523ea813a15d7f1f65d6d4336edaae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000365001\lummetc.exe

Filesize
352KB

MD5
2fe92adf3fe6c95c045d07f3d2ecd2ed

SHA1
42d1d4b670b60ff3f27c3cc5b8134b67e9c4a138

SHA256
13167320a0e8266a56694be70a9560c83e2c645d6eeaa147b9ae585c2960ebb2

SHA512
0af7b4a3ce3981707ca450b90829a4a8e933ea3cd3affbce738265a1a0647e96323117db325d0e5e3884f67f36b21b8c955b6c3c6dda21d9b01212e28ef88d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000367001\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000368001\splwow64.exe

Filesize
1.3MB

MD5
2b01c9b0c69f13da5ee7889a4b17c45e

SHA1
27f0c1ae0ddeddc9efac38bc473476b103fef043

SHA256
d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

SHA512
23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000376001\Ewpeloxttug.exe

Filesize
2.2MB

MD5
23c8cb1226c61a164d7518218c837b81

SHA1
45ea74832e487bacb788189c04661b29a71e86b5

SHA256
21aaa5319a6729df0581203a0782ead837b848387e44cd1844ca8e19882a50af

SHA512
8e219108c05966ec8ee6bc2ce2fb40c4aedce6614e65970c356e4f840e88720188c762aaa4451c2f5f1fa1bbc14136ecbcd1f4c9f3b1a5fccc0ab053a37bcc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000377001\CompleteStudio.exe

Filesize
479KB

MD5
ee4d5bd9f92faca11d441676ceddcec9

SHA1
64626881b63abc37cd77fca95f524830849dd135

SHA256
d6872d521e977683f9fbf54b80e2a218aec4f0ae9caaa233ca9797f16c37b4d4

SHA512
0daac4bdfc51994877c27f87377d210674c78eb4587a9baef6fbe46f5a1aa8e9ed700d4881356adc66c713562995a5fa5f56ecacc2a84ee2f695f2816fe63752

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000378001\2.exe

Filesize
1.9MB

MD5
ae85198b4e96994847b851ba2360a2e5

SHA1
7b0217e10e74c3d20d46b776c64f49e81dc8d8f2

SHA256
7451a7613a173ab1c80d664892cb744c7f09925dedf9adb964b31861b74cb713

SHA512
ce58b0f4faaa79266679c767b5e03f1990f822bfc81286e99bd8a0890bc1b07c9740ce65cb08ca6380e6ba285dffe97f00748d46ddfee1e1fb00bf135fc1071d

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.9MB

MD5
49a9681922ad571a4a24b42465e5cdc4

SHA1
f710153121bcde5e6acd4760001d916675973475

SHA256
c66b9636df8b16d69170b47f28611d70194925cd941c0a7ed49a6f35a599dad6

SHA512
adcb2e990a433e69468c21bc2f0089d147aad354bb3d637f280383f5d31913f4ad80a8c121a565a89b36946df0df02b142955681e257dd4bca66470146b976f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\453213197474

Filesize
85KB

MD5
447b4068825563a50dc736739128252c

SHA1
7a234219846c043edbba17a00956e20210c2f2bd

SHA256
b7d49ebe5ad3942dff8b031e548567cfe21d753b98dd57b21a29f4eac730dbe1

SHA512
2bce53d9012ef43a88cdf09c43417f6c7c9a84043abb0d4d614eb747c3c8fa527eaa1dfaab768d99a50d496c5cc9660c0cdfc98b3df4b3fb26f967bb31353a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\607698\Q

Filesize
794KB

MD5
7b5632dcd418bcbae2a9009dbaf85f37

SHA1
32aaf06166854718f0bcbb2f7173c2732cfb4d33

SHA256
361e9c3b62719b79bc280420b5f710e160fd55f2250bf605911ded7162483db4

SHA512
c834e90ccf2d35529c294319b8e9a49db7a7d67d0567e0739131d5af51170db32076d68147dc101f8047a75cb5b2275b25a9c8346a99a146a6798b9764316838

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotions

Filesize
19KB

MD5
b98d78c3abe777a5474a60e970a674ad

SHA1
079e438485e46aff758e2dff4356fdd2c7575d78

SHA256
2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4

SHA512
6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE697.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n2jy0q1r.pej.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6CF.tmp.dat

Filesize
92KB

MD5
64408bdf8a846d232d7db045b4aa38b1

SHA1
2b004e839e8fc7632c72aa030b99322e1e378750

SHA256
292f45b8c48293c19461f901644572f880933cbbde47aedcc060b5162283a9fe

SHA512
90c169dbae6e15779c67e013007ac7df182a9221395edd9d6072d15e270132a44e43e330dfe0af818cf3c93754086601cd1c401fb9b69d7c9567407e4d08873b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF761.tmp.dat

Filesize
5.0MB

MD5
992848147f89ffb1c8c56771484ed175

SHA1
0d2f38d2f569e18cf37e7771376c42d430fb517b

SHA256
90f853eb9adc4d53d070033082db2d8d5100659e85ef477066fc450f68adb112

SHA512
1010f75056512235a122cac576634cacf7305a3244631eec80c5e6be1170627073cf24e955e5f23ad22bb74dcfe749ec3274f581ccd5d01bc788ea8afead74e0

Download Submit
C:\Users\Admin\AppData\Roaming\3XzoWVf1Da.exe

Filesize
304KB

MD5
65c058e4a90d2ec70b03211d768b6ecc

SHA1
bf5af6f650759e5e612d42d72145660056737164

SHA256
5a00e3718afb5bfb18a6b1c824b680015733f0403af0d5663289a17ba8206cc3

SHA512
3d9114409f8096ce8a1d134a48235fbbad0c6c53f820707a951bac42c4f7ba6a38e98a50c9d929f049042263a7c0e24da8368d3aa4e934f5da79e9bda4a930aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1453213197-474736321-1741884505-1000\76b53b3ec448f7ccdda2063b15d2bfc3_f5749a82-599b-445b-bbdf-fb54150d3ac0

Filesize
2KB

MD5
dcced5abb8417943cfeff1cbc1c66418

SHA1
b653b7667a783ea4a7a4da8acaa0650b30b9649b

SHA256
4bba18c18cba352b95bc22b40337bb82c8dd77a91dfb22a11fec8adb8039b7cc

SHA512
d11ec831121f1d78d4e1b7ccf2e5e62b74fb8fa67c96128622e4d1abfb6868d49899fc57d78738c802a2f2c7c7fe80ca93dd61192eef8bb2037bf50e342a2ec7

Download Submit
C:\Users\Admin\AppData\Roaming\q55hJbNYdV.exe

Filesize
490KB

MD5
b473c40205c61dc4750bc49f779908dd

SHA1
88a0fc0962099f0ac2d827d2c4d691ed9cade251

SHA256
8707c03158ba6395a11bdfd8c1b11eeedc2e052d3b55d73d0a5c64417e5fbd3b

SHA512
8fbaaa5bde30fe7c6e31a349c14e3bd710e92c4dbcca8cbdbaf34583887bc31e07e10a0223fc6c6c0d091787c296eba139ec91af44ec4ee6abbfb611493951d1

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
60a398233e795ea00a5291286c7eddd8

SHA1
95e8eacf58e63180b958833a2cdb0ebaad301101

SHA256
b069d268337524b26f5100a9131cb0b978c24cceee202e8f320f7aa97b0065ff

SHA512
6f5283a7c4c6dfd78a7a6dcc97747aea4cf66f8cd9127152dfa24050843c54409b1bb65f1e77378ef4bd29f825dcefecc9cfeb7493eba8f79bdd5da1b6ad4ecf

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
341ab3b9d68514c5b231f2ec2701580e

SHA1
aa134f2d9b3eb029c7886f0fa107e066a9b9aafa

SHA256
a6de5aea4b77146140543e2648c2f3420ac3f72e45096e13fc4e3294d63419bc

SHA512
c3429dd621841d58943ddfacea1f7a9d4846af10dcc0cbfc4bb9bdd02c178b827d7617e258aa094f97a5471385e92e20e12464cdb7490a1e514bfc5d55bea497

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/304-30-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/640-15-0x0000000000BF1000-0x0000000000C1F000-memory.dmp

Filesize
184KB

Download
memory/640-137-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/640-159-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/640-16-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/640-17-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/640-158-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/640-14-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/640-138-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/1424-1493-0x00000000001A0000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/1424-2857-0x00000000001A0000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/1480-3531-0x00000000001A0000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/1604-13-0x0000000001240000-0x0000000001729000-memory.dmp

Filesize
4.9MB

Download
memory/1604-1-0x0000000077CD4000-0x0000000077CD5000-memory.dmp

Filesize
4KB

Download
memory/1604-0-0x0000000001240000-0x0000000001729000-memory.dmp

Filesize
4.9MB

Download
memory/1604-2-0x0000000001241000-0x000000000126F000-memory.dmp

Filesize
184KB

Download
memory/1604-3-0x0000000001240000-0x0000000001729000-memory.dmp

Filesize
4.9MB

Download
memory/1604-5-0x0000000001240000-0x0000000001729000-memory.dmp

Filesize
4.9MB

Download
memory/1632-2909-0x0000000000FC0000-0x00000000011A4000-memory.dmp

Filesize
1.9MB

Download
memory/2184-141-0x0000000008970000-0x00000000089D6000-memory.dmp

Filesize
408KB

Download
memory/2184-1428-0x0000000009E30000-0x000000000A35C000-memory.dmp

Filesize
5.2MB

Download
memory/2184-1426-0x0000000009730000-0x00000000098F2000-memory.dmp

Filesize
1.8MB

Download
memory/2184-60-0x00000000003F0000-0x0000000000470000-memory.dmp

Filesize
512KB

Download
memory/2488-3488-0x00000000001A0000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/3208-142-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3208-136-0x0000000000D00000-0x0000000000F43000-memory.dmp

Filesize
2.3MB

Download
memory/3208-296-0x0000000000D00000-0x0000000000F43000-memory.dmp

Filesize
2.3MB

Download
memory/3280-1463-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3280-3401-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3752-1488-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/3892-1386-0x00000000063D0000-0x000000000641C000-memory.dmp

Filesize
304KB

Download
memory/3892-300-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-344-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-343-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-340-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-336-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-298-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-297-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-310-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-302-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-304-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-334-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-306-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-1385-0x0000000005FC0000-0x0000000006028000-memory.dmp

Filesize
416KB

Download
memory/3892-1394-0x00000000064E0000-0x0000000006534000-memory.dmp

Filesize
336KB

Download
memory/3892-332-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-330-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-338-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-329-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-294-0x0000000000FC0000-0x00000000010B8000-memory.dmp

Filesize
992KB

Download
memory/3892-295-0x0000000005BF0000-0x0000000005CDE000-memory.dmp

Filesize
952KB

Download
memory/3892-308-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-314-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-326-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-316-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-312-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-324-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-318-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-323-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/3892-320-0x0000000005BF0000-0x0000000005CD8000-memory.dmp

Filesize
928KB

Download
memory/4316-200-0x0000000000BC0000-0x0000000000C2C000-memory.dmp

Filesize
432KB

Download
memory/4336-1495-0x00000000078A0000-0x00000000078BC000-memory.dmp

Filesize
112KB

Download
memory/4336-1469-0x0000000006F40000-0x0000000006F62000-memory.dmp

Filesize
136KB

Download
memory/4336-1471-0x0000000007A10000-0x0000000007D60000-memory.dmp

Filesize
3.3MB

Download
memory/4336-1446-0x00000000045D0000-0x0000000004606000-memory.dmp

Filesize
216KB

Download
memory/4336-1551-0x00000000094C0000-0x0000000009554000-memory.dmp

Filesize
592KB

Download
memory/4336-2880-0x0000000008130000-0x000000000814A000-memory.dmp

Filesize
104KB

Download
memory/4336-1470-0x0000000006FE0000-0x0000000007046000-memory.dmp

Filesize
408KB

Download
memory/4336-1461-0x0000000007090000-0x00000000076B8000-memory.dmp

Filesize
6.2MB

Download
memory/4336-2885-0x0000000008110000-0x0000000008118000-memory.dmp

Filesize
32KB

Download
memory/4336-1544-0x000000006C5A0000-0x000000006C5EB000-memory.dmp

Filesize
300KB

Download
memory/4336-1543-0x00000000091D0000-0x0000000009203000-memory.dmp

Filesize
204KB

Download
memory/4336-1545-0x0000000009190000-0x00000000091AE000-memory.dmp

Filesize
120KB

Download
memory/4336-1550-0x0000000009300000-0x00000000093A5000-memory.dmp

Filesize
660KB

Download
memory/4476-3490-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/4476-3486-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/4488-1427-0x0000000007050000-0x00000000070A0000-memory.dmp

Filesize
320KB

Download
memory/4488-262-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4524-3373-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/4524-3370-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/4816-46-0x0000000005BD0000-0x00000000060CE000-memory.dmp

Filesize
5.0MB

Download
memory/4816-51-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/4816-100-0x00000000089F0000-0x0000000008AFA000-memory.dmp

Filesize
1.0MB

Download
memory/4816-47-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/4816-94-0x0000000006250000-0x00000000062C6000-memory.dmp

Filesize
472KB

Download
memory/4816-99-0x0000000007190000-0x0000000007796000-memory.dmp

Filesize
6.0MB

Download
memory/4816-102-0x0000000006D60000-0x0000000006D9E000-memory.dmp

Filesize
248KB

Download
memory/4816-101-0x0000000006D00000-0x0000000006D12000-memory.dmp

Filesize
72KB

Download
memory/4816-40-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4816-111-0x0000000006E30000-0x0000000006E7B000-memory.dmp

Filesize
300KB

Download
memory/4860-2628-0x0000000000230000-0x00000000002AE000-memory.dmp

Filesize
504KB

Download
memory/4860-2856-0x000000001D2B0000-0x000000001D31E000-memory.dmp

Filesize
440KB

Download
memory/4868-58-0x0000000000C20000-0x0000000000C72000-memory.dmp

Filesize
328KB

Download
memory/4868-95-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/4964-224-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/5060-1494-0x0000000000FF0000-0x000000000149E000-memory.dmp

Filesize
4.7MB

Download
memory/5060-1443-0x0000000000FF0000-0x000000000149E000-memory.dmp

Filesize
4.7MB

Download
memory/5372-3335-0x0000000007DE0000-0x0000000008130000-memory.dmp

Filesize
3.3MB

Download
memory/5372-1414-0x0000000004C10000-0x0000000004CAC000-memory.dmp

Filesize
624KB

Download
memory/5372-1398-0x0000000000740000-0x000000000076E000-memory.dmp

Filesize
184KB

Download
memory/5372-3333-0x0000000007410000-0x0000000007530000-memory.dmp

Filesize
1.1MB

Download
memory/5372-3334-0x0000000007530000-0x0000000007880000-memory.dmp

Filesize
3.3MB

Download
memory/5484-3009-0x000000006C5A0000-0x000000006C5EB000-memory.dmp

Filesize
300KB

Download
memory/5484-3014-0x0000000009CE0000-0x0000000009D85000-memory.dmp

Filesize
660KB

Download
memory/5508-3375-0x00000000001A0000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/5508-3369-0x00000000001A0000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/5552-1635-0x00000000056F0000-0x00000000057CC000-memory.dmp

Filesize
880KB

Download
memory/5552-2797-0x0000000005860000-0x00000000058B8000-memory.dmp

Filesize
352KB

Download
memory/5552-1632-0x0000000000B80000-0x0000000000DB6000-memory.dmp

Filesize
2.2MB

Download
memory/5588-1421-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/5588-1425-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/5592-2967-0x0000000009290000-0x00000000092B2000-memory.dmp

Filesize
136KB

Download
memory/5592-2966-0x0000000009240000-0x000000000925A000-memory.dmp

Filesize
104KB

Download
memory/5644-1387-0x00000000000F0000-0x000000000078E000-memory.dmp

Filesize
6.6MB

Download
memory/5644-1423-0x00000000000F0000-0x000000000078E000-memory.dmp

Filesize
6.6MB

Download
memory/5960-3424-0x00000000001A0000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/5960-3427-0x00000000001A0000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/5988-1396-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/6176-3425-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/6176-3429-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download
memory/6884-2799-0x0000000000F10000-0x0000000001171000-memory.dmp

Filesize
2.4MB

Download
memory/6884-3408-0x0000000000F10000-0x0000000001171000-memory.dmp

Filesize
2.4MB

Download
memory/6932-2858-0x0000000001170000-0x000000000180E000-memory.dmp

Filesize
6.6MB

Download
memory/6932-3003-0x0000000001170000-0x000000000180E000-memory.dmp

Filesize
6.6MB

Download
memory/7040-3528-0x0000000000BF0000-0x00000000010D9000-memory.dmp

Filesize
4.9MB

Download